From Red Flags to Laptop Farms: How We Exposed a DPRK IT Worker Fraud Operation from the Inside

When a lead AI architect applied for a remote position at our company, something didn’t feel right. The resume was polished, the credentials impressive, but small inconsistencies stood out to our hiring team. What we uncovered next revealed a sophisticated employment fraud scheme tied to DPRK IT worker fraud – and we gained a front-row seat to their operation.

Since early 2023, we’ve helped clients navigate the growing threat of North Korean (DPRK) IT worker employment schemes. But in June 2025, the threat hit home when one of these workers targeted Nisos directly.

This is the story of how we exposed the fraud, infiltrated the network, and discovered a laptop farm operating on American soil.

For those of us who track this activity closely, these are not subtle mistakes. They are indicators of fraud.

The Application That Raised Red Flags for Employment Fraud

The candidate seemed perfect on paper: a Florida-based lead AI architect with over 10 years of experience, impressive credentials, and a resume that aligned remarkably well with our job posting. Perhaps too well.

During our pre-employment investigation, we noticed several concerning patterns:

  • The resume mirrored our job description verbatim, including specific phrases about “researching and evaluating emerging agentic AI technologies”
  • Claims of experience with tools that didn’t exist during the stated employment periods
  • A brand-new email address, with no presence in any data breaches – unusual for someone with a decade of professional experience
  • A VoIP phone number that could be registered from anywhere
  • Multiple conflicting resumes across different platforms, each telling a different story

These were more than just red flags. Together, they pointed to a coordinated employment fraud attempt targeting remote hiring processes.

The AI-Powered Interview Deception

During our virtual interviews, we observed that the candidate appeared to be using AI assistance in real-time. Their eye movements and response patterns suggested they were reading from an application overlaid on their screen, with the AI listening to our questions and generating responses for the operative to read.

To test this theory, we set a trap. During the second interview, we referenced “Hurricane George,” a storm that happened back in 1998, and asked about its impact on the candidate’s Florida home. Unfazed, the candidate informed us their property had only experienced “minor rain and wind” from our fabricated storm.

The jig, as they say, was up.

What We Found Following the Digital Trail

Rather than immediately rejecting the candidate, we decided to play along and see what we could learn. Using canary tokens, we traced their connections back to Astrill VPN – a service popular in China, and frequently used by North Korean IT workers.

The plot thickened when we requested a mailing address for laptop delivery. The address provided was different from the one on their resume and had no connection to the real Florida resident whose identity had been appropriated.

Inside the Laptop Farm Linked to DPRK IT Worker Fraud

We shipped a specially configured laptop to the provided address, and they took the bait, giving us unprecedented visibility into their operation.

Through the laptop’s camera, we captured images of what appeared to be a closet containing multiple devices – a literal laptop farm. But the real revelation came when we discovered how they maintained control: PiKVM devices.

PiKVM (Keyboard, Video, Mouse over IP) allows remote users to control computers as if physically present, even before the operating system boots. This hardware-based solution is difficult for corporate security systems to detect, making it a particularly useful tool for DPRK IT worker employment fraud.

Exposing the Network Behind the Fraud Operation

Our access revealed a sophisticated operation involving:

  • Approximately 40 devices on the network, with 20 actively part of the laptop farm
  • Multiple personas working for different companies simultaneously
  • Tailscale mesh VPN creating encrypted point-to-point connections between devices
  • A network of willing American accomplices running these laptop farms on US soil

Each PiKVM-controlled laptop represented a fake employee at a different company, all operated remotely by North Korean IT workers.

The Bigger Picture: DPRK IT Worker Fraud at Scale

Our investigation revealed this wasn’t an isolated incident. Hundreds of potential laptop farms operate across the United States, with American citizens willingly (or unknowingly) facilitating this scheme. The workers funnel their paychecks through US bank accounts set up with fake identities before the money makes its way to North Korea.

The sophistication of this operation – combining stolen identities, AI-powered interviews, hardware-based remote access, and distributed laptop farms – represents an evolution in employment fraud that many companies aren’t equipped to detect or prevent.

How to Identify and Prevent Employment Fraud

The North Korean IT worker scheme targets companies of all sizes across every industry. Even organizations like Nisos, who have published extensive research on DPRK employment fraud, aren’t immune to targeting.

Based on our experience, here are the key indicators to watch for:

  • AI-Assisted Communication: Unusual pauses, generic responses, inability to answer unexpected questions
  • Digital Footprint: Newly created emails, no breach history, limited online presence
  • Identity Inconsistencies: Multiple resumes with conflicting information, VoIP numbers, different mailing addresses
  • Technical Anomalies: VPN usage (especially Astrill), reluctance to turn on video, hardware shipping to unexpected locations
  • Documentation Issues: Copied job descriptions, anachronistic experience claims, generic portfolio work

Adapting Hiring Practices to Detect Employment Fraud

This experience reinforced an important truth: traditional hiring processes are inadequate for detecting sophisticated employment fraud. The combination of stolen identities, AI tools, and distributed technical infrastructure creates a perfect storm of deception.

Organizations should adapt their hiring practices to include:

  • Comprehensive OSINT investigations during pre-employment screening
  • Unexpected scenario questions during interviews to detect AI assistance
  • Verification of technical claims against historical timelines
  • Monitoring of device access patterns after hiring
  • Regular audits of remote worker activities
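
Two of the checks described in this post, resume wording copied from the job description and experience claims that predate a tool's release, can be partly automated during screening. The Python below is an added example, not Nisos tooling; the function names, the release-date table, and the sample posting, resume and role history are assumptions constructed for illustration.

```python
import re
from datetime import date

# Reference release dates (month precision), supplied by the screener; extend as needed.
TOOL_RELEASES = {"chatgpt": date(2022, 11, 30), "langchain": date(2022, 10, 1)}

def shingles(text, n=5):
    """Set of lowercase word n-grams, punctuation ignored."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def copied_phrases(job_posting, resume, n=5):
    """Word n-grams that appear verbatim in both the posting and the resume."""
    return shingles(job_posting, n) & shingles(resume, n)

def copy_ratio(job_posting, resume, n=5):
    """Fraction of the posting's n-grams reproduced in the resume (0.0 to 1.0)."""
    posting = shingles(job_posting, n)
    return len(posting & shingles(resume, n)) / len(posting) if posting else 0.0

def anachronisms(roles, releases=TOOL_RELEASES):
    """Return (employer, tool) pairs where the role ended before the tool existed.

    roles: iterable of (employer, start_date, end_date, [tools claimed])."""
    hits = []
    for employer, _start, end, tools in roles:
        for tool in tools:
            released = releases.get(tool.lower())
            if released and end < released:
                hits.append((employer, tool))
    return hits

# Constructed sample data (not taken from the investigation).
JOB_POSTING = ("You will lead researching and evaluating emerging agentic AI "
               "technologies and mentor a team of engineers.")
RESUME = ("Lead AI architect. Responsible for researching and evaluating emerging "
          "agentic AI technologies across the enterprise.")
ROLES = [
    ("ExampleCorp", date(2015, 3, 1), date(2019, 6, 30), ["LangChain", "Python"]),
    ("SampleSoft", date(2021, 1, 1), date(2024, 5, 31), ["ChatGPT"]),
]

if __name__ == "__main__":
    print(f"copy ratio: {copy_ratio(JOB_POSTING, RESUME):.2f}")
    for phrase in sorted(copied_phrases(JOB_POSTING, RESUME)):
        print("verbatim:", phrase)
    for employer, tool in anachronisms(ROLES):
        print(f"anachronism: {tool} claimed at {employer}")
```

A high copy ratio or any anachronism hit is a prompt for manual review alongside the other indicators, not a verdict on its own.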

The stakes are high. Hiring individuals connected to DPRK employment fraud schemes exposes organizations to IP theft, data breaches, regulatory sanctions, and reputational damage.

How Employment Fraud Continues to Evolve

Even as we publish this, the North Korean IT worker scheme continues to evolve. New technologies, better fake identities, and more sophisticated interview techniques emerge regularly. What remains constant is their determination to infiltrate Western companies and generate revenue for their regime.

Our investigation provided a rare glimpse into their operations, but it also served as a reminder: in the world of remote work, verification is no longer optional – it’s essential.

If your organization lacks the resources or expertise to conduct thorough pre-employment investigations, consider partnering with specialists who understand these evolving threats. The cost of prevention pales in comparison to the potential damage of infiltration.

The future of work may be remote, but it doesn’t have to be risky. With the right approach, organizations can embrace global talent while maintaining a trusted workforce and protecting themselves from those who would exploit their trust.

Explore our intelligence solutions for more insights on protecting your organization from employment fraud and insider threats.

Frequently Asked Questions (FAQs) about DPRK IT Worker Fraud


How are DPRK IT workers using AI during interviews?

In some cases, candidates use AI tools in real time to generate answers during interviews. This allows them to respond convincingly even when they lack real experience, making it harder to detect fraud through traditional questioning.

What are the signs of AI-assisted interview fraud?

Indicators can include delayed responses, unnatural eye movement, overly polished or generic answers, and difficulty handling unexpected or scenario-based questions.

Why are laptop farms difficult to detect?

Laptop farms use legitimate company-issued devices that are physically located in the country of employment. Combined with tools like VPNs and remote access hardware, this makes fraudulent activity appear normal to many security systems.

How does employment fraud lead to insider risk?

Once hired, fraudulent employees may gain access to internal systems, data, or infrastructure. This creates a pathway for data theft, financial fraud, or long-term unauthorized access.

What should organizations change in their hiring process?

Organizations should incorporate deeper pre-employment investigations, validate technical claims, use scenario-based interview questions, and monitor device and access behavior after hiring.

About Nisos®

Nisos is a trusted digital investigations partner specializing in unmasking human risk. We operate as an extension of security, risk, legal, people strategy, and trust and safety teams to protect their people and their business. Our open source intelligence services help enterprise teams mitigate risk, make critical decisions, and impose real world consequences. For more information, visit: https://nisos.com.