North Korea infiltrates US jobs and spies on companies

North Korea is spying on the USA

Fake remote applicants, stolen identities, and “laptop farms”: how Pyongyang is turning US hiring into a vehicle for espionage.

In summary

North Korea has found an effective shortcut into Western information systems: remote recruitment. The principle is simple. Operators present themselves as American candidates, using stolen or fabricated identities. Once hired, they work “remotely” on computers provided by the company, but those machines often sit physically in the US, in relay networks that mask where the operator actually is. The gain is twofold. On the one hand, the regime captures salaries and circumvents sanctions. On the other, it gains insider access, which is useful for espionage, data exfiltration, and sometimes financial theft. U.S. investigations published in 2025 describe more than 100 companies affected, more than 80 identities compromised, and several million dollars in damages. In the medium term, the risk is the industrialization of the process through AI and subcontracting chains. In the long term, it is confidence in digital hiring that is being undermined.

The industrialization of remote working as an entry point

Remote working has created a global talent market. It has also created an illusion. Many companies have treated location as an administrative detail, when in fact it is a security issue. North Korea is methodically exploiting this gray area. It does not start by hacking firewalls. It gains access to companies through the HR process.

The heart of the system relies on North Korean IT workers who are capable of filling real technical positions. They don’t just send resumes. They go through interviews. They produce deliverables. Their advantage is that they are credible and are managed as an organization. This is a far cry from the isolated freelancer.

Recruitment as a means of access rather than as classic fraud

The key point is not just wage fraud. It is the shift from an “administrative” act to an “operational” act. Hiring means opening an account, assigning rights, delivering a computer, connecting a VPN, and giving access to code repositories, internal tickets, and SaaS tools. In many companies, this access is quicker to obtain than supplier access or a partnership.

The process is even simpler when teams are under pressure and time-to-hire becomes an obsession. If the candidate appears competent and the checks remain superficial, the door opens.

Local facilitators: the piece that makes it all possible

This model requires intermediaries on American soil. Without them, the deception would be more visible. Court records describe networks that receive company computers, manage bank accounts, create shell companies, and provide a local “presence.” This is where the operation changes scale. We are no longer talking about a fictitious candidate. We are talking about a logistical system.

The technical mechanism of infiltration, step by step

The process reads like a chain. Each link reduces the risk of detection. And each link is relatively mundane when taken in isolation.

The identity-equipment-connection chain

First link: identity theft. The US authorities mention dozens of victims whose identities were used to apply for jobs and sit interviews. A “clean” identity gets the operator through contracting, onboarding, and sometimes automated background checks without raising any alarm.

Second link: location. To avoid being detected as operating from abroad, operators use physical relays in the United States. The well-known laptop farms are the most telling example: rows of company-issued computers, sometimes in private homes, sometimes run by more structured networks. The machines are powered on, kept connected, and administered on site. The company sees a device “in the country” and a user “connected normally.”

Third link: remote control. Control devices let the work be carried out from abroad while the session appears to originate locally. In some cases, KVM (keyboard-video-mouse) equipment is cited as the tool for driving several workstations at once, in order to pool operations.

Fourth link: the actual execution of the work. This is an important point. The system works because the work delivered can be satisfactory, and that is what makes detection difficult. Signs often appear only when there is a “physical” request: presence on site, a business trip, or an incident that requires an extended video call.

Weak signs on the HR and security side

Alerts are not always technical. They are often behavioral: inconsistencies in the biography, diplomas that are hard to verify, repeated refusals to interact synchronously, supporting documents that are “too clean,” frequent address changes. Access at atypical hours is another signal, but an unreliable one on its own, because the local relays already make the session look like an ordinary domestic connection.

The real blind spot is the gap between HR and cybersecurity. In many companies, HR validates a profile. IT executes. Security intervenes afterwards. But here, hiring is the attack.
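The laptop-farm pattern described in the second link, and the geographic inconsistencies listed among the weak signals, only become visible when HR data and connection telemetry are put side by side. The following is an added example, not code from the original article or from any of the investigations it cites. It runs on constructed records; the field names (`ship_to`, `geo_state`, and so on) are assumptions rather than any HR system's or VPN vendor's schema.

```python
"""
Correlating HR records with connection telemetry to surface the laptop-farm
pattern: several distinct hires whose company laptops went to one address,
connect from one egress IP, or geolocate to a state other than the one on file.
Added example on constructed data; field names are assumptions.
"""
from collections import defaultdict

# Constructed HR records: what HR believes about each remote hire,
# including the address the company laptop was shipped to.
HR_RECORDS = [
    {"user": "alice", "state": "TX", "ship_to": "12 Oak St, Austin TX"},
    {"user": "bob",   "state": "CA", "ship_to": "9 Elm Ave, Fresno CA"},
    {"user": "carol", "state": "NY", "ship_to": "9 Elm Ave, Fresno CA"},
    {"user": "dave",  "state": "WA", "ship_to": "9 Elm Ave, Fresno CA"},
]

# Constructed VPN/endpoint logins: egress IP (RFC 5737 documentation ranges)
# and the state that IP geolocates to.
LOGINS = [
    {"user": "alice", "ip": "203.0.113.10", "geo_state": "TX"},
    {"user": "bob",   "ip": "198.51.100.7", "geo_state": "CA"},
    {"user": "carol", "ip": "198.51.100.7", "geo_state": "CA"},
    {"user": "dave",  "ip": "198.51.100.7", "geo_state": "CA"},
    {"user": "dave",  "ip": "198.51.100.7", "geo_state": "CA"},
]


def shared_delivery_addresses(records, min_users=2):
    """Distinct hires whose company laptops went to the same street address."""
    by_addr = defaultdict(set)
    for r in records:
        by_addr[r["ship_to"]].add(r["user"])
    return {a: sorted(u) for a, u in by_addr.items() if len(u) >= min_users}


def shared_egress_ips(logins, min_users=2):
    """Distinct users whose corporate devices connect from the same egress IP."""
    by_ip = defaultdict(set)
    for entry in logins:
        by_ip[entry["ip"]].add(entry["user"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_users}


def state_mismatches(records, logins):
    """Users whose egress geolocation contradicts the state HR has on file."""
    hr_state = {r["user"]: r["state"] for r in records}
    return sorted({
        entry["user"] for entry in logins
        if entry["user"] in hr_state and hr_state[entry["user"]] != entry["geo_state"]
    })


def triage(records, logins):
    """Rank users by how many independent signals fire on them (most first)."""
    hits = defaultdict(list)
    for users in shared_delivery_addresses(records).values():
        for u in users:
            hits[u].append("shared_ship_to")
    for users in shared_egress_ips(logins).values():
        for u in users:
            hits[u].append("shared_egress_ip")
    for u in state_mismatches(records, logins):
        hits[u].append("state_mismatch")
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for user, signals in triage(HR_RECORDS, LOGINS):
        print(f"{user}: {', '.join(signals)}")
```

On this constructed data, carol and dave trip all three signals, bob trips two, and alice none. Any single signal is weak (two colleagues who share a household will share an address and an IP), which is why the triage function counts independent signals rather than alerting on one. Note also what bob looks like: his on-file state matches his egress, yet his address receives other hires' laptops, which is the profile of the local facilitator described earlier rather than of the remote operator.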

The results obtained, beyond simple salary misappropriation

The figures give an idea of the scale. But they don’t tell the whole story. The most serious aspect is often qualitative: access.

Figures from US investigations in 2025

Official US communications published at the end of June 2025 mention more than 100 companies affected, more than 80 identities compromised, and at least $3 million in damages. US media also reported seizures of financial accounts, fraudulent websites, and computer equipment in several states.

In addition, another case tried in 2025 highlighted an even more massive fraud: more than 300 companies targeted and more than $17 million generated over a multi-year period, with a 102-month prison sentence for a facilitator based in the United States. This second case shows that the scheme is not marginal. It can last for years.

Access obtained and the value of the targeted data

The objective is not solely financial. The model also serves espionage purposes. Once inside the company, an operator can access internal data, code, product roadmaps, trade secrets, and sometimes regulated data. Press articles have mentioned cases where defense-related information, including ITAR-controlled items, may have been exposed as a result of these infiltrations.

The other dimension is financial theft. Some proceedings refer to the misappropriation of cryptoassets and attempts at extortion or monetizable exfiltration. The logic is consistent with an overall strategy: to finance a regime under sanctions while fueling its strategic priorities.

Medium-term risks, when the model becomes an “industry”

The immediate danger is already serious. The medium-term danger is standardization.

Contamination of the supply chain and product teams

An infiltrated developer does not need to be a network administrator to cause damage. All they need is access to a code repository, a CI/CD pipeline, or an internal library. The risks range from discreet exfiltration to the introduction of vulnerabilities. At this point, the line between espionage and sabotage becomes blurred. A minor modification can lie dormant for months before being activated.

The most exposed companies are not just the giants. They also include B2B software vendors and service providers that serve hundreds of customers. Infiltration of a subcontractor can become an indirect gateway to other organizations.

Acceleration through automation and AI

Since 2024, several security vendors have warned of a new development: the use of generative AI to produce resumes, optimize profiles, generate interview responses, and scale up the search for openings. This reduces costs and increases volume. The model becomes compatible with large-scale campaigns in which, say, 95% of applications fail, but the remaining 5% are enough to generate revenue and access.


Long-term risks: a crisis of confidence in digital identity

In the long term, the problem goes beyond North Korea. It affects the way companies “believe” what they see.

Erosion of trust in digital hiring

When a company makes a mistake about a candidate, it doesn’t just lose money. It damages its internal trust system. It may tighten its processes, slow down its recruitment, and penalize legitimate candidates, especially internationally. The cost becomes economic and social: more friction, more delays, more suspicion.

This drift is likely: if the attacks continue, companies will increase their controls, sometimes in a disorderly manner. And disorderly control creates new blind spots.

The sustainable financialization of espionage

The most chilling, and therefore most worrying, aspect is the rationality of the model. It finances, infiltrates, and collects. It’s a cycle. Even if a company detects it late, the revenue has already circulated, access has already been gained, and data may already have been copied. Profitability is asymmetrical. A year of infiltration is sometimes worth more than a one-off attack.

Measures that really change the level of risk for companies

There are answers. But they require treating recruitment as an attack surface.

Identity and work permit checks, without improvisation

The basis is a robust, consistent, and documented identity check. Not a simple “paper” check. Signals must be cross-checked. Documents must be verified. Geographical consistency must be checked. Professional background must be verified whenever possible. Above all, these checks must be mandatory before access is granted.

Companies must also monitor changes during the contract period: changes in bank details, changes of address, changes in equipment, unusual payroll requests. These are classic entry points for organized schemes.

The minimal access model and “zero trust” architecture

Applying a zero trust approach is not just a slogan. It is a discipline. Minimal access from the outset. Segmentation of environments. Logging. Alerts for abnormal behavior. Rotation of credentials. Regular review of rights. And a clear separation between development, testing, and production environments.

A remote employee should not, by default, have access to everything. They should have access to only what is strictly necessary. And every expansion of access should be tracked and justified.
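Two of the controls above, monitoring changes during the contract period and tracking every expansion of access, can be run as a periodic review over HR and IAM exports. The following is an added example, not code from the original article or from any of the companies it mentions. The role baselines, scope names, and ticket identifiers are constructed for illustration; a real review would read them from the identity provider and the change-management system.

```python
"""
Post-hire change review: (1) payroll or identity fields changed within the
first weeks of employment, and (2) access grants that exceed the role's
least-privilege baseline, split by whether a change ticket justifies them.
Added example on constructed data; roles, scopes and tickets are assumptions.
"""
from datetime import date

# Constructed hire dates and payroll/profile change events from the HR system.
HIRES = {"alice": date(2025, 3, 3), "carol": date(2025, 4, 1)}
PROFILE_CHANGES = [
    {"user": "alice", "field": "bank_account", "on": date(2025, 9, 15)},
    {"user": "carol", "field": "bank_account", "on": date(2025, 4, 9)},
    {"user": "carol", "field": "home_address", "on": date(2025, 4, 20)},
]
SENSITIVE_FIELDS = {"bank_account", "home_address"}

# Constructed least-privilege baseline: the scopes each role needs on day one.
ROLE_BASELINE = {
    "backend_dev": {"repo:read", "repo:write", "ci:run", "tickets:read"},
    "sre": {"repo:read", "ci:run", "ci:admin", "prod:read", "prod:deploy"},
}

# Constructed effective grants from the identity provider, each with the
# change ticket (if any) that was recorded when the scope was granted.
GRANTS = [
    {"user": "carol", "role": "backend_dev", "scope": "repo:write", "ticket": None},
    {"user": "carol", "role": "backend_dev", "scope": "ci:admin", "ticket": "ACC-1042"},
    {"user": "carol", "role": "backend_dev", "scope": "prod:deploy", "ticket": None},
    {"user": "erin", "role": "sre", "scope": "prod:deploy", "ticket": None},
]


def early_profile_changes(hires, changes, within_days=30):
    """Sensitive HR fields changed within the first `within_days` of employment."""
    return sorted(
        (c["user"], c["field"], (c["on"] - hires[c["user"]]).days)
        for c in changes
        if c["field"] in SENSITIVE_FIELDS
        and (c["on"] - hires[c["user"]]).days <= within_days
    )


def review_grants(grants, baseline):
    """Grants outside the role baseline, split into ticketed and unticketed."""
    justified, unjustified = [], []
    for g in grants:
        if g["scope"] in baseline[g["role"]]:
            continue  # within the day-one baseline: nothing to review
        bucket = justified if g["ticket"] else unjustified
        bucket.append((g["user"], g["scope"], g["ticket"]))
    return {"justified": justified, "unjustified": unjustified}


def crosses_prod_boundary(grants, baseline, prod_prefix="prod:"):
    """Users holding a production scope although their role baseline has none."""
    return sorted({
        g["user"] for g in grants
        if g["scope"].startswith(prod_prefix)
        and not any(s.startswith(prod_prefix) for s in baseline[g["role"]])
    })


if __name__ == "__main__":
    print("early changes:", early_profile_changes(HIRES, PROFILE_CHANGES))
    print("grant review:", review_grants(GRANTS, ROLE_BASELINE))
    print("dev accounts in prod:", crosses_prod_boundary(GRANTS, ROLE_BASELINE))
```

On the constructed data, carol changed her bank account eight days after hire and her address nineteen days after, holds a `ci:admin` scope that a ticket accounts for, and holds `prod:deploy` with no ticket at all, which also breaks the development/production separation the text calls for. erin's `prod:deploy` is within the `sre` baseline and is not flagged. The point of keeping the ticket reference next to the grant is the one made above: every expansion of access is tracked and justified, so an unticketed expansion is itself the finding.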

Coordination between HR, IT, security, and legal

If HR recruits alone, they are on the front line without a shield. If security arrives too late, it can only observe. An operational loop is needed: HR detects signals, IT confirms material elements, security analyzes connections, and legal oversees verifications and obligations.

Finally, information sharing between companies and authorities remains an accelerator. When a “signature” is identified (CV patterns, infrastructure, methods), it must be circulated quickly.

The gray area that suits Pyongyang, and which must disappear

The success of these operations relies on a Western blind spot: the idea that hiring is an act of “weak” trust, when in fact it opens up very strong rights. As long as companies continue to deliver accounts and machines before having reasonable certainty about identity and location, the model will remain profitable. And as long as the response remains fragmented, Pyongyang will continue to exploit the most human part of the systems: the pressure to recruit quickly and the tendency to believe that a successful interview equates to a true identity.

Sources

National Interest – How North Korea Is Outsourcing Espionage to American Companies
U.S. Department of Justice – Coordinated Nationwide Actions to Combat North Korean Remote IT Worker Schemes
Reuters – DOJ announces arrests, indictments in North Korean IT worker scheme (June 30, 2025)
FBI – Internet Crime Complaint Center (IC3) – Public Service Announcement on North Korean IT Worker Fraud (2025)
Associated Press – North Korean IT workers accused of infiltrating U.S. companies using stolen identities
Wired – Identities of 80+ Americans Stolen for North Korean IT Worker Scams
Microsoft Security Blog – Jasper Sleet: North Korean remote IT workers evolving tactics to infiltrate organizations (2025)
Palo Alto Networks – Unit 42 – North Korean IT Workers: Expanding Global Operations
FBI – Seeking Victim Information in North Korean Remote IT Worker Investigation
The Washington Post – North Korean remote workers, fraud networks and U.S. facilitators (2025)

War Wings Daily is an independent magazine.