The job interview was off to a strange start. The man on camera seemed nervous, constantly glancing offscreen and fumbling through his responses. Then without warning, a new device joined the meeting—off camera, but displaying the same name as the interviewee. This mysterious newcomer began answering the hiring manager’s questions as the original candidate remained on the call, silently mouthing along to the words like a ventriloquist’s dummy.
It wasn’t a bizarre prank. It was part of a complex scheme by the North Korean government to fund its operations by infiltrating U.S. companies with remote IT workers. Robert Schuett, whose cybersecurity firm DTEX Systems has helped clients detect these illicit workers, shared this story during a July 16 panel at the International Conference on Cyber Security (ICCS) hosted by Fordham’s Gabelli School of Business.
A New Era of ‘Insider Threats’
According to panelist Amit Kachhia-Patel, assistant special agent in charge of the FBI’s New York cyber team, the rise of remote work is creating an opening for North Korean operatives. They’ve already landed jobs at hundreds of U.S. employers, including Fortune 500 companies.
“There’s been a huge demand within corporate America for IT workers, particularly after COVID when everyone went remote. They had to stand up all that remote work infrastructure and now they’ve got to maintain it,” said Kachhia-Patel. Most of the North Koreans are working as programmers, developers, or in other lucrative jobs, the panelists said, generating significant revenue for the heavily sanctioned nation, often referred to as the “hermit kingdom.”
Inside the North Korean Remote Work Scheme
Here’s how the scheme works: North Koreans pose as U.S.-based IT workers, using fake identities to land jobs with American companies. Once hired, they dial into work on company laptops hosted by U.S.-based accomplices. Their paychecks are then funneled to the North Korean regime to fund its operations, including its weapons program.
Several U.S.-based individuals have been charged for creating front companies and fraudulent websites to validate the applicants’ bonafides, and for hosting the company laptops. One Arizona woman pleaded guilty in February for running a “laptop farm” from her apartment that helped funnel more than $17 million to the North Korean government.
Productivity at a Price
The scheme’s goal is generating revenue through actual work, and the North Korean workers tend to be high performers. They’re two to three times more productive than a typical employee, frequently working through weekends and holidays, the panelists said. That’s because each worker is actually a team of people in North Korea.
“Most CEOs hate when we show up at their door. They’re like, ‘You better be kidding, that’s my best worker.’ And unfortunately, yeah, we’re pulling their best developer right out of the production stack,” Schuett said.
Despite the productivity, the IT workers pose real threats. Some have gained access to sensitive information and tried to extort their employers when confronted. In one case, they hacked into a startup’s cryptowallet and stole approximately $900,000 worth of virtual currency.
Defending Against the Threat
So what can companies do? Security starts with the hiring process, according to Brandon Kappus, chief intelligence officer of corporate cybersecurity firm NISOs. Red flags like AI-generated headshots, suspicious resume claims—like many years of experience with a technology that hasn’t been around that long—unverifiable employment histories, or an inability to meet in person can all indicate a fraudulent worker.
“The biggest thing we’re stressing with our clients is close coordination between HR and their security teams during hiring,” Kappus said.
Once employed, there are other red flags to look out for. Irregular hours, working weekends and holidays, and downloading additional remote software can signal a problem.
Schuett shared another giveaway: All of the North Korean IT workers he’s investigated took an unexplained two-hour break in the middle of each workday—timed suspiciously to align with the country’s mandatory indoctrination periods or “Political Ideology Learning Sessions.”
The panelists acknowledged that the added scrutiny needed to weed out these workers could be expensive, but said it’s well worth it in the name of security. In the age of remote work, it’s no longer enough for employers to know what their workers are doing. They have to be sure they know who they are.
