North Korea has turned the overseas employment of its IT specialists under false identities into a steady source of revenue and a tool of influence. Under the cover of legitimate job postings, they infiltrate American and European companies using stolen identities, forged documents, and intermediaries. These schemes funnel hard currency to the regime but are increasingly tied to industrial espionage, theft of intellectual property, and risks to defense projects. For companies, the challenge is twofold: detecting such employees is nearly impossible, while admitting the mistake brings legal and reputational costs.
The problem is large in scale and acutely sensitive for firms that prefer not to discuss it publicly. Reputational risk, legal uncertainty, and sheer embarrassment push corporations to conceal the fact that North Korean "remote workers" have infiltrated their ranks—making the issue even harder to combat. Dozens of résumés, LinkedIn profiles, and forged documents, however, show a well-oiled scheme designed to serve the state and circumvent U.S. sanctions.
For Pyongyang, it is a vital revenue stream, sustained by the growth of well-paid remote jobs in the United States. Over the past two years, companies and their cybersecurity partners have grasped the scale of the threat and now warn that it is only escalating. "They are already stealing intellectual property and at the same time working on the projects themselves. Artificial intelligence will allow them to multiply what they are already doing—and what they are doing now is already bad," said Michael "Barney" Barnhart of DTEX Systems.
The scheme is so sophisticated that even the world’s largest companies struggle to filter out candidates. In effect, it operates like a transnational corporation: North Korean state agencies are involved, along with dozens of front companies in China and even Americans willing to facilitate the fraud. Many North Korean IT specialists are genuinely highly skilled—at least until they begin stealing data or blackmailing employers who try to dismiss them.
As Sandra Joyce, vice president of Google Threat Intelligence, noted, one employer, upon learning that his employee was likely a North Korean "fake" candidate, responded: "You must be right, because he is my best employee."

North Korea’s Training System for IT Specialists and the Role of State Agencies
For years, North Korea has invested in building an army of "remote IT workers," preparing them not only for employment under false identities but also for industrial espionage and the theft of intellectual property.
Future recruits are selected and trained at the country’s top universities, such as Kim Chaek University of Technology and the Pyongyang University of Science. Some students specialize in software development, artificial intelligence, or cryptography.
According to DTEX, the most elaborate fraudulent schemes are coordinated by units such as APT 45—a well-known state-backed hacking group involved in corporate breaches, money laundering, and scams. Also active are the Lazarus Group, which focuses on cryptocurrency theft and infiltrating crypto firms, and Research Center 227—a new unit within North Korea’s intelligence services responsible for AI development.
Meanwhile, the cyberthreat landscape is expanding: cybersecurity firms routinely identify new groups involved in attacks and assign them names—Jasper Sleet, Moonstone Sleet, Famous Chollima. This underscores that Pyongyang’s effort is a systemic, multi-layered project rather than a set of isolated initiatives by individual actors.
Scale of Infiltration: From Fortune 500 Companies to Startups
According to nine cybersecurity experts, it is now difficult to find a major Fortune 500 company that has not at some point employed a North Korean IT worker under false pretenses.
Google acknowledged that it had recorded attempts by such candidates to secure jobs, and other major players, including SentinelOne, reported the same. KnowBe4, a cybersecurity company, openly confirmed that it had inadvertently hired one of them last year. A crypto startup told The Wall Street Journal that it had been paying salaries for nearly two years to individuals who were, in fact, working for Pyongyang.
The scale of the phenomenon is striking: according to Sam Rubin of Unit 42 at Palo Alto Networks, within just 12 hours of a job posting, more than 90% of applicants were suspected of ties to North Korea. "If you are hiring contract IT workers, chances are this has already happened to you," he noted.
Adam Meyers of CrowdStrike says the problem extends even to mid-sized and smaller firms if they rely on remote developers or turn to IT consulting companies. In its annual cyberthreat report, CrowdStrike disclosed that it had investigated more than 320 cases in which North Korean specialists managed to secure work as remote software developers.

Use of Stolen Identities, Shell Firms, and U.S. Intermediaries
Gaining employment at an American company and then secretly participating in its work is part of a carefully constructed scheme involving North Korean IT specialists, shell companies in China, and even U.S. citizens.
Some North Korean programmers are based in China or neighboring countries to avoid raising suspicion. The first step is acquiring stolen identities—often real data belonging to U.S. citizens, including the deceased. To make the deception convincing, forged documents are produced, ranging from passports and Social Security cards to utility bills. According to Meyers, many of these fake IDs share the same distinctive checkered background. In December, for example, charges against 14 North Koreans revealed that they had used stolen identities on a large scale to submit dozens of job applications.
The next step is applying for vacancies in software development, tech support, and DevOps. The main platforms are Upwork, Fiverr, LinkedIn, and recruitment agency websites. Artificial intelligence tools are widely used to manage the process, track applications, and submit them. As Trevor Hilligoss, senior vice president at SpyCloud Labs, notes, AI is increasingly employed to create résumés and LinkedIn profiles. "There is a hierarchy. Some handle interviews—they have excellent English. Once they land the job, they hand it over to the developer," he explained. That developer often juggles multiple positions simultaneously while maintaining several fictitious identities.
The crucial stage is the interview, which might seem the easiest place to spot fraud. Yet "candidates"—whether real people or AI-generated avatars—are often skilled interlocutors and able to complete test tasks. According to Barnhart, some companies noticed discrepancies only weeks later, when the behavior of the "employee" diverged from what they had seen in the interview.
Once hired, the developer insists on having a corporate laptop shipped to a U.S. address—usually citing a sudden move or family circumstances. These addresses belong to American accomplices who run so-called "laptop farms." They install remote-access software on the machines, enabling North Korean workers to operate from abroad. In July, the FBI raided 21 locations in 14 states and seized 137 laptops linked to such schemes.


A so-called "laptop farm" in Arizona.
Another challenge is channeling salaries back to the regime. To do this, accomplices route funds through Chinese shell companies or use cryptocurrency exchanges. A study by Strider Technologies, published in May, identified 35 Chinese firms involved in supporting such operations.
Weak Points in Hiring and the Difficulty of Detecting North Korean Workers
According to Sarah Kern, lead North Korea analyst at Sophos’s Counter Threat Unit, the hiring process in American companies is so fragmented that managers often fail to notice signs of deception until the North Korean employees are already on the job.
Even when suspicions arise, the evidence is scattered and not always obvious. Security teams may detect unusual remote-access tools or odd browser behavior, while HR departments may see repetitive references or résumés with the same phone numbers. But unless these signals are connected, they rarely trigger alarm. "There is no single big red flag you can point to," Kern explains. "It is a combination of technical traces and human details that are hard to catch, and they do not always appear in detection telemetry."
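One way to connect the scattered HR and security signals described above, shown as an added example that is not part of the original article. The record fields, the sample data, and the list of unapproved remote-access tools are all constructed assumptions; the point is that an employee is escalated only when several weak signals line up, and that cases spanning both teams are marked.

```python
from collections import defaultdict

# Constructed sample data, not from the article; field names are assumptions.
HR_RECORDS = [
    {"employee": "e1001", "phone": "+1-555-0100", "reference": "ref-a@example.com", "ship_to": "100 Example Rd"},
    {"employee": "e1002", "phone": "+1-555-0100", "reference": "ref-a@example.com", "ship_to": "100 Example Rd"},
    {"employee": "e1003", "phone": "+1-555-0133", "reference": "ref-b@example.com", "ship_to": "7 Sample Ave"},
    {"employee": "e1004", "phone": "+1-555-0177", "reference": "ref-c@example.com", "ship_to": "100 example rd "},
]
ENDPOINT_TELEMETRY = [
    {"employee": "e1001", "remote_tools": ["anydesk"]},
    {"employee": "e1003", "remote_tools": ["teamviewer"]},
    {"employee": "e1004", "remote_tools": []},
]
# Assumed policy list of remote-access tools IT has not approved (illustrative).
UNAPPROVED_TOOLS = {"anydesk", "teamviewer"}

def shared_by_many(records, field):
    """Return employees whose normalized `field` value also appears on another record."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec[field].strip().lower()].add(rec["employee"])
    return {emp for members in groups.values() if len(members) > 1 for emp in members}

def correlate(hr_records, telemetry, threshold=2):
    """Join HR and endpoint signals per employee; report those at or above threshold."""
    signals = defaultdict(set)
    # HR-side signals: the same phone, reference or shipping address on several records.
    for field in ("phone", "reference", "ship_to"):
        for emp in shared_by_many(hr_records, field):
            signals[emp].add(f"hr:shared_{field}")
    # Security-side signals: unapproved remote-access software on the assigned laptop.
    for row in telemetry:
        for tool in set(row["remote_tools"]) & UNAPPROVED_TOOLS:
            signals[row["employee"]].add(f"sec:unapproved_remote_tool:{tool}")
    report = {}
    for emp, found in signals.items():
        if len(found) >= threshold:  # a single weak signal is not escalated
            sources = {s.split(":", 1)[0] for s in found}
            report[emp] = {"signals": sorted(found), "cross_team": sources == {"hr", "sec"}}
    return report

if __name__ == "__main__":
    for emp, info in sorted(correlate(HR_RECORDS, ENDPOINT_TELEMETRY).items()):
        print(emp, info)
```

On this sample, the employee with only a remote-access hit and the employee with only a shared shipping address stay below the threshold, which mirrors how each team on its own would see nothing alarming.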
Even when exposure occurs, the situation remains complicated. According to Alexandra Rose, director of the same Sophos unit, many of these specialists are so capable that managers sometimes simply refuse to believe they could be operating out of North Korea.
When fraudsters are exposed, companies face a wide range of problems. Some employees download confidential data and resort to blackmail, demanding large sums. Others file legal complaints, including claims for compensation, and sometimes try to exploit protective provisions in the law. Barnhart recalls a case in which an employee, upon dismissal, attempted to invoke domestic-violence protections to buy time.
"A lot of attention is rightly paid to the idea that cybersecurity should not rest solely with the CISO," Rose emphasized. "There needs to be a baseline of security awareness across the entire company—and these cases show why."
In the end, many employers choose not to report such incidents, fearing they could be accused of violating sanctions. But law-enforcement agencies have repeatedly made clear: they are looking for cooperation, not punishment.

At present, the primary goal of these operations is to generate revenue for the North Korean regime. But the threat is gradually becoming more complex. Groups engaged in such schemes are evolving into more dangerous entities: there is a risk they could begin developing their own artificial intelligence models, trained on confidential data stolen from American companies.
The defense sector is of particular concern. According to Barnhart, his team has documented cases in which North Korean IT specialists were actively studying information on AI technologies, drone production, and projects tied to defense contractors.
As American firms grow more vigilant toward such schemes, North Korean specialists are shifting focus to overseas markets, setting up "laptop farms" and securing jobs across Europe. This points to an expansion of operations rather than a retreat. "We are starting to see it in Europe—they are already in Poland, in Romania, in the United Kingdom," noted Meyers of CrowdStrike. "They are expanding everywhere."