People, Process, Personas: Nisos Exposes the Human Risk in DPRK Employment Fraud Schemes
Executive Summary
Nisos assesses with high confidence that a Democratic People’s Republic of Korea (DPRK) state-sponsored cell conducted industrial-scale employment fraud against US companies, submitting more than 170,000 job applications that yielded 76 employment offers across 22 operatives between December 2024 and September 2025, utilizing appropriated identities, AI-driven interview assistance, and US-based facilitators to infiltrate US companies primarily in the technology sector. The cell, which Nisos identified and has tracked since mid-2025, exhibits technical indicators, operational patterns, and tactics that align with documented North Korean employment fraud campaigns designed to generate income for the regime. [1]
- Some operatives likely operated from Taraksan, North Korea and other international locations.
- Technical analysis revealed tactics, techniques, and procedures (TTPs) consistent with known DPRK tactics, including use of Astrill VPN, PiKVM devices for remote access, and cryptocurrency payments.
- The cell focused on revenue generation through actual employment rather than traditional cybercrime, providing high-confidence attribution to DPRK’s systemic campaign to generate funds through fraudulent IT employment.
Overview
The cell maintained a hierarchical structure with an administrator, administrative manager, team leads, and operatives who managed one to four personas each. Each operative was responsible for completing the job duties of their respective personas, either through their own efforts or through outsourcing to a third party they referred to as a “bidder.”
These roles are further defined in Appendix A.
- The cell employed facilitators, known internally as “natives,” who managed US-based laptop farms that served as controlled technical entry points for operatives to remotely conduct fraudulent activities.
- The cell used a Discord server for internal communication among operatives and a Vercel dashboard (cloud-hosted web management tool) to track the cell’s performance.
- The DPRK operative cell maintained strict operational security to conceal identities, limit discoverability, and segment communications.
Pre-Employment
Operatives built personas using appropriated or purchased information associated with real people, but usually with new email and LinkedIn accounts the operatives controlled, to aid in passing initial background checks during the onboarding process.
- Operatives conducted some vetting of the identity information, such as checking the validity of the social security number (SSN) on www.ssn-verify[.]com, verifying whether the identity is registered for Selective Service on www.sss[.]gov/verify, and searching the individual in TruthFinder.
- Operatives purchased identity packages and accounts from bespoke brokers (i.e., one on Telegram) to build personas, paying between $20 and $200 per item.
- Operatives obtained driver’s licenses that were likely Department of Motor Vehicles (DMV)-issued but fraudulently obtained through state DMV websites, routed the physical documents through US-based “natives,” then digitally manipulated the photographs to match the operatives or natives conducting interviews or drug tests, verifying accuracy using Dynamsoft barcode readers.
- Operatives created a closed-loop reference validation system where operatives provided mutual employment verifications and reference checks for each other through their established personas.
- Operatives recruited US-based individuals, or natives, to serve as front-facing employees and to manage laptop operations. Operatives paid natives via ERC20 cryptocurrency.
- Operatives established a website for a fictitious company to potentially verify false employment history when needed, though we did not identify any active use of this fictitious company during our investigation.
Application, Interview, and Onboarding
Analysis of DPRK activity across the application, interview, and onboarding phases highlights how the cell executes industrial-scale employment fraud with discipline, precision, and coordinated tradecraft. Investigation origins are detailed in Appendix B.
- In the application phase, team leads set priorities, enforce exclusions, and push volume through resume generators and shared dashboards, driving thousands of tailored submissions across mainstream hiring platforms.
- The interview phase shows reliance on AI-enabled coaching, accent training, and remote access overlays that allow operatives to inject technical responses while operatives or “natives” support the personas’ presence within the United States.
- The onboarding phase leverages forged documentation, metadata scrubbing, and employer-issued hardware to establish persistence and integrate accounts into the broader operation.
On the Job
Upon employment, DPRK operatives executed work through at least three distinct models: a native as front-facing employee with the operative performing work (likely 50/50 compensation split); an operative as both front-facing employee and worker; and an operative as front-facing employee with a bidder who performs work.
DPRK Attribution Analysis
The fraudulent employment scheme Nisos detected employs tactics consistent with documented North Korean activities, including appropriating legitimate biographical information from US citizens to pass pre-employment verification, systemically requesting hardware shipment to addresses different from personas’ listed residences, and utilizing certain personas to serve as employment references and emergency contacts for multiple candidates in the pre-hire and post-offer stages.
- Nisos assesses with moderate confidence that at least some operatives were physically co-located in Taraksan, North Korea, while others operated from multiple locations outside the US. Discord direct messages revealed at least three operatives explicitly referencing the location of Tarak in their discussions, likely a reference to Taraksan, North Korea. Taraksan, also known as Mount Tarak, has a sparse population density. Discord messages also showed a reliance on Google Meet, Zoom, and Microsoft Teams for communication and infrastructure testing, suggesting a dispersed operational structure rather than full co-location.
- Technical analysis of the operative who applied to Nisos revealed TTPs consistent with DPRK IT workers: use of Astrill VPN (IP addresses 167.88.61.250 and 167.88.61.117); deployment of PiKVM devices for undetectable remote access to corporate laptops; and use of Tailscale mesh VPN to create encrypted networks across distributed laptop farms.
- The cell’s operational security (OPSEC) practices—including the use of AI-generated resumes that mirror job descriptions and VoIP phone numbers from services like Hushed—align with FBI and Treasury warnings about DPRK IT workers. [2,3]
- The cell’s structure reveals a high level of coordination: a formal hierarchy with administrators, managers, and team leads overseeing up to 22 operatives who submitted at least 166,893 job applications in roughly 9 months, resulting in at least 76 employment offers.
- The cell focused on revenue generation through actual employment rather than traditional cybercrime, demonstrated avoidance of cybersecurity roles that might expose their activities, and used cryptocurrency for payments to and from the group.
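The pre-hire indicators described above (hardware shipped to an address other than the listed residence, personas reused as references for multiple candidates, the closed-loop reference checks, and the two Astrill VPN addresses) can be checked against applicant-tracking data. The following is an added example, not Nisos code; the record fields and function names are hypothetical and the sample records are constructed.

```python
from collections import defaultdict

# Astrill VPN addresses named in the report; exit IPs rotate and are shared,
# so a hit is a lead for review, not proof.
ASTRILL_IPS = {"167.88.61.250", "167.88.61.117"}

# Constructed sample records: every name, address and phone number is invented.
CANDIDATES = [
    {"name": "A. Rivera", "phone": "555-0101", "home": "12 Oak St, Austin TX",
     "ship_to": "90 Pine Ave, Newark NJ", "src_ip": "167.88.61.250",
     "refs": ["555-0102", "555-0199"]},
    {"name": "B. Chen", "phone": "555-0102", "home": "4 Elm Rd, Denver CO",
     "ship_to": "90 Pine Ave, Newark NJ", "src_ip": "203.0.113.7",
     "refs": ["555-0101", "555-0199"]},
    {"name": "C. Okafor", "phone": "555-0103", "home": "7 Bay Ct, Tampa FL",
     "ship_to": "7 bay ct,  Tampa FL", "src_ip": "198.51.100.20",
     "refs": ["555-0150"]},
]

def norm(addr):
    """Normalise an address for comparison (case, commas, whitespace)."""
    return " ".join(addr.lower().replace(",", " ").split())

def screen(candidates, vpn_ips=ASTRILL_IPS):
    """Return {candidate name: [flags]} for the report's pre-hire indicators."""
    refs_of = {c["phone"]: set(c["refs"]) for c in candidates}
    cited_by = defaultdict(set)  # reference phone -> candidates who list it
    for c in candidates:
        for ref in c["refs"]:
            cited_by[ref].add(c["name"])
    findings = {}
    for c in candidates:
        flags = []
        if norm(c["ship_to"]) != norm(c["home"]):
            flags.append("ship_to_differs_from_residence")
        if any(len(cited_by[ref]) > 1 for ref in c["refs"]):
            flags.append("reference_shared_across_candidates")
        # Closed loop: a listed reference is another candidate who lists this one back.
        if any(c["phone"] in refs_of.get(ref, ()) for ref in c["refs"]):
            flags.append("mutual_reference_between_candidates")
        if c["src_ip"] in vpn_ips:
            flags.append("known_astrill_vpn_ip")
        if flags:
            findings[c["name"]] = flags
    return findings

if __name__ == "__main__":
    for name, flags in screen(CANDIDATES).items():
        print(name, flags)
```

Each flag is individually weak; the value is in the combination, which is why the function returns the full list per candidate for a reviewer to weigh.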
Nisos Research Featured in NBC News
Our investigation into North Korea’s IT worker infiltration scheme was recently covered by NBC News, highlighting the growing threat of fraudulent remote employment used to fund state-backed operations.
About Nisos®
Nisos is the human risk management company specializing in unmasking threats before they escalate. The company is a trusted advisor, operating as an extension of security, intelligence, legal, and human resource teams to protect their people and business. Nisos’ intelligence-led solutions help enterprises make critical decisions, manage human risk, and drive real world consequences for digital threats. For more information, please visit: https://www.nisos.com.