There is a state-run programme placing North Korean IT workers into remote engineering roles at thousands of companies worldwide. And it is not just going after big enterprises — companies with 50 to 500 employees are well within the targeting range. These operatives use stolen identities, laptop farms, domestic facilitators, and AI deepfake tools to get through background checks and video interviews, and they succeed consistently enough that the operation has reached industrial scale.
The numbers back this up. Okta’s September 2025 threat intelligence report tracked 130+ DPRK IT worker identities across 6,500+ interviews at 5,000+ companies. Amazon blocked 1,800+ suspected operatives, with DPRK-affiliated applications accelerating 27% quarter-over-quarter. The DOJ’s June 2025 enforcement actions included searches of 29 laptop farms across 16 states.
This is not standard hiring fraud. When DPRK operatives are discovered, they do not just disappear — documented cases show extortion demands, data exfiltration threats, and ransomware deployment. And every company that paid salary to one of these operatives has a potential OFAC sanctions violation on their hands, regardless of whether they knew. This article is part of our series covering synthetic candidate fraud in engineering hiring, where we examine the full landscape of threats and defences in the remote hiring pipeline.
What is the DPRK IT worker scheme and how does it actually work?
The DPRK IT worker scheme is a state-directed programme. North Korean workers — physically located in China, Russia, and neighbouring countries — use stolen or fabricated identities to get remote engineering jobs at foreign companies. The revenue flows back to fund weapons programmes. This is not freelancing. It is a directed state operation.
Here is how the operation is structured.
The workers are recruited and directed by the regime. Microsoft estimates over 10,000 operatives active worldwide.
Domestic facilitators are US-based individuals who receive devices at real US addresses, install remote access software, and manage payroll and tax documentation. They make a foreign operative look like a legitimate US-based hire with a real identity and banking setup. An active-duty US Army soldier was among those who pled guilty.
Laptop farms are apartments, warehouses, or offices filled with laptops configured for remote access — so DPRK workers in China or Russia can appear to be operating from inside the United States. The DOJ searched 29 of them across 16 states in June 2025. An Arizona woman pled guilty to operating one that served 300+ companies and generated $17M in illicit revenue.
VPN and IP spoofing round out the evasion. Workers connect through VPN infrastructure to appear US-based. KELA found North Korean-linked machines running developer tools alongside a DPRK-owned VPN called NetKey.
Revenue runs from salary through domestic facilitators into cryptocurrency and back to the North Korean Ministry of Defence — laundered through chain-hopping and OTC traders. Individual workers can earn up to $300,000 annually.
One terminology note worth making: the accurate term is “DPRK IT worker,” not “North Korean hacker.” That framing conflates this programme with intrusion operations like Lazarus Group, which is a separate cluster entirely.
How do DPRK operatives get past video interviews, background checks, and reference checks?
The short answer: no single existing hiring control reliably catches them. The scheme is designed to defeat each control in sequence.
Background checks fail because stolen identities carry real Social Security numbers, real addresses, and real employment histories. Conventional screening has nothing anomalous to flag.
Video interviews fail because AI face-swapping tools overlay fabricated faces during live video calls. The FBI IC3 PSA of January 2025 documents that DPRK operatives use AI and deepfake tools to conceal their identities during interviews. Okta observed DPRK-linked actors progressing through multiple interview rounds at the same organisations — and the operative may not even be the same person across different rounds.
Earpiece coaching lets operatives perform credibly in technical interviews even when their actual skills are inconsistent. Combined with AI face-swapping, both visual and technical performance can be managed at the same time.
Reference checks fail because DPRK networks maintain scripted co-conspirators who pose as former colleagues. Okta’s recommendation: require corporate email references and confirm them via outbound call to the main switchboard — not to numbers the candidate provides.
The combination is what matters. A threat actor who can defeat background checks, video interviews, and reference checks cannot be stopped by any single control working alone.
What is the documented scale of the DPRK IT worker threat?
The scale data from independent sources is corroborating, not conflicting. This is not a single vendor overstating a threat to sell product.
Okta’s September 2025 report tracked 130+ confirmed DPRK identities across 6,500+ interviews at 5,000+ distinct companies. Okta notes that 130 identities is a small sample of total activity.
Amazon CSO Stephen Schmidt disclosed in December 2025 that Amazon had blocked 1,800+ suspected operatives, with applications increasing at 27% quarter-over-quarter. It is accelerating.
CrowdStrike reported a 220% increase in companies infiltrated through the Famous Chollima cluster over the preceding 12 months.
DOJ enforcement actions confirm that consequences are real. The June 2025 actions included two indictments, 29 laptop farm searches across 16 states, and 21 fraudulent websites taken down. The November 2025 announcement documented five guilty pleas and $15M+ in civil forfeiture across 136+ US victim companies.
Chainalysis documented DPRK stealing $1.34B in digital assets in 2024, with the IT worker programme one of several revenue streams.
Is this an enterprise problem or does it reach 50-to-500-person companies?
Sophos put it plainly in their November 2025 CISO Playbook: targeting spans solo contractors all the way up to Fortune 500 companies. Sophos itself was targeted by North Korean operatives posing as IT workers. Their conclusion: “Any company hiring remote workers is at risk.”
IT and technology companies represent only half of Okta’s targeted entities. Finance, healthcare, public administration, and professional services all appear consistently in the data.
The scheme expanded beyond large enterprises because those companies hardened their defences. Smaller companies with valuable code repositories, cloud environments, and customer data became primary targets. Think about what a 100-person SaaS company holds: AWS credentials, source code, customer PII, API keys, and financial system access. Headcount is not a filter.
KnowBe4 — a security awareness training company, not a Fortune 500 enterprise — publicly disclosed it had hired a DPRK operative. Companies well outside big tech are firmly within targeting range.
What happens when a DPRK operative is discovered on your payroll?
This is where it stops being an HR problem and becomes a security incident.
When discovery is imminent, documented cases show operatives shift to extortion, threaten data exfiltration, and in some cases deploy ransomware. The FBI IC3 PSA of January 2025 documents North Korean remote IT workers committing data extortion post-discovery. The US Treasury stated it directly: “The North Korean regime continues to target American businesses through fraud schemes involving its overseas IT workers, who steal data and demand ransom.”
The threat does not wait for termination either. Okta identified early evidence of persistent data theft throughout employment. Some workers introduced malware into company networks while they were still on the payroll.
Post-discovery response requires legal counsel immediately — counsel with experience spanning cybersecurity, privacy, sanctions, and export controls. Forensic review covers every system the operative accessed. Network access is isolated, credentials are rotated, and OFAC voluntary self-disclosure goes on the table. As Crowell & Moring put it: “The solution requires collaboration across HR, IT, legal, finance, and cybersecurity.”
Detection, response, and the full prevention stack are covered in the defence stack for your hiring pipeline.
What does OFAC sanctions liability mean for companies that unknowingly paid a DPRK worker?
This is the element most often missing from technical briefings on this threat.
OFAC enforces civil penalties on a strict liability basis. That means companies can face penalties without knowledge or intent. Paying salary to a DPRK operative constitutes exporting a service payment to a sanctioned entity — regardless of whether the hiring company knew who they were dealing with.
Three rounds of sanctions were imposed in July and August 2025, targeting facilitators who were citizens of Russia, China, India, and Burma. This is active enforcement, not theoretical risk.
Companies that allowed access to ITAR or EAR-controlled data — even inadvertently — may also face investigations from the Departments of State, Commerce, and Justice.
The bottom line: a DPRK IT worker discovery is a board-level legal exposure. The first call should be to legal counsel with sanctions compliance experience.
Detailed board-level treatment is covered in OFAC and negligent hiring exposure.
What can companies actually do to detect DPRK operatives in their hiring pipeline?
Existing defences fail because they were designed for different adversaries. Here is what actually works.
Live, interactive identity verification needs to replace document-scan-only processes. Cross-check stated locations with IP addresses — including VPN detection — against time-zone behaviour and payroll banking information. Sardine.ai is one example of a vendor capable of piercing VPN layers to reveal true device location signals.
Video call anti-deepfake tactics are low-tech but effective. Ask candidates to sit near a window, or to pick up something in their background. Those are actions that are difficult to execute convincingly with real-time face-swapping software running.
Reference verification must use outbound calls. Require corporate email references and confirm them via outbound call to the main switchboard — not to numbers the candidate provides.
Post-onboarding monitoring matters as much as pre-hire verification. Default new workers to least-privilege profiles. Monitor for large data pulls, off-hours logins from unexpected locations, and credential sharing. Segment development, testing, and production environments.
The Sophos CISO Playbook from November 2025 covers eight control categories with specific red-flag checklists. The FBI IC3 advisories add official red flags: inconsistent identity, anonymising infrastructure, and irregular payment flows.
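As an added example (not from the article, Sophos, Okta or the FBI), the checks above expressed as detection logic: one worker's stated profile is cross-checked against constructed session, payroll and egress records for the red-flag categories the text lists (inconsistent identity and location, anonymising infrastructure, irregular payment flows, off-hours logins, concurrent sessions, large data pulls). Field names, thresholds and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample: what the worker claimed at onboarding (assumed field names).
HIRE = {"id": "eng-1042", "stated_country": "US", "stated_tz_offset": -5,
        "payroll_bank_country": "US", "payroll_account_changes_90d": 3}

# Constructed sample: sessions as an identity provider or VPN gateway might log them.
SESSIONS = [
    {"ts": "2025-11-03T14:05:00Z", "ip": "203.0.113.7", "geo_country": "US", "vpn_exit": False},
    {"ts": "2025-11-03T14:20:00Z", "ip": "198.51.100.9", "geo_country": "KR", "vpn_exit": True},
    {"ts": "2025-11-04T07:30:00Z", "ip": "203.0.113.7", "geo_country": "US", "vpn_exit": False},
]
# Constructed sample: megabytes pulled per day from repos and object storage.
EGRESS_MB = [40, 55, 38, 1900]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_hire(hire, sessions, egress_mb, work_hours=(6, 22), window_min=30):
    """Return the set of red flags raised for one worker; an empty set means nothing tripped."""
    flags = set()
    offset = timedelta(hours=hire["stated_tz_offset"])
    ordered = sorted(sessions, key=lambda s: _parse(s["ts"]))
    for i, s in enumerate(ordered):
        when = _parse(s["ts"])
        if s["geo_country"] != hire["stated_country"]:
            flags.add("location_mismatch")            # inconsistent identity / location
        if s["vpn_exit"]:
            flags.add("anonymising_infrastructure")   # VPN or proxy exit node
        local_hour = (when + offset).hour             # hour of day in the stated time zone
        if not work_hours[0] <= local_hour < work_hours[1]:
            flags.add("off_hours_login")
        # Two sessions from different countries inside the window point to shared
        # credentials, e.g. a facilitator-hosted laptop plus an overseas operator.
        if i and s["geo_country"] != ordered[i - 1]["geo_country"] \
                and when - _parse(ordered[i - 1]["ts"]) <= timedelta(minutes=window_min):
            flags.add("concurrent_sessions")
    if (hire["payroll_bank_country"] != hire["stated_country"]
            or hire["payroll_account_changes_90d"] >= 2):
        flags.add("irregular_payment_flow")           # bank country or churn on payout account
    if egress_mb and max(egress_mb) > 10 * median(egress_mb):
        flags.add("large_data_pull")                  # one day far above the worker's baseline
    return flags


if __name__ == "__main__":
    print(HIRE["id"], sorted(review_hire(HIRE, SESSIONS, EGRESS_MB)))
```

Any single flag is a prompt for a human review, not proof; the value is in several firing together for the same account.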
The full detection and defence stack is covered in the defence stack for your hiring pipeline.
Frequently Asked Questions
How much money does North Korea make from its overseas IT worker programme?
Individual workers can earn up to $300,000 annually, collectively generating hundreds of millions for the regime. Chainalysis documented $1.34B stolen across all DPRK operations in 2024. Workers receive roughly $5,000 per month in stablecoin payments, laundered through chain-hopping and OTC traders.
What is Famous Chollima and what role does it play in the DPRK IT worker scheme?
Famous Chollima is CrowdStrike’s designated threat actor cluster for the DPRK IT worker programme — operationally distinct from Lazarus Group. CrowdStrike reported a 220% increase in infiltrations attributed to this cluster. Famous Chollima’s focus is revenue generation through fraudulent employment. Microsoft tracks related activity under Jasper Sleet and Moonstone Sleet.
How is the DPRK IT worker threat different from regular contractor fraud or overemployment schemes?
DPRK operatives are state-directed, funnelling revenue to a weapons programme — not pursuing personal financial gain. They pose an active security threat through data exfiltration, malware, and post-discovery extortion that freelance fraudsters do not. And hiring one creates OFAC sanctions liability that hiring an overemployment worker does not.
Which countries are being targeted beyond the United States?
Okta data shows 73% of targeted roles at US-based firms, but the UK, Canada, and Germany each represent over 2% of observed interviews. Any country with remote engineering roles and convertible-currency payroll is within targeting scope.
What government agencies should I contact if I suspect I have hired a North Korean IT worker?
The FBI’s Internet Crime Complaint Center (IC3) is the primary reporting channel. OFAC voluntary self-disclosure should be considered with legal counsel — proactive remediation can be a mitigating factor. Make all disclosure decisions with legal counsel before contacting any regulator.
Can my company face penalties if we did not know the worker was North Korean?
Yes. OFAC operates on strict liability — civil penalties can apply without knowledge or intent. Revenue paid to a DPRK operative flows to the sanctioned regime regardless of the hiring company’s awareness. Voluntary self-disclosure and cooperation are mitigating factors, but ignorance is not a defence.
What does the Sophos CISO Playbook recommend for detecting fraudulent North Korean hires?
The Sophos November 2025 CISO Playbook covers eight control categories: HR and process controls; interview and vetting; identity and verification; banking, payroll, and finance; security and monitoring; third-party and staffing; training; and threat hunting. Each includes specific red-flag checklists. Available via the Sophos Trust CISO Playbooks portal.
Where can I find the FBI’s official guidance on deepfake hiring fraud?
The FBI IC3 published a public service announcement on January 23, 2025, warning about DPRK operatives using AI and deepfake tools during hiring. It documents data extortion patterns and provides red-flag indicators and reporting guidance. Available at ic3.gov.
What is a laptop farm and why does it matter for this threat?
A laptop farm is an apartment, warehouse, or office containing multiple laptops configured for remote access — allowing DPRK workers in China or Russia to appear to be operating from within the United States. The DOJ searched 29 of them across 16 states in June 2025. An Arizona woman pled guilty to operating one that served 300+ companies and generated $17M.
What is the role of domestic facilitators in the DPRK IT worker scheme?
Domestic facilitators are US-based individuals who receive devices, install remote access software, and manage payroll and tax documentation — making a foreign operative appear to have a legitimate US identity, address, and banking setup. In documented DOJ cases, some appeared for drug testing on behalf of overseas workers. The DOJ has prosecuted facilitators alongside operatives.
Could a staffing agency or contractor platform be the entry point for a DPRK operative?
Yes. Sophos confirmed this as a documented entry vector. KELA documented widespread use of freelancer platforms including Upwork and Fiverr. Okta noted that IT consultancies embedded with multiple clients amplify the risk — a compromise at a service provider can cascade into multiple customer organisations.
For the full landscape of hiring fraud threats — including how the DPRK scheme fits alongside broader synthetic identity risks and the full prevention picture — see our comprehensive guide to synthetic candidate fraud in engineering hiring.