February 12, 2025

Inside North Korea’s IT Worker Playbook: Infiltration, Sanctions Evasion & Ransomware Extortion

by
Nametag Team
North Korea Blog Post Header
press@nametag.co

Get in touch with our PR team.

Download media kit

Logos and graphics to help you cover Nametag.

Nametag console showing a successful verification result

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

Five stars in a line
Learn how

Thousands of companies breached. Hundreds of millions of dollars funnelled to weapons programs. Sanctions compliance violations. Source code held for ransom. North Korean IT workers are ramping up their attacks, and most companies are unprepared. Here’s what you need to know and how to fight back.

Threat Overview: North Korean IT Workers

A recent advisory from the New York Department of Financial Services highlights the growing risk of remote workers using deepfake technology and stolen identities to bypass hiring checks. The FBI first warned about operatives affiliated with the Democratic People’s Republic of Korea (DPRK) in 2022. In 2024, North Korea dramatically expanded these operations. Hundreds of companies are confirmed to have been breached, with thousands more likely going unreported or still undetected by their victim. Remote IT worker fraud schemes are a gold mine: North Korea stole $1.34 billion in 2024 from crypto companies alone, per the Observer Research Foundation.

North Korean IT worker operations rely heavily on:

  • Generative AI, using it to create attractive resumes and pass interviews, then producing deepfake identity documents to pass hiring checks.
  • Proxies and laptop farms, masking operatives’ true locations using an intricate system of VPNs, Remote Access Tools (RATs), and physical collaborators.
  • Remote work environments, including outsourced and contractor roles, which don’t expect operatives to show up in person or even appear on camera.
  • Deliberate targeting of critical sectors, including concerted attacks on nuclear power plants and financial systems, as detailed in SC Media.

In December 2024, the U.S. Department Of Justice indicted 14 DPRK nationals for operating a fake IT worker scheme. The indictment reveals that just this one, single group generated over $88 million in revenue for North Korea's weapons programs. The cluster was operating undetected for over six years.

Detail: North Korean IT Worker Schemes

A basic North Korean IT worker scheme works like this:

  1. Create fake identity. A North Korean, often operating out of Russia or China, creates a fake persona, combining a real person’s stolen information with deepfake identity documents.
  2. Get hired into a remote job. The worker passes their interviews, possibly using a generative AI-powered interview coach, and passes background checks using their stolen identity and fake IDs.
  3. Mask their true location. The worker has their laptop shipped to an American collaborator to mask their true location. Secureworks’ Counter Threat Unit (CTU) has also observed cases where threat actors ask to use their personal laptops instead.
  4. Play to their desired end-game. Once hired, North Korean IT workers operate with some combination of the following three goals in mind, depending on a number of factors:
    • Financial: Stay employed for as long as possible to collect as many paychecks as possible.
    • Intelligence: Gain access required to exfiltrate data, intellectual property, or defence secrets.
    • Extortion: Gain access, then deploy ransomware or steal source code to extort a large payout

North Korean IT worker groups are highly organized. Microsoft has found a public repository of their resources, including fake resumes; playbooks for operatives to follow; email accounts and digital wallets; and a detailed tracking sheet. According to Mandiant, operatives may work multiple jobs at once, at varying levels of complexity and across multiple industries or fields of expertise.

A deepfake profile photo (right) created by a North Korean IT worker based on a stock image (left) - from KnowBe4

The Key to Stopping North Korean IT Workers

To stop North Korean IT workers, firms need to implement robust security measures during hiring and employee onboarding. Mandiant, Palo Alto Networks, the FBI and U.S. Department of Justice have all recommended a range of mitigations. We highly recommend reading through Unit 42’s Threat Research report along with their Example Risk Matrix for an Organization Combating DPRK IT workers.

Some commonly-recommended mitigations are good practice. For instance, Mandiant suggests monitoring and restricting the use of remote administration tools (RATs) and verifying phone numbers to detect Voice Over IP (VoIP), which Mandiant has identified is a common tool of North Korean actors.

Other mitigations, however, are less effective. For instance, Palo Alto Networks suggests using a background check provider that includes a document verification service. But all of these services use outdated consumer-grade technology which can easily be fooled by AI-generated deepfake IDs.

Video verification calls, meanwhile, are also vulnerable to generative AI. Threat actors can now swap their video source to live video deepfake generators which are “good enough to fool most people”, according to defense evangelist Roger Grimes. In one case, attackers tricked a Hong Kong finance employee into wiring away $25 million by using deepfakes to impersonate their CFO on a live video call.

Instead of trusting in outdated mitigations which have already proven ineffective, IT and security teams should look to modern solutions that leverage next-generation identity verification technology to place a secure “identity assurance gate” at the account provisioning stage of new employee onboarding. 

Stop North Korean IT Workers with VerifiedHire™

VerifiedHire™ by Nametag is an out-of-the-box solution for secure employee onboarding that is uniquely capable of stopping North Korean IT workers and other advanced threat actors. VerifiedHire replaces outdated, insecure initial credentialing procedures with streamlined self-service backed by Deepfake Defense™ identity assurance. It integrates seamlessly with Identity & Access Management (IAM) platforms like Okta, Microsoft Entra, and Cisco Duo, and OneLogin.

  1. Enable self-service onboarding: Instead of sending a temporary password or pre-authenticated URL to insecure personal email, direct new hires to your customized VerifiedHire onboarding page.
  2. Verify their identity. Nametag’s Deepfake Defense identity verification engine validates legitimate new hires in under 30 seconds, while surfacing North Koreans and other bad actors.
  3. Protect your networks: Verified hires can proceed to set their passwords and enroll in MFA with your identity providers, while bad actors are prevented from gaining access to your systems.

Onboarding new employees through VerifiedHire brings numerous benefits across your organization:

  • Prevent Infiltration: Stop North Korean IT workers and other threat actors from  gaining access to your networks and applications.
  • Stop Contractor Fraud: Use Nametag to quickly verify your extended workforce at scale, discovering imposters and revealing potential insider threats.
  • Eliminate Temporary Passwords: VerifiedHire replaces outdated, insecure temporary password delivery systems with a modern, secure account provisioning experience.
  • Cost Savings: By deflecting new employee verification and initial credentialing to self-service, VerifiedHire creates substantial time and cost savings for IT teams.
Learn more about VerifiedHire onboarding ->

Conclusion: Block Fake IT Workers at Onboarding

North Korean IT workers are confirmed to have successfully infiltrated hundreds of companies in the United States and around the world, with thousands more breaches likely going unreported or still undiscovered by their victims. Fake IT worker schemes create compliance and insider risks for enterprises while attackers steal money, sensitive data, and even defense secrets.

Current mitigations are failing to stop infiltration. Background checks, I-9 validation, video interviews, and other tools are easy to bypass or spoof. By adding an identity verification "gate" in front account provisioning, your organization can finally put an end to the North Korean IT worker threat.

With our Nametag's VerifiedHire secure onboarding solution, you can close a critical security gap in employee onboarding while saving time and improving experiences for (legitimate) new hires. Only Nametag verification is truly capable of combatting modern, AI-powered impersonation threats like DPRK IT workers. Learn more about secure employee onboarding with Nametag VerifiedHire.

Secure your helpdesk against social engineering and impersonators.
Learn more about Nametag
Right Arrow Blue
We use cookies to provide, improve, and promote our services. By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. Visit our Privacy Policy to learn more.
Decline
Accept All Cookies