North Korean remote worker infiltration scheme

North Korean operatives have posed as remote workers in Western companies under stolen or fabricated identities, primarily targeting information technology and technical roles. They generate revenue for the North Korean government, particularly to fund its weapons programs.

North Korean remote worker infiltration scheme

Founded	c. 2014
Founding location	North Korea
Years active	2014–present
Territory	Global (primarily targeting US and European companies)
Ethnicity	Primarily North Korean
Membership	Estimated 8,400 cyber operatives (2024)
Criminal activities	Identity theft, Wire fraud, Money laundering, Cyber espionage

Operations

The operation emerged as part of North Korea's broader cybercrime strategy under Kim Jong Un, who made information technology a national priority after assuming power in 2011.^[1] The COVID-19 pandemic significantly expanded remote work opportunities, which North Korean intelligence services exploited to scale up their operations.

According to South Korea's National Intelligence Service, the number of people working in North Korea's cyber divisions grew from 6,800 in 2022 to 8,400 in 2024, including IT worker infiltrators, cryptocurrency thieves, and military hackers.^[1]

The operations are run out of North Korea's Department 53. It is behind front companies including Korea Osong Shipping Co. and Chonsurim Trading Corporation, that sent IT workers to Laos.^[2]

Recruitment and training

North Korean intelligence services, including the Reconnaissance General Bureau, recruit top graduates from prestigious institutions such as Kim Chaek University of Technology and the University of Sciences in Pyongsong.^[1] These operatives are trained in hacking techniques, foreign languages, and are promised higher wages and internet access as incentives.

Methodology

The scheme typically follows a standardized process:

1. Identity Theft: Operatives create fake profiles using stolen personal information, including Social Security numbers, addresses, and other credentials from real Americans.^[3]
2. Job Applications: Using platforms like LinkedIn and freelance sites like Upwork, operatives apply for high-paying, fully remote positions, with a focus on IT roles such as software engineering, web design, and full-stack development, though the scheme has expanded to other technical and some non-technical roles.^[3][4]
3. AI-Enhanced Interviews: Operatives use artificial intelligence tools, including deepfake technology, to pass video interviews and coding assessments while impersonating their stolen identities.^[3]
4. Laptop Farms: After being hired, operatives request that company laptops be sent to addresses controlled by US-based facilitators, who maintain "laptop farms" containing dozens of devices that can be controlled remotely.^[1]

Income

According to US government estimates, a typical team of North Korean IT workers can earn up to $3 million annually.^[1] Individual workers can earn an average of $300,000 per year, with the funds being funneled directly to North Korea's government and weapons programs.^[3] Some operatives work multiple jobs simultaneously to maximize earnings.

Notable cases

Christina Chapman case

In 2025, Christina Chapman, a 44-year-old American citizen from Arizona, pleaded guilty to charges related to operating a laptop farm that facilitated North Korean operatives for three years. Chapman's operation involved over 300 American companies and generated more than $17 million for the North Korean government.^[1]

KnowBe4 incident

In July 2024, KnowBe4, a Florida-based cybersecurity training company, discovered that a new hire identified as "Kyle" was actually a North Korean operative who had passed background checks and ID verification.^[1][5]

Impact

According to Mandiant (now part of Google Cloud), nearly every Fortune 500 company chief information security officer interviewed about the issue has admitted to hiring at least one North Korean IT worker.^[3] SentinelOne, a cybersecurity firm, reported receiving approximately 1,000 job applications linked to North Korean operatives.^[3]

North Korean operatives generally target software engineer, front-end developer and full-stack developer jobs, though the scheme extends to roles beyond traditional IT.^[4]

Beyond salary payments, impact includes:

• Data Theft: Operatives often steal sensitive company data and intellectual property
• Malware Installation: Some plant malicious software for future access or ransomware attacks
• Compliance Violations: Unknowingly employing North Korean operatives violates international sanctions^[3]

While initially focused on US companies, the scheme has expanded globally. CrowdStrike reports tracking similar operations in the United Kingdom, Poland, Romania, and other European nations, as well as organizations in South Asian countries.^[3]

Government response

The FBI, State Department, and Treasury Department have issued joint advisories warning companies about the threat, ^[3] and initiated multiple prosecutions.

In December 2024, the Justice Department indicted 14 North Koreans for generating at least $88 million over six years.^[6]

The Department of Justice announced indictments in January 2025 against two Americans for operating a six-year scheme that placed North Korean operatives in over 60 US companies, generating more than $800,000 in revenue.^[7]

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions in January 2025 against two individuals and four entities involved in North Korea's illicit remote IT worker schemes that generate revenue for the country's weapons programs. The sanctioned entities include two front companies (Korea Osong Shipping Co. and Chonsurim Trading Corporation) that sent IT workers to Laos, Chinese company Liaoning China Trade Industry Co. for supplying technological equipment, and individuals Jong In Chol and Son Kyong Sik who ran the front operations.^[2]

See also

• North Korea portal

• Lazarus Group
• Remote work
• Identity theft
• Sanctions against North Korea