Inside a DPRK Employment Fraud Operation: What We Learned Running a DPRK IT Worker as an Asset
As you may have heard in the new podcast “To Catch a Thief” by Nicole Perlroth, when a suspicious job candidate applied to Nisos last summer, we saw an opportunity to do more than just reject the application. Working with law enforcement, we turned the tables — running the North Korean operative as an unwitting intelligence source for several months to understand how these employment fraud schemes actually work. We previously shared initial findings from this investigation in an earlier research report. Now, we’re releasing comprehensive research that goes far beyond what the podcast revealed, uncovering new details about the organizational structure, operational processes, and industrial scale of DPRK employment fraud.
What we discovered goes far beyond the technical indicators that have dominated public reporting on DPRK IT workers. Our investigation uncovered the organizational structure, operational processes, and human dynamics of a DPRK employment fraud operation that submitted over 170,000 job applications across 22 operatives between December 2024 and September 2025, yielding 76 employment offers from US companies.
The podcast “To Catch a Thief” introduced listeners to our investigation, but the full story is even more revealing. Our comprehensive research uncovers the operational tradecraft behind the headlines, showing not just that North Korean operatives are infiltrating US companies, but exactly how they’re doing it at industrial scale.
The Scale of Employment Fraud Operations
The numbers alone tell a compelling story. This single cell maintained a 13% interview rate but only a 0.35% conversion from application to job offer, suggesting a volume-based approach that treats employment fraud like any other business operation. Technology companies comprised 42.6% of their successful targets, with developers and engineers representing over 70% of pursued roles — positions that offer high salaries, established remote work culture, and limited security screening.
These weren’t isolated cases of candidate fraud. They were part of a coordinated operation designed to place fraudulent personas into remote roles at scale.
But the real insight isn’t in the statistics. It’s in understanding how they operate as an organization.
Inside the Operation: Structure, Process, and Coordination
Our investigation revealed a sophisticated hierarchy with administrators, managers, team leads, and operatives — each with defined roles and responsibilities. They used Discord for daily coordination and a custom dashboard to track performance metrics across the entire cell. Individual operatives managed between one and four fake personas simultaneously, with strict operational security measures to avoid detection.
The cell’s pre-employment preparation highlighted the limitations of traditional identity verification processes. Operatives didn’t just steal identities; they built comprehensive validation systems. They created closed-loop reference networks where operatives provided employment verification for each other’s personas. They purchased identity packages from Telegram brokers for $20-200 per item. They obtained fraudulent but legitimate-looking driver’s licenses through state DMV systems, then digitally manipulated photos to match whoever would be taking drug tests or attending interviews.
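A defensive check for the closed-loop reference networks described above, as an added example that is not part of the Nisos research: it links each applicant's listed references back to other applicants' own contact details and reports groups that vouch for one another. The record layout, field names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

APPLICATIONS = [  # constructed sample ATS records; field names are assumptions
    {"id": "cand-1", "contacts": ["a.lee@example.com", "+1 (555) 010-0001"],
     "references": ["B.Kim@example.com"]},
    {"id": "cand-2", "contacts": ["b.kim@example.com"], "references": ["555-010-0003"]},
    {"id": "cand-3", "contacts": ["c.park@example.com", "+1 555 010 0003"],
     "references": ["a.lee@example.com"]},
    {"id": "cand-4", "contacts": ["d.roe@example.com"], "references": ["hr@employer.example"]},
]

def normalize(contact):
    """Lower-case e-mails; reduce phone numbers to their last 10 digits."""
    c = contact.strip().lower()
    return c if "@" in c else re.sub(r"\D", "", c)[-10:]

def reference_graph(apps):
    """Edge A -> B when one of A's references is B's own contact detail."""
    owner = {normalize(c): a["id"] for a in apps for c in a["contacts"]}
    graph = defaultdict(set)
    for a in apps:
        for ref in a["references"]:
            target = owner.get(normalize(ref))
            if target and target != a["id"]:
                graph[a["id"]].add(target)
    return graph

def reachable(graph, start):
    seen, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def closed_loops(apps):
    """Groups of candidates who vouch for each other, directly or in a ring."""
    graph = reference_graph(apps)
    reach = {a["id"]: reachable(graph, a["id"]) for a in apps}
    loops = set()
    for a, seen in reach.items():
        if a in seen:  # a's reference chain leads back to a
            loops.add(frozenset(b for b in seen if a in reach[b]))
    return sorted(sorted(g) for g in loops)

if __name__ == "__main__":
    print(closed_loops(APPLICATIONS))
```

A flagged group is a prompt for manual review, not proof of fraud: former colleagues applying to the same employer can legitimately list each other.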
Most striking was their recruitment of US-based “natives” — American citizens who served as front-facing employees and managed laptop farms for remote access. These facilitators were recruited through Reddit, Discord, and even adult cam sites, often targeting people in financial distress with offers of 50/50 salary splits or $300 payments for completing drug screenings.
How AI Changed the Interview Process
The cell’s interview tactics showcased how AI tools are being weaponized for employment fraud. Operatives used ChatGPT overlays during video interviews, with AI-generated responses appearing transparently on their screens while maintaining eye contact with interviewers. They practiced accent training through specialized apps and maintained detailed calendars to coordinate overlapping interviews across multiple personas.
In some cases, natives attended interviews while operatives provided technical answers remotely through KVM devices. In others, operatives handled interviews directly with real-time AI assistance. Both approaches demonstrated a level of coordination and technological sophistication that traditional background checks simply aren’t designed to detect.
Three Ways the Cell Generated Revenue
Once hired, the cell operated through distinct models that balanced operational security with profit maximization:
- Native as employee, operative performs work (50/50 salary split)
- Operative as both employee and worker (maximum profit retention)
- Operative as employee, third-party “bidder” performs work (scaling mechanism)
This flexibility allowed individual operatives to manage multiple simultaneous employments while maintaining plausible personas across different companies, demonstrating how remote worker fraud has evolved beyond isolated incidents into organized operations.
Why This Research Matters
For four years, Nisos has been helping clients identify North Korean workers in their organizations. But this investigation provided something different: a window into the human processes behind the technical indicators we typically track.
Understanding how these operations actually function — their organizational structure, recruitment methods, quality controls, and scaling mechanisms — is essential for building effective defenses. Traditional background checks verify documents, but they can’t verify the person behind them. Standard security tools monitor what happens inside your network, but they can’t see the external coordination happening through Discord servers and Telegram channels.
The reality is stark: if you’re hiring remote technology talent, you’re being targeted. The cell we tracked infiltrated companies ranging from small app developers to Fortune 50 enterprises. The sophistication of their personas, the coordination of their operations, and the scale of their activities represent a threat that requires dedicated human intelligence to detect and counter.
See the Full Investigation
Our full research report details the operational tradecraft, communication patterns, and organizational dynamics we observed during this four-month investigation. For security teams building insider threat programs, HR leaders managing hiring processes, and risk professionals assessing third-party relationships, these insights provide crucial intelligence for understanding what you’re up against.
The threats targeting your people and infiltrating your workforce originate outside your firewall, where traditional security tools have no visibility. This research demonstrates why human risk intelligence has become essential for organizations serious about protecting themselves from state-sponsored employment fraud.
Explore our Employment Shield and Insider Threat solutions to learn how Nisos helps organizations detect and prevent these sophisticated infiltration attempts.
About Nisos®
Nisos is a trusted digital investigations partner specializing in unmasking human risk. We operate as an extension of security, risk, legal, people strategy, and trust and safety teams to protect their people and their business. Our open source intelligence services help enterprise teams mitigate risk, make critical decisions, and impose real world consequences. For more information, visit: https://nisos.com.