DPRK Remote Worker Fraud: A CPO’s Firsthand Interview Experience

What I Knew Before the Interview

I already knew and that’s what made it so unsettling. Before the video call interview even connected, our team had flagged the candidate: an initial phone screen that seemed “off,” a resume with bullets that were identical to key phrases in the job requisition, and a LinkedIn profile that hadn’t existed six months prior. These were all the hallmarks of a North Korean DPRK remote worker operating under a fabricated persona. I had the information and I knew what tactics, techniques and procedures (TTPs) the candidate would likely use, but I was still nervous.

What Employment Fraud Looks Like on a Video Call

The video call started, and even though I knew it was likely a synthetic identity, the person and the background looked like a typical video conference with a blurred background, except that the candidate was wearing the same shirt and had the same blurred background during his first video interview.

When he spoke, his English was disjointed in ways that his resume would have never suggested, given his years working in the U.S. and for U.S.-based companies. His responses were choppy, like sentences being assembled in real time from a phrase bank. “How do I say…I have experience with…LangChain…” When I asked him questions, he paused and I noticed that his eyes drifted off screen to his left — a beat too long — like he was using a chat bot to answer the questions. When I pushed for specifics or asked other questions, his eyes went left again. He often used the phrase, “how do I say…” while smiling and trying to redirect.

Knowing the Threat Doesn’t Make It Less Dangerous

I knew about North Korean DPRK remote worker fraud, how they use deep fakes in interviews, and how they create online personas to look like seasoned employees working at U.S. companies. However, knowing the truth didn’t make the conversation easier. If anything, it made me more afraid. Not of him, but of how easily these candidates and their tactics can slip right past hiring teams who aren’t aware of this type of employment fraud.

I’ve spent the past year writing and speaking about employment fraud, participating on conference panels; in HR trainings; and to hiring managers, heads of HR, and security teams who either didn’t know this type of fraud existed or doubted this deception could ever affect their organization. I’ve described exactly this type of scenario: redesigned or doctored photos, new or limited online presence, AI-generated resumes and materials, off-camera glances during the interview, and dodged questions when asked to demonstrate technical abilities in real-time. I knew about North Korea DPRK’s TTPs and yet for all I knew about it, I wasn’t prepared for how convincing almost looks like when you’re the one in the room.

How North Korean Remote Worker Fraud Actually Works

North Korean remote worker fraud is one of the active state-sponsored insider threat operations targeting remote hiring today. Their methods are systematic:

• VPNs and laptop farms to mask geographic location
• Fabricated or doctored personas with U.S.-based facilitators who assist with background checks, drug screenings, and pre-employment assessments.
• ATS-optimized resumes engineered to pass automated screening
• Outsourced technical interviews, where a more skilled individual performs off-camera while the front candidate presents on-screen

What hiring teams encounter in the interview is a front — polished enough to pass if you aren’t trained to look for the tells.

The Real Cost of a Fraudulent Hire

Once hired, paychecks from these workers flow directly to fund North Korea’s weapons programs. But the financial risk is only the beginning. A fraudulent hire embedded inside your organization has access to codebases, internal systems, proprietary data, and colleagues who trusted them. The security breach often isn’t discovered until long after the damage is done.

What rarely gets discussed is what it does to a team. The erosion of internal trust that follows an insider threat discovery reshapes how people work together, how they collaborate, how freely information is shared, and how safe people feel.

Why HR and People Leaders Must Lead on Employment Fraud Risks

After the interview — which never completed, because the candidate signed off when we asked him to show us his GitHub portfolio or demonstrate his work in real-time — I kept thinking about those off-screen glances. The pauses. The way his answers arrived in pieces. And how, without prior knowledge of employment fraud red flags, a hiring team could easily have read those behaviors as standard interview nerves and advanced him to the next round.

That’s the gap we need to close.

Employment fraud depends on silence – on the assumption that this won’t happen here, that your ATS will catch it, that a strong recruiter instinct is enough. It isn’t. HR leaders and People Ops teams are now on the front line of insider threat prevention, whether or not that responsibility has been formally named.

Talking openly about these experiences, sharing what we’ve seen, and building employment fraud awareness into hiring practices and HR security training isn’t optional anymore. It’s how we protect our organizations, our teams, and the trust that makes good work possible.

Read more about our DPRK IT Worker investigations, or get in touch with a Nisos specialist to learn how to proactively identify employment fraud and reduce workforce risk.