DPRK Employment Fraud Is Targeting Crypto Companies
In June 2025, a candidate named “Jo” applied to Nisos for a remote Lead AI Architect role. On paper, he looked strong: 15+ years of experience, a resume aligned tightly to the job description, a Florida address, a local phone number.
He was not who he said he was.
Over the course of a three-month investigation (later reported by NBC News) Nisos identified Jo as a suspected Democratic People’s Republic of Korea (DPRK) operative, traced him to an apparent network of at least 20 North Korean workers who had collectively applied to roughly 160,000 roles, and uncovered a U.S.-based laptop farm supporting the operation. You can read the full investigation here.
But Jo’s story is not the story.
The story is that Jo is likely one of thousands of DPRK operatives using employment fraud to target crypto companies.
The Scale of the Threat
The numbers are stark. The U.S. State Department estimates DPRK IT worker schemes generated as much as $800 million in 2024. CrowdStrike identified a 220% year-over-year increase in North Koreans gaining fraudulent employment at Western companies in 2025. The US Attorney for the District of Columbia, Jeanine Pirro, called it a “code red,” and the Department of Justice has described it as the largest identity-theft operation of its kind.
Much of that money, paid as salaries, flows back to Pyongyang, evading sanctions and ultimately funding weapons programs. And increasingly, the money doesn’t just flow – it’s stolen directly. Last summer, a North Korean IT worker was charged with stealing over $700,000 in cryptocurrency assets from a Georgia-based company after being hired as a remote developer. Security researchers have uncovered fake job application platforms impersonating major U.S. cryptocurrency firms, designed to compromise legitimate applicants and, ultimately, the companies that hire them.
The crypto industry is not incidentally exposed to DPRK employment fraud. It is a primary target.
Why Crypto Companies Are Primary Targets
The Crypto ISAC has characterized recent DPRK employment fraud activity as “a social engineering campaign on a new level” – threat actors who work from the inside out, building trust over months before compromising systems. The Drift hack, which the ISAC cited as a watershed moment for the industry, didn’t start with a smart contract exploit or a zero-day. It started with malicious actors gaining the trust of Drift contributors over months of engagement, eventually compromising their devices and multisig wallets.
This is the pattern. DPRK operatives are not smash-and-grab attackers. They are patient. They pass interviews. They ship code. They attend standups. They build relationships with colleagues, smoke (virtually) with their team, exchange GIFs, and play browser games together. And then, when the access is sufficient and the trust is built, they act.
The question the ISAC posed cuts to the heart of the problem: How do you catch someone who looks like a trusted partner from the inside?
The answer is to catch them before they get inside. Once a DPRK operative has credentials, access, and colleagues, the damage is already in motion. The most effective place to stop them is at the hiring pipeline – before the offer, before the laptop, before the trust.
Where Traditional Hiring and Screening Falls Short
Rather than immediately rejecting the candidate, we decided to play along and see what we could learn. Using canary tokens, we traced their connections back to Astrill VPN – a service popular in China, and frequently used by North Korean IT workers.
The plot thickened when we requested a mailing address for laptop delivery. The address provided was different from the one on their resume and had no connection to the real Florida resident whose identity had been appropriated.
Background Checks Verify Documents, Not Identity
Background checks confirm that a name matches a Social Security number, that a claimed university issued a degree, that a listed employer exists. When a DPRK operative applies using stolen PII from a real American, the background check largely passes. It was never designed to answer the question: is the person in this video interview the same person whose identity appears on this resume?
Identity Verification Only Solves Part of the Problem
Automated identity verification platforms verify that an ID document is real and matches the face in front of a camera. They solve a narrower problem: “is this identity document authentic?” They don’t solve: “is this person who they claim to be, and what risks do they carry?” A DPRK operative using stolen PII paired with a real face (their own) can pass these checks cleanly.
Internal Monitoring Starts After the Hire
Internal security tools watch what happens after someone is hired. By the time a fraudulent hire triggers an internal alert, they are already inside the perimeter, with credentials, access, and trust.
The gap sits in the middle: between document verification and post-hire monitoring, there’s no systematic way to investigate whether the person you’re about to hire is actually who they claim to be. That’s the gap DPRK operatives exploit — not by breaking any single system, but by moving through the seams between them.
What a Different Approach to Employment Fraud Looks Like
The Jo investigation was an internal Nisos operation designed to expose a specific threat and share what we learned with the industry. It was made possible by the same capabilities that underpin our Employment Shield solution: analyst tradecraft applied to open-source intelligence, a structured methodology for identifying red flags in a candidate’s digital footprint, and deep expertise in the tactics employment fraudsters actually use.
Employment Shield was built around a different premise than traditional screening. Instead of verifying the documents a candidate provides, it investigates the person behind them.
The Red Flags Traditional Screening Misses
That distinction matters, because the red flags Nisos identifies are not the ones a background check is designed to catch. They are signals like:
- Mirrored job description language in a resume – a potential indicator that a candidate is using AI to tailor applications at scale
- Multiple resume accounts with the same name but inconsistent histories, suggesting a candidate has built several synthetic personas
- VoIP phone numbers and VPN-associated IP addresses that align with known DPRK infrastructure
- Interview behaviors consistent with scripted responses or real-time AI assistance: the pause, the glance off-screen, the sudden logoff when asked to share a screen
- Digital footprints inconsistent with the candidate’s claimed identity, employment history, or location
These are the kinds of findings our analysts surface every day – not through automated database queries, but through the same tradecraft many of them practiced in the U.S. intelligence community, now applied to the hiring pipeline.
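Several of the signals listed above (mirrored job-description language, VoIP numbers, VPN-associated IPs) and the shipping-address mismatch from the Jo case can be pre-screened to decide which applications an analyst looks at first. The Python below is an added example, not Nisos's tooling or method; the record fields, the 0.5 threshold, the pre-resolved `phone_line_type` value and the placeholder IP range are assumptions, and all sample data is constructed.

```python
import ipaddress
import re

# Constructed placeholder (RFC 5737 documentation block) standing in for a
# VPN-exit feed you maintain; it is not real VPN or DPRK infrastructure.
VPN_EXIT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def _trigrams(text):
    words = re.findall(r"[a-z0-9+#]+", text.lower())
    return {tuple(words[i:i + 3]) for i in range(len(words) - 2)}

def mirrored_ratio(job_description, resume):
    """Fraction of the job description's word trigrams found verbatim in the resume."""
    jd = _trigrams(job_description)
    return len(jd & _trigrams(resume)) / len(jd) if jd else 0.0

def _norm_addr(addr):
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()

def triage(candidate, job_description, mirror_threshold=0.5):
    """Return the red flags raised for one candidate record (a dict)."""
    flags = []
    if mirrored_ratio(job_description, candidate["resume_text"]) >= mirror_threshold:
        flags.append("resume_mirrors_job_description")
    if candidate.get("phone_line_type") == "voip":  # assumed result of a carrier lookup
        flags.append("voip_phone_number")
    ips = [ipaddress.ip_address(ip) for ip in candidate.get("observed_ips", [])]
    if any(ip in net for ip in ips for net in VPN_EXIT_RANGES):
        flags.append("vpn_associated_ip")
    ship = candidate.get("shipping_address")
    if ship and _norm_addr(ship) != _norm_addr(candidate["resume_address"]):
        flags.append("shipping_address_differs_from_resume")
    return flags

# Constructed sample input, not data from the investigation.
JD = ("Lead AI Architect to design and deploy large language model pipelines "
      "on Kubernetes with strong MLOps experience")
SAMPLE = {
    "resume_text": ("Architect who can design and deploy large language model "
                    "pipelines on Kubernetes with strong MLOps experience"),
    "resume_address": "100 Example Ave, Anytown, FL",
    "shipping_address": "200 Sample Rd, Othertown, TX",
    "phone_line_type": "voip",
    "observed_ips": ["203.0.113.45"],
}

if __name__ == "__main__":
    print(triage(SAMPLE, JD))
```

A flag here is a reason to route the application to a human investigator, since each signal also occurs among legitimate candidates.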
What This Means for Crypto Companies
Crypto companies are operating in a threat environment that is fundamentally different from the one most hiring processes were designed for. The attackers are patient, well-resourced, state-sponsored, and specifically targeting your industry. They are getting past traditional screening. They are building trust over months before they act. And by the time they act, it is too late.
Closing this gap does not require replacing the tools you already have. Background checks still serve a purpose. Identity verification platforms still serve a purpose. But neither was designed to answer the question that matters most: is the person I am about to hire actually who they claim to be?
That question requires a different kind of investigation. One that looks at the candidate the way an attacker would – not to verify what they claim, but to uncover what they haven’t said.
Talk to a Human Risk Expert About Your Hiring Pipeline
If you’re responsible for hiring, security, or insider risk at a crypto company, you already know the threat is real. The question is whether your current process can see it.
Book a working session with a Nisos analyst to walk through the gaps in your current hiring pipeline – what traditional background checks miss, where DPRK operatives and other sophisticated actors are most likely to get through, and what it would take to close the gap. No pitch. Just a candid conversation with someone who has investigated these threats firsthand.
About Nisos®
Nisos is a trusted digital investigations partner specializing in unmasking human risk. We operate as an extension of security, risk, legal, people strategy, and trust and safety teams to protect their people and their business. Our open source intelligence services help enterprise teams mitigate risk, make critical decisions, and impose real world consequences. For more information, visit: https://nisos.com.