Inside North Korea’s IT Worker Playbook: Infiltration, Sanctions Evasion & Ransomware Extortion

by
Nametag Team

Thousands of companies breached. Billions of dollars funnelled to weapons programs. Source code held for ransom. North Korean IT workers are ramping up their attacks, and most companies are unprepared. Here’s what you need to know and how to fight back.

Note: This article was originally published in February 2025. It is being continually updated as new reports and stories emerge.

Threat Overview: North Korean IT Workers

In 2024, an escalating series of incidents brought to light a set of global programs to help threat actors affiliated with the Democratic People’s Republic of Korea (DPRK) infiltrate companies around the world through remote IT jobs. Their goals include generating revenue for the DPRK government, stealing sensitive data or secrets, or extorting a ransomware payout.

The FBI first warned against these attacks in May 2022 and they have intensified dramatically in 2025. The scale of the threat is staggering: reports in late April 2025 and early May 2025 now indicate that attackers have breached thousands of companies around the world, including "nearly every major company" and hundreds of the global Fortune 500.

More and more companies are now coming forward to share their stories in hopes of providing insights and intel that will help their colleagues in cybersecurity and insider risk management counter these threats. But the job applications keep coming and the breaches keep happening.

“There are hundreds of Fortune 500 organizations that have hired these North Korean IT workers.” - Mandiant Consulting CTO Charles Carmakal

The fake IT worker program is so successful that it has become a major arm of the DPRK government's cyber divisions. An exposé published in Wired details a sting operation carried out by the reporter and a web security startup. The article describes "Teams of 10 to 20 young men" who "live and work out of a single apartment, sleeping four or five to a room and grinding up to 14 hours a day at weird hours to correspond with their remote job’s time zone."

In addition to its scope, the level of sophistication and innovation demonstrated by these attackers is also unprecedented. Attackers combine diverse tools in order to gain employment and remain undetected.

  • Generative AI to create attractive resumes and pass interviews, and to produce deepfake identity documents that pass hiring checks.
  • Proxies and laptop farms to mask their location using an intricate system of VPNs, Remote Access Tools (RATs), and physical collaborators.
  • Remote work environments, including outsourced and contractor roles, which don’t expect operatives to show up in person or appear on camera.
  • Deliberate targeting of critical sectors, including concerted attacks on nuclear power plants and financial systems, as detailed in SC Media.

[Fraudsters] take a green-colored card the exact shape and size of an identity card—a mini green screen—and, using deepfake technology, project the image of an ID onto it. “They can actually move it and show the reflection,” says Greene. “It’s very sophisticated.”

North Korean IT worker groups are highly organized. Microsoft has found a public repository of their resources, including fake resumes; playbooks for operatives to follow; email accounts and digital wallets; and a detailed tracking sheet. According to Mandiant, operatives may work multiple jobs at once, at varying levels of complexity and across multiple industries.

In December 2024, the U.S. Department of Justice indicted 14 DPRK nationals for operating a fake IT worker scheme. The indictment reveals that this single group generated over $88 million in revenue for North Korea's weapons programs. The cluster was operating undetected for over six years.

Detail: North Korean IT Worker Schemes

A basic North Korean IT worker scheme works like this:

  1. Create fake identity. A North Korean, often operating out of Russia or China, creates a fake persona, combining a real person’s stolen information with deepfake identity documents.
  2. Get hired into a remote job. The worker passes their interviews, possibly using a generative AI-powered interview coach, and passes background checks using their stolen identity and fake IDs.
  3. Mask their location. The worker has their laptop shipped to a collaborator located in the country they're claiming to work from. Secureworks’ Counter Threat Unit (CTU) has also observed cases where threat actors ask to use their personal laptops instead.
  4. Play to their desired end-game. Once hired, North Korean IT workers operate with some combination of the following three goals in mind:
    • Financial: Collect as many paychecks as possible.
    • Intelligence: Gain access required to exfiltrate data or secrets.
    • Extortion: Deploy ransomware or steal source code to extort a payout.

A deepfake profile photo (right) created by a DPRK IT worker based on a stock image (left) - from KnowBe4

The Key to Stopping Fake IT Workers

To stop North Korean IT workers, firms need to implement robust security measures during hiring and employee onboarding. Mandiant, Palo Alto Networks, the FBI and U.S. Department of Justice have all recommended a range of mitigations. We highly recommend reading through Unit 42’s Threat Research report along with their Example Risk Matrix for an Organization Combating DPRK IT workers.

Some commonly recommended mitigations are good practice. For instance, Mandiant suggests monitoring and restricting the use of remote administration tools (RATs) and verifying phone numbers to detect Voice over IP (VoIP), which Mandiant has identified as a common tool of North Korean actors.
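As an added example (not Nametag's code and not taken from the Mandiant or Unit 42 reports), the following Python check applies the onboarding indicators this article names (the laptop shipping address, a request to use a personal laptop, a VoIP contact number, and remote administration tools on the managed device) to constructed onboarding records. The tool names, phone prefixes and line-type table are placeholders; a real deployment would take the disallowed-software list from policy and the line type from a carrier lookup.

```python
from dataclasses import dataclass, field

# Constructed lookup tables (assumptions). A real deployment would take the
# disallowed-software list from policy and the line type from a carrier lookup.
REMOTE_ADMIN_TOOLS = {"anydesk", "teamviewer", "rustdesk"}
VOIP_LINE_TYPES = {"voip", "virtual"}
LINE_TYPE_BY_PREFIX = {"+1555": "voip", "+1206": "mobile"}  # placeholder data

@dataclass
class OnboardingRecord:
    employee_id: str
    hr_address: str             # address the hire gave HR
    laptop_ship_address: str    # where IT was asked to ship the managed laptop
    asked_for_personal_laptop: bool
    phone_number: str           # E.164 format
    installed_software: list[str] = field(default_factory=list)

def phone_line_type(number: str) -> str:
    """Classify a number by prefix using the placeholder table above."""
    for prefix, line_type in LINE_TYPE_BY_PREFIX.items():
        if number.startswith(prefix):
            return line_type
    return "unknown"

def risk_flags(rec: OnboardingRecord) -> list[str]:
    """Return the indicators named in the article that this record trips."""
    flags = []
    if rec.laptop_ship_address.strip().lower() != rec.hr_address.strip().lower():
        flags.append("laptop shipped to an address other than the one on file")
    if rec.asked_for_personal_laptop:
        flags.append("asked to use a personal laptop instead of a managed device")
    if phone_line_type(rec.phone_number) in VOIP_LINE_TYPES:
        flags.append("contact number is a VoIP line")
    tools = {s.lower() for s in rec.installed_software} & REMOTE_ADMIN_TOOLS
    if tools:
        flags.append("remote administration tool installed: " + ", ".join(sorted(tools)))
    return flags

def triage(records: list[OnboardingRecord]) -> dict[str, list[str]]:
    """Map employee_id -> flags for every record with at least one indicator."""
    return {r.employee_id: f for r in records if (f := risk_flags(r))}

# Constructed sample records: one clean hire, one tripping every indicator.
SAMPLE = [
    OnboardingRecord("E1001", "1 Main St, Seattle", "1 Main St, Seattle", False,
                     "+12065550100", ["slack", "vscode"]),
    OnboardingRecord("E1002", "1 Main St, Seattle", "9 Elm Rd, Austin", True,
                     "+15550100200", ["AnyDesk", "slack"]),
]
```

Each flag is a prompt for a human review of that hire, not a verdict; legitimate employees move house and use VoIP numbers too, which is why the article pairs these checks with identity verification at provisioning.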

Other mitigations, however, are less effective. For instance, Palo Alto Networks suggests using a background check provider that includes a document verification service. But all of these services use outdated consumer-grade technology which can easily be fooled by AI-generated deepfake IDs.

Video verification calls, meanwhile, are also vulnerable to generative AI. Threat actors can now swap their video source to live video deepfake generators which are “good enough to fool most people”, according to defense evangelist Roger Grimes. In one case, attackers tricked a finance employee into wiring away $25 million by using deepfakes to impersonate their CFO on a live video call.

Instead of trusting in outdated mitigations which have already proven ineffective, IT and security teams should look to modern solutions that leverage next-generation identity verification technology to place a secure “identity assurance gate” at the account provisioning stage of new hire onboarding.

Stop North Korean IT Workers with VerifiedHire™

VerifiedHire™ by Nametag is an out-of-the-box solution for secure employee onboarding that is uniquely capable of stopping North Koreans and other advanced threat actors. It replaces outdated, insecure initial credential delivery with streamlined self-service backed by Deepfake Defense™ assurance.

  1. Self-service onboarding: Instead of sending a temporary password or pre-authenticated URL to insecure personal email, direct new hires to your customized VerifiedHire onboarding page.
  2. Verify their identity: Nametag’s Deepfake Defense identity verification engine validates legitimate new hires in under 30 seconds, while surfacing North Koreans and other bad actors.
  3. Protect your networks: Only verified hires can proceed to set passwords and enroll in multi-factor authentication with your identity providers.

Onboarding new employees through VerifiedHire brings numerous benefits:

  • Prevent infiltration: Stop North Korean IT workers and other threat actors from gaining access to your networks and applications.
  • Stop contractor fraud: Use Nametag to quickly verify your extended workforce at scale, uncovering imposters and potential insider threats.
  • Eliminate temporary passwords: VerifiedHire replaces outdated, insecure procedures with a modern, secure, streamlined self-service process.
  • Cost savings: Deflect new employee verification and initial credentialing to self-service to create substantial time and cost savings.

Conclusion: North Korean IT Workers Are Everywhere. But They Can Be Stopped.

Thousands of companies have been breached. North Korean IT workers are confirmed to have successfully infiltrated hundreds of companies in the United States and around the world, with thousands more breaches likely going unreported or still undiscovered by their victims.

Current mitigations are failing to stop infiltration. Background checks, I-9 validation, video interviews, and other tools are easy to bypass or spoof. By adding an identity verification "gate" in front of account provisioning, your organization can finally put an end to the North Korean IT worker threat.

Uncover fake IT workers with Deepfake Defense™ identity verification. With Nametag's VerifiedHire secure onboarding solution, you can close a critical security gap in employee onboarding while saving time and improving experiences for (legitimate) new hires. Only Nametag verification is truly capable of uncovering AI-powered imposter threats like DPRK IT workers.
