North Korean Spies Infiltrate Companies as Remote Workers | CrowdStrike Report

August 4, 2025
North Korean IT Workers Infiltrating Western Companies

Security firm CrowdStrike reports a significant surge in activity involving North Korean individuals fraudulently securing remote employment. These actors pose as IT professionals to generate revenue for the North Korean government.

Increased Incidents of Fraudulent Employment

CrowdStrike’s recent threat intelligence identifies over 320 incidents in the last year in which North Koreans obtained remote developer positions within Western organizations. This represents a 220% increase compared to the previous year.

Scheme Details and Objectives

The operation centers around the use of fabricated identities, resumes, and employment histories. This allows North Korean workers to earn funds for the regime.

Beyond financial gain, this scheme provides access to sensitive company data, which can be leveraged for extortion purposes. The ultimate goal is to finance North Korea’s nuclear weapons program; the scheme has reportedly generated billions of dollars.

Scale of the Operation

The exact number of North Korean IT workers currently employed by U.S. companies remains unknown. However, estimates suggest the figure could be in the thousands.

Leveraging Artificial Intelligence

CrowdStrike, referring to these actors as “Famous Chollima,” has observed the increasing use of generative AI and other AI-powered tools. These tools are utilized to create convincing resumes and even to digitally alter appearances for remote interviews.

Circumventing Sanctions

Despite existing sanctions prohibiting U.S. companies from hiring North Korean workers, the success rate of these fraudulent applications is growing.

Mitigation Strategies

Enhanced identity verification procedures during the hiring process are crucial to preventing the employment of sanctioned individuals. Some companies in the cryptocurrency sector are reportedly employing unconventional screening methods.

These methods include asking candidates to express critical opinions about North Korea’s leader, Kim Jong Un. Such requests are designed to identify potential operatives, as actual North Korean workers are subject to intense monitoring.

U.S. Department of Justice Intervention

The U.S. Department of Justice is actively working to dismantle these operations. Efforts are focused on prosecuting U.S.-based facilitators who assist in running the scheme for their North Korean counterparts.

This includes targeting individuals operating “laptop farms” – facilities containing numerous open laptops used by North Korean workers to simulate a physical presence within the United States.

Recent Indictments

A recent indictment revealed that a single North Korean operation compromised the identities of 80 U.S. individuals between 2021 and 2024. These stolen identities were used to secure remote work at over 100 U.S. companies.