It starts with a solid resume. Maybe a developer named "Kyle" or "Ji-ho" applying for a remote engineering role. They have great GitHub contributions, a clean LinkedIn profile, and they nail the technical interview. They sound smart. They seem eager. But honestly, "Kyle" doesn't exist. He is a front for a North Korean employment scam that has quietly infiltrated some of the biggest tech firms in the West.
The FBI hasn't been quiet about this. In 2024 and 2025, federal warnings spiked because these aren't just low-level phishing attempts anymore. We are talking about state-sponsored IT workers using stolen identities to bypass KYC (Know Your Customer) checks on freelance platforms. They want the paycheck. But more importantly, they want the access.
North Korea is desperate for hard currency. Sanctions have squeezed the regime, so they've turned their elite hackers and coders into a global remote workforce. Thousands of these workers are allegedly stationed in places like China, Russia, and Southeast Asia. They aren't just "scammers" in the way we think of someone calling about your car’s extended warranty. They are highly skilled professionals.
The mechanics of the North Korean employment scam
So, how do they actually get past a modern HR department? It’s surprisingly low-tech at the start. They use "laptop farms."
Basically, the worker in East Asia hires a "mule" in the United States or Europe. This mule is a real person who agrees to host a laptop at their house. When the company mails a corporate MacBook to their new hire, it goes to the mule’s address. The mule plugs it in and sets up a remote desktop connection. Now, the North Korean worker can log in from across the world, but to the company’s IT department, the IP address looks like it’s coming from a cozy apartment in Nashville or London.
It’s clever. It's effective. And it's making the DPRK millions of dollars.
The Department of Justice recently highlighted cases where these workers pulled in over $300,000 a year. Imagine that. Your company could be unknowingly funding a nuclear weapons program while you think you’re just getting a bargain on a senior React developer.
Identity theft is the engine
They don't use their own names, obviously. They steal the identities of real Americans. They buy Social Security numbers on the dark web or use AI-generated deepfakes to pass video interviews. Sometimes, they hire a "front" person—a Westerner who does the video interview for them—and then the "silent" worker takes over once the job starts.
If you've noticed a new hire who refuses to turn on their camera during Zoom calls, or whose English skills seem to fluctuate wildly between the interview and the actual work, you might be looking at a red flag.
Why the tech industry is the primary target
Technology companies are the "Goldilocks" zone for this. Remote work is the standard. Pay is high. Access to sensitive infrastructure is often granted on day one.
While the primary goal is often just a steady salary, the secondary risk is terrifying. Once a North Korean operative is inside your Slack, your GitHub, or your AWS environment, they have the keys to the kingdom. They can plant backdoors. They can exfiltrate data. They can wait for months, performing perfectly well as an employee, only to strike when the regime needs a specific leverage point.
Spotting the "Hidden" Employee
You can't just rely on gut feeling. These guys are pros. But there are patterns that the FBI and Mandiant have identified over the last few years.
- The Resume Ghost: Their work history is impressive but vague. If you try to contact previous employers, you get dead ends or VoIP numbers that go to voicemail.
- The Remote Desktop Lag: During screen-sharing sessions, there is a noticeable lag that shouldn't exist if they were actually in the same country.
- Payment Redirection: They often ask to be paid through third-party platforms or crypto, or they keep changing their banking information to accounts that don't match their name.
- Work Hours: They are incredibly productive at 3:00 AM your time but seem "busy" or unresponsive during standard US business hours.
One specific case involved a worker who managed to get hired by a major US media company. They worked there for months, gaining praise for their coding speed. It was only when an IT audit noticed the laptop was being accessed via a specific remote-access tool that the whole thing unraveled. By then, thousands of dollars had already been funneled to overseas accounts.
The Role of IT "Mules"
We have to talk about the people inside the US helping them. Many of these "laptop farm" hosts are just looking for easy money. They get paid a few hundred bucks a month to keep a laptop plugged in and running. They might not even know they are working for North Korea.
The DOJ has been cracking down on these individuals, charging them with wire fraud and identity theft. In 2024, a woman in Arizona was arrested for managing a farm that helped North Koreans get jobs at over 300 US companies. This isn't a small-scale operation. It's an industry.
How to Protect Your Organization
If you're a founder or a hiring manager, you're probably feeling a bit paranoid right now. Good. You should be. The standard "background check" isn't enough anymore because the identity they are using is real—it's just stolen.
1. Mandatory Video Interviews with ID Verification
Don't just look at a digital copy of a driver's license. Use a service that requires the person to hold the ID up to their face during a live, recorded session. Watch for inconsistencies in the video feed—AI deepfakes often struggle with side profiles or hands passing in front of the face.
2. Geolocation Audits
Your IT team needs to do more than check the IP. They should be looking for the use of remote desktop software like AnyDesk or TeamViewer on corporate-issued devices. There is almost no reason a standard remote employee should be accessing their work laptop through another computer.
3. Cultural and Knowledge Checks
During the interview, ask hyper-local questions. If they claim to be from Chicago, ask about a specific neighborhood or a local event. It’s a simple "human" test that script-following operatives often fail.
4. Shipping Logistics
Never ship a laptop to a P.O. Box or a residential address that doesn't match the tax records of the employee. If the address on the W-4 is different from the shipping address, pause everything.
The Long-Term Stakes
This isn't just a "business" problem. It's a national security issue. The North Korean employment scam is a primary funding source for the DPRK's ballistic missile program. Every dollar you pay a fraudulent hire could be directly contributing to global instability.
The scammers are getting better. They are using LLMs to write better cover letters. They are using sophisticated voice-cloning software to sound more "Western" during phone calls.
But they aren't perfect. They rely on the fact that HR departments are often overworked and more focused on "filling the seat" than deep-diving into a candidate's physical reality.
Actionable Steps for Employers Today
- Audit your current remote workforce. Look for any laptop that hasn't moved geographically in six months or shows constant remote-access logins.
- Update your onboarding. Implement a "day one" video check-in where the employee must show their physical surroundings.
- Train your recruiters. Make sure they know that "Kyle from California" might actually be a state-sponsored actor in a different time zone.
- Collaborate with legal. Ensure your employment contracts have strict clauses regarding the physical location of work and the use of unauthorized remote-access tools.
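The fleet audit described above and under "Geolocation Audits", combined with the "Work Hours" pattern, sketched as an added example (not code from the FBI, Mandiant, or any vendor). The record layout, device IDs, business-hours window, and 70% threshold are assumptions; the sample inventory is constructed.

```python
from datetime import datetime, timedelta, timezone

REMOTE_TOOLS = ("anydesk", "teamviewer")  # tools named in the article
STATIONARY_DAYS = 180                     # "hasn't moved ... in six months"
BUSINESS_HOURS = range(9, 18)             # assumed 09:00-17:59 local time
OFF_HOURS_RATIO = 0.7                     # assumed triage threshold

def audit_device(device):
    """Return the indicator names that fire for one device record."""
    flags = []
    # 1. Remote-desktop software running on a corporate-issued laptop.
    procs = [p.lower() for p in device["processes"]]
    if any(tool in p for p in procs for tool in REMOTE_TOOLS):
        flags.append("remote_access_tool")
    # 2. Every location sighting across six months or more is the same city.
    sightings = sorted(device["sightings"])  # (UTC datetime, city) pairs
    if sightings:
        span = sightings[-1][0] - sightings[0][0]
        cities = {city for _, city in sightings}
        if len(cities) == 1 and span >= timedelta(days=STATIONARY_DAYS):
            flags.append("stationary_six_months")
    # 3. Activity clusters outside business hours in the claimed timezone.
    tz = timezone(timedelta(hours=device["claimed_utc_offset"]))
    hours = [ts.astimezone(tz).hour for ts in device["activity_utc"]]
    off = sum(h not in BUSINESS_HOURS for h in hours)
    if hours and off / len(hours) > OFF_HOURS_RATIO:
        flags.append("off_hours_activity")
    return flags

def audit_fleet(fleet):
    """Map device id -> indicators, listing only devices with a hit."""
    results = {d["id"]: audit_device(d) for d in fleet}
    return {dev: flags for dev, flags in results.items() if flags}

def at(day, hour):
    # Constructed timestamp: `day` days after 2025-01-01, at `hour` UTC.
    return datetime(2025, 1, 1, hour, tzinfo=timezone.utc) + timedelta(days=day)

# Constructed sample inventory, not real telemetry.
FLEET = [
    {"id": "LT-0001", "claimed_utc_offset": -6,
     "processes": ["Slack", "AnyDesk", "node"],
     "sightings": [(at(0, 9), "Nashville"), (at(200, 9), "Nashville")],
     "activity_utc": [at(d, 9) for d in range(10)]},   # 03:00 local
    {"id": "LT-0002", "claimed_utc_offset": -6,
     "processes": ["Slack", "node"],
     "sightings": [(at(0, 16), "Chicago"), (at(90, 16), "Denver")],
     "activity_utc": [at(d, 16) for d in range(10)]},  # 10:00 local
]
```

A stationary laptop or odd hours alone describes plenty of legitimate home workers, so treat each indicator as a triage lead and prioritize devices where several fire together.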
Ignoring this is no longer an option. The sophistication of these attacks means that by the time you realize you've been scammed, the money, and potentially your data, is already gone. Verify everything. "Trust, but verify" has never been more relevant than in the remote work era.