Inside the North Korean Remote IT Worker Scheme in 2025

[Figure: a visual representation of the North Korean remote IT worker scheme, showing how cyber operators infiltrate global companies through fake jobs and remote access.]

The North Korean remote IT worker scheme has evolved from a fringe cybercrime tactic into a large, semi-industrial system that quietly inserts state-backed operatives into Western tech companies. What once looked like isolated fake LinkedIn jobs or suspicious recruiters is now clearly a multi-layered operation with shell companies, identity theft rings, laptop farms, and a growing trail of criminal cases.

In 2025, a wave of new research, indictments and first-hand traps set by researchers gives the clearest picture yet of how this ecosystem works, how much money it is funneling back to Pyongyang, and why your next remote hire might be more than just a skills match.

How the scheme actually works

At a high level, investigators describe a repeatable playbook.

  1. Create or hijack credible identities.
    North Korean IT workers obtain stolen identities of US and European citizens or pay intermediaries for permission to reuse their names, tax IDs and bank accounts. In one recent US case, Ukrainian national Oleksandr Didenko admitted selling US identities to North Korean operatives so they could land jobs at around 40 American companies. (Source: Department of Justice)

  2. Hide location behind global infrastructure.
    Workers usually sit in North Korea, China or nearby regions, but route traffic through residential VPNs, proxies and company laptops that physically sit in the US. Justice Department documents describe these setups as “laptop farms”: racks of employer-issued machines at a facilitator’s home, all remotely controlled from abroad.

  3. Pass modern hiring pipelines.
    Operatives use AI tools to draft cover letters, answer technical interview questions and even generate audio or video deepfakes that match the stolen identities. Reporting from WIRED details candidates who cruise through automated coding tests and video interviews using a mix of scripted answers, ChatGPT-style models, and tight rehearsal. (Source: WIRED)

  4. Blend in inside the company.
    Once hired, the workers behave like typical remote developers. They log tickets, attend stand-ups and push code. The real difference is where the paycheck goes. According to US authorities, salaries, bonuses and side gigs are ultimately wired into networks controlled by the North Korean state, where they help fund missile and nuclear programs.

  5. Turn access into leverage.
    Some workers stop at salary extraction. Others escalate. By controlling laptops and corporate credentials, they can quietly exfiltrate source code, internal tools, and sensitive data. The same access can be reused for follow-on intrusions, ransomware or crypto theft.

New research: when investigators turned the tables

In December 2025, researchers from BCA LTD, NorthScan and analysis platform ANY.RUN did something unusual. They did not just write about Lazarus Group tactics. They hired the attackers. (Source: The Hacker News)

Using realistic but fully controlled virtual machines wired through US residential proxies, the team invited Lazarus-linked IT workers to operate inside what looked like real developer laptops. The workers attempted to:

  • Install remote access tools such as browser-based remote desktops

  • Set up password and two-factor interception workflows

  • Run reconnaissance scripts and tooling that focus on identity takeover rather than obvious malware

Because the machines lived inside an interactive sandbox, researchers could snapshot every command and network connection without tipping off the operators. Their findings confirm that many engagements are not about dropping a single payload. They are about building durable, reusable control over an entire workspace and the digital identity attached to it.

The article from ANY.RUN’s team is worth reading in full, especially if you manage a security operations center or are responsible for remote hiring policies. (Source: LinkedIn)

Shell companies, fake recruiters and industrial-scale phishing

The North Korean remote IT worker scheme now includes fully registered US front companies.

A Reuters investigation this year revealed that operatives quietly set up Blocknovas LLC in New Mexico and Softglide LLC in New York, then used those firms to post lucrative-sounding crypto developer roles. Developers who engaged with these “startups” were served trojanized tools that stole private keys and credentials. The FBI later seized at least one of the domains. (Source: Reuters)

This infrastructure extends the long-running Operation DreamJob pattern documented by security vendors such as ESET and Bitdefender. That campaign uses fake recruiter profiles and fabricated job descriptions to deliver malware through LinkedIn conversations, email attachments and “test projects.” Recent write-ups show targets expanding from crypto exchanges to defense and drone manufacturers. (Source: Bitdefender)

Threat intelligence firms like Silobreaker now track a steady stream of LinkedIn impersonation incidents that share the same traits: new recruiter profiles with thin histories, roles that offer above-market salaries for relatively simple work, and a fast push toward off-platform messaging where file sharing becomes easier to weaponize. (Source: Silobreaker)

For recruiters inside genuine companies, this creates a strange inversion. Applicants must decide whether a recruiter is real, and recruiters and HR teams must now decide whether applicants are real: geographically, legally and operationally.

The global crackdown: laptop farms, guilty pleas and seized crypto

Throughout 2025, law enforcement agencies have been steadily taking the scheme apart in public.

  • The US Department of Justice announced charges and forfeiture actions tied to at least 29 laptop farms in 16 states, along with the seizure of dozens of web domains and millions of dollars in cryptocurrency that investigators say were linked to the scheme.

  • In July, Arizona resident Christina Chapman received an eight-and-a-half-year federal sentence for running one of the largest documented farms, managing around 90 employer-issued laptops for North Korean workers and helping channel more than 17 million dollars in revenue between 2020 and 2023. (Source: Politico)

  • In November, five more individuals, including three US citizens and one Ukrainian, pleaded guilty to wire fraud and identity theft charges after admitting they allowed their identities and companies to be used for remote IT work by North Koreans. Court documents say their activities helped infiltrate at least 136 companies. (Source: The Hacker News)

  • Parallel indictments in Massachusetts and Georgia accuse North Korean workers of stealing both virtual currency and sensitive corporate data, with part of the revenue tied directly to weapons programs. (Source: AP News)

These cases do not capture the entire scale of the North Korean remote IT worker scheme, but they show a maturing enforcement picture. Authorities are no longer just sanctioning faceless hacker groups. They are charging facilitators, seizing hardware and clawing back cryptocurrency in ways that expose the real-world logistics behind the keyboards.

Why this is more than “just another Lazarus campaign”

Security researchers have tracked Lazarus Group for nearly twenty years. The collective is already linked to the WannaCry ransomware outbreak, the Bangladesh Bank heist, and a series of high-value crypto exchange intrusions. (Source: Hacken)

The remote worker ecosystem adds two dangerous twists.

  1. Persistent, legitimate access instead of noisy malware.
    A hired developer with valid corporate credentials can move laterally and access tools in ways that barely register as anomalies. Their logins, VPN sessions and code pushes all look normal. Traditional endpoint detection and antivirus tools are almost irrelevant.

  2. Blended motives.
    Salary diversion alone is lucrative. Reports from the US government estimate that IT worker scams have already generated tens of millions of dollars for North Korea, alongside billions from crypto theft and ransomware.
    At the same time, access to source code, cloud dashboards and R&D documents has obvious intelligence value. In some of the companies targeted, investigators found that North Korean workers had access to defense-related technologies subject to export controls.

For companies, this means the risk is not only financial fraud. It is compliance, regulatory exposure, lost intellectual property and potentially national security impact.

Seven red flags your next hire is part of the North Korean remote IT worker scheme

If you are hiring remote engineers, security analysts or DevOps staff, you do not have to become an intelligence agency. You do, however, need a more skeptical playbook. Drawing on recent cases and security research, here are seven practical signals to watch:

  1. Unusual insistence on fully remote, hardware-shipped roles.
    Candidates who strongly push for company laptops to be shipped to a specific US address, avoid any local meetups and resist camera-on policies deserve extra scrutiny. Several laptop farm operators told investigators they were paid specifically to receive and host machines in this way.

  2. Inconsistent identity footprints.
    Cross-check LinkedIn, GitHub, Stack Overflow and public records. Do work histories, locations and education match, or do they appear stitched together? Investigators frequently find cloned or lightly modified profiles connected to real citizens whose data was stolen elsewhere.

  3. Reluctance to verify location.
    Genuine candidates may have privacy concerns, but they can usually join a quick video call from a known time zone or share basic local proof when required. North Korean workers often avoid spontaneous calls or rely heavily on pre-recorded material.

  4. Recruiters and “agencies” with almost no history.
    Before trusting an external recruiter or job agency, search their company name across news and registries. Shell firms like Blocknovas and Softglide had almost no legitimate footprint beyond a website, sparse LinkedIn presence and a registration tied to a vacant lot or accountant’s office.

  5. Over-eager willingness to accept any role within a specific company.
    Several victims describe candidates who seem less interested in salary negotiation and more focused on simply getting a contract inside a particular brand, especially in crypto, fintech or aerospace. That kind of laser focus can indicate an intelligence-driven target list rather than normal job hunting.

  6. Unusual use of automation in interviews.
    If coding test answers, chat replies and even voice responses feel heavily scripted or instantly generated, consider additional live tests or pair-programming sessions. AI-driven applicants are not suspicious by default, but in combination with other red flags they matter.

  7. Pushback on security controls.
    Be wary of contractors who resist multi-factor authentication, corporate password managers or endpoint monitoring, especially when they insist on using their own tooling for remote access.

How companies should respond

An effective response to the North Korean remote IT worker scheme combines hiring hygiene with technical controls.

  • Treat identity as a security boundary.
    Extend KYC-style checks into high-risk tech hiring, especially for fully remote roles. Require vetted identity verification services and, where legally appropriate, proof of residency.

  • Adopt a Zero Trust mindset.
    Assume any account, including employee accounts, can be compromised. Segment networks, limit lateral movement, and give each role only the minimum needed permissions. Resources from vendors like Google, Microsoft and Cloudflare provide practical Zero Trust reference architectures for mid-sized teams.

  • Instrument developer laptops properly.
    Enroll endpoints in MDM, use modern EDR, and log admin actions. If a machine suddenly changes geolocation patterns, time zones or login behavior, alert on it.

  • Harden your hiring stack.
    Train recruiters and HR on current social engineering trends. Share examples from cases like the US Justice Department’s recent indictments and investigations into laptop farms and shell firms so teams understand the bigger picture.

  • Collaborate with industry.
    Participate in information sharing groups, from ISACs to private threat intel communities. Many of the best indicators of compromise for this ecosystem are behavioral and come from shared experience rather than public blacklists.
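The “Instrument developer laptops properly” bullet above (alert when a machine changes geolocation, time zone or login behavior) and the sandbox findings earlier in the article (remote-control tooling rather than a dropped payload) both describe behavioral detections that a SOC can express directly. The following Python is an added example, not code from the article, ANY.RUN or any agency cited: it runs simple rules over a small set of constructed HR records and endpoint events, and the usernames, device names, coordinates, time zones and remote-tool process names are all placeholders chosen for illustration.

```python
"""Added example (not from the original article): behavioral checks over
endpoint/authentication events for a managed developer laptop.

Rules implemented:
  geo_mismatch        login country differs from the employee's declared country
  tz_mismatch         client clock offset disagrees with the declared offset
  impossible_travel   two logins too far apart for the time between them
  remote_control_tool an unapproved remote-access process starts on the laptop
  unknown_user        an account with no HR record
All employees, events and tool names below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Assumption: illustrative process names only. A real deployment would use its
# own inventory of approved and unapproved remote-access software.
REMOTE_CONTROL_TOOLS = {"remote_desktop_host", "browser_remote_agent"}

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed
MAX_TZ_DRIFT_HOURS = 2            # tolerance between client and declared UTC offset


@dataclass(frozen=True)
class Employee:
    user: str
    declared_country: str
    declared_utc_offset: int      # hours, e.g. -5 for US Eastern Standard Time


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    device: str
    kind: str                     # "login" or "process_start"
    country: str = ""
    lat: float = 0.0
    lon: float = 0.0
    client_utc_offset: Optional[int] = None
    process: str = ""


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def analyse(employees: List[Employee], events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (user, rule, detail) alerts in chronological order."""
    roster: Dict[str, Employee] = {e.user: e for e in employees}
    last_login: Dict[str, Event] = {}   # user -> most recent login seen
    alerts: List[Tuple[str, str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        emp = roster.get(ev.user)
        if emp is None:
            alerts.append((ev.user, "unknown_user", f"{ev.device}: no HR record for this account"))
            continue
        if ev.kind == "login":
            if ev.country != emp.declared_country:
                alerts.append((ev.user, "geo_mismatch",
                               f"login from {ev.country}, declared {emp.declared_country}"))
            if (ev.client_utc_offset is not None
                    and abs(ev.client_utc_offset - emp.declared_utc_offset) > MAX_TZ_DRIFT_HOURS):
                alerts.append((ev.user, "tz_mismatch",
                               f"client UTC{ev.client_utc_offset:+d}, declared UTC{emp.declared_utc_offset:+d}"))
            prev = last_login.get(ev.user)
            if prev is not None:
                hours = (ev.ts - prev.ts).total_seconds() / 3600
                km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                    alerts.append((ev.user, "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
            last_login[ev.user] = ev
        elif ev.kind == "process_start" and ev.process.lower() in REMOTE_CONTROL_TOOLS:
            alerts.append((ev.user, "remote_control_tool", f"{ev.process} started on {ev.device}"))
    return alerts


def at(hour: int, minute: int = 0) -> datetime:
    """Helper for the constructed timeline (all on one UTC day)."""
    return datetime(2025, 11, 3, hour, minute, tzinfo=timezone.utc)


# Constructed sample data: one ordinary employee and one account whose laptop
# is being driven from abroad.
EMPLOYEES = [Employee("asmith", "US", -8), Employee("jdoe", "US", -5)]
EVENTS = [
    Event(at(15), "asmith", "lt-0042", "login", "US", 37.77, -122.42, -8),
    Event(at(14), "jdoe", "lt-0123", "login", "US", 40.71, -74.01, -5),
    # two hours later the same laptop is used from a session that geolocates
    # to north-east Asia with a UTC+8 client clock
    Event(at(16), "jdoe", "lt-0123", "login", "CN", 41.81, 123.43, 8),
    Event(at(16, 30), "jdoe", "lt-0123", "process_start", process="browser_remote_agent"),
    Event(at(17), "ghost", "lt-0999", "login", "US", 40.71, -74.01, -5),
]


if __name__ == "__main__":
    for user, rule, detail in analyse(EMPLOYEES, EVENTS):
        print(f"{user:8s} {rule:20s} {detail}")
```

The point of the design is that none of the rules depends on malware signatures: the laptop-farm pattern shows up as a real corporate login whose geography, clock and session timing are inconsistent with the person on the HR record, and the first tooling the sandbox researchers saw installed was remote-control software, which a process-start feed from MDM or EDR can surface. Thresholds such as the 900 km/h travel limit and the two-hour time zone tolerance are constructed and should be tuned against a team's own baseline.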

The bottom line

The story of the North Korean remote IT worker scheme is not just about one APT group or a single malware family. It is about what happens when remote work, AI-assisted hiring and global sanctions collide.

For companies, this is now a mainstream risk, not a niche geopolitical footnote. The good news is that the same practices that protect you from these campaigns also raise your security baseline against insider threats and account takeovers in general.

Your hiring pipeline is now part of your attack surface. Treat it that way.
