Hiring an Insider Threat…On Purpose: Uncovering North Korean IT Worker Fraud and Keeping the Receipts
Here at Nisos, we’ve spent years helping organizations understand and mitigate complex, human risk-related threats, such as insider risk, executive protection and employment fraud. Recently, we found ourselves confronting one of these in an unexpected place: our own applicant tracking system.
As experts in Democratic People’s Republic of Korea (DPRK)-related IT worker employment fraud, we recognized the red flags we’ve come to know as the hallmark of DPRK threat actors almost immediately when a candidate applied for one of our open roles.
The resume was polished – almost too polished. It appeared to be crafted with generative AI, mirroring our posted job description with uncanny precision. The candidate claimed years of experience with certain tools and technologies that, in reality, had not even existed for that long.
For those of us who track this activity closely, these are not subtle mistakes. They are indicators of fraud.
The Interview: Testing the Narrative Behind DPRK IT Worker Fraud
We scheduled interviews and recorded the process. During the conversations, the candidate frequently looked off-screen, likely consulting prepared responses or an AI tool in real time. We introduced a test: we wanted to ask about a fictitious or historical weather event to validate his location. We referenced “Hurricane George,” a storm that happened back in 1998, and asked about its current impact in the Florida location he claimed as his home base. Without much hesitation, he described damage and local disruption.
Later, when asked to demonstrate prior work live on screen, he abruptly reported connection problems and ended the call.
For organizations unfamiliar with this tactic, it may sound brazen. In reality, it reflects an increasingly sophisticated and industrialized operation. These threat actors are trained to move quickly, adapt their narratives, and disengage the moment scrutiny increases.
Instead of simply rejecting the candidate, we made a deliberate decision: we would treat this as an investigation, and an opportunity to learn.
Going Further: Investigating the Suspected Employment Fraud Operation through Controlled Onboarding
At that point, it would be normal for a company to disengage. The candidate’s actions were unusual to say the least, which should have set off enough alarms to close the book on this individual. Looking to learn more, we chose a different path.
We extended a phoney offer and proceeded with a modified onboarding. The objective was clear: better understand the infrastructure and operational tradecraft behind this suspected DPRK employment fraud operation.
We shipped a specially instrumented corporate laptop. Through careful monitoring and investigative techniques, we were able to observe how it was handled, where it was routed, and how it was used.
The device ultimately led us to a Florida-based “laptop farm.” For those unfamiliar, these are physical locations (usually someone’s home) where company-issued computers are hosted and remotely accessed by the DPRK workers, enabling them to do the work while creating the appearance of legitimate U.S.-based employment.
Once our machine was connected to the farm, we captured images of the setup. We identified their day-to-day patterns, including the number of jobs they apply for and roles they manage in a given day. We quickly recognized multiple U.S. companies in the farm that had already fallen victim to this group of DPRK workers’ fraud efforts – and reached out to them to let them know of the fraudulent workers they were unwittingly employing. We worked with law enforcement, alerting them to our findings and the actions of this farm.
Notably, when we requested return shipment of the laptop after we canceled employment, the DPRK worker provided an alternate return address that differed from the one he provided on his resume and the one where we originally shipped the laptop. The laptop farm was on the move.
Why North Korean IT Worker Operations Pose a Growing Risk
DPRK-driven IT worker fraud is not simply an HR issue, or an issue impacting a few small companies. It is a burgeoning national security issue – and a real, material business risk.
These operatives seek remote roles in engineering, DevOps, AI, cybersecurity, and other technical functions. Once embedded, they generate revenue for North Korea (reportedly to evade sanctions and help fund its weapons programs) and in the process may gain access to sensitive intellectual property, source code, infrastructure, and data. In some cases, organizations have unknowingly paid salaries for months or even years before discovering the deception. DPRK operators are assumed to be embedded, undiscovered, and still working in U.S. and multinational organizations today.
Their methods are continuing to evolve. AI-generated resumes. Deepfake-enabled interviews. Coordinated laptop farms inside the United States. Fraudulent documentation. Real-time AI coaching during video calls.
Traditional hiring controls and corporate security systems were not designed for this type of threat. HR, legal and security need to collaborate in order to take a more thorough look at any candidate. One red flag might not be enough to cause alarm. But several can point to an issue that shouldn’t be ignored.
Bringing Visibility to Hiring-Based Insider Risk
As you may have seen, our investigation, along with video documentation and interviews with members of our team, was recently featured on NBC News. NBC conducted in-person interviews at our offices earlier this year and has reviewed the footage, imagery, and investigative findings.
We were thrilled to be able to work with such a prominent organization to bring visibility to a threat that far too many organizations still underestimate.
Personally, I will say that it was pretty energizing to be able to work with and be interviewed by such a storied news team. It was impressive to see just how much preparation and care goes into a story like this.
For a deeper look at the investigation, read our full research report on Exposing a Fraudulent DPRK Candidate and check out the NBC coverage featuring our findings.
Then join us on March 17 for our webinar on combating employment fraud and insider risk, where our expert panel will explain how hiring-based fraud enables espionage and financial exploitation, and what strategies you can implement immediately to identify, mitigate and prevent it at your organization.
Rethinking Trust in the Modern Hiring Process
This experience reinforced something we already knew: adversaries will exploit any surface area that generates revenue or gives them easy access. In today’s remote working world, the hiring process is one of those surfaces.
Those in a hiring position can no longer assume that identity equals legitimacy. We must validate, test, and verify – and find a way to do it without compromising fairness or inclusivity.
If this could happen at Nisos – a company that specializes in uncovering this very type of activity – it can happen anywhere, from the biggest corporations to small and mid-size businesses. The takeaway is to be aware of the red flags – and to work together internally, across functions, to review candidates and make sure they are who they say they are before hiring them.
If you want to proactively identify employment fraud and reduce workforce risk, talk to our team about protecting your organization across the employee lifecycle.
About Nisos®
Nisos is a human risk intelligence company that provides digital executive protection, insider threat, employment fraud, investigations and advisory solutions to help organizations protect their people, assets, and reputation. Nisos is a contributing member of the World Economic Forum’s Cybercrime Atlas initiative.