
North Korean spies posing as remote workers have infiltrated hundreds of companies, says CrowdStrike

by Amanda Lee


Researchers at security giant CrowdStrike say they have seen hundreds of cases where North Koreans posing as remote IT workers have infiltrated companies to generate money for the regime, marking a sharp increase over previous years.

Per CrowdStrike’s latest threat hunting report, the company has identified over 320 incidents over the past 12 months, up by 220% from the year earlier, in which North Koreans gained fraudulent employment at Western companies working remotely as developers.

The scheme relies on North Koreans using false identities, resumes, and work histories to gain employment and earn money for the regime, while also giving the workers access to steal data from the companies they work for and later extort them. The aim is to generate funds for North Korea’s sanctioned nuclear weapons program; the scheme has so far made billions of dollars for the regime.

It’s not known exactly how many North Korean IT workers are currently working for unknowing U.S. companies, but some have estimated the number to be in the thousands.

According to CrowdStrike, the North Korean IT workers, whom the company calls “Famous Chollima” under its naming scheme for hacking groups, rely on generative AI and other AI-powered tools to draft resumes and modify or “deepfake” their appearance during remote interviews.

While the scheme is not new, North Koreans are increasingly succeeding at getting jobs, despite sanctions laws preventing U.S. companies from hiring North Korean workers.

CrowdStrike said in its report that one of the ways to prevent hiring sanctioned workers is by implementing better identity verification processes during the hiring phase. TechCrunch has anecdotally heard of some crypto-focused companies asking prospective employees to say critical things about North Korea’s leader, Kim Jong Un, in an effort to weed out potential spies. The would-be North Korean employees are often highly monitored and surveilled, making any such request impossible and likely outing the fraudulent worker.

Over the past year, the U.S. Department of Justice has sought to disrupt these operations by going after the U.S.-based facilitators who help run the scheme for their North Korean bosses. These efforts have included targeting the individuals who run “laptop farm” operations, which include racks of open laptops used by the North Koreans to remotely do their work as if they were physically located in the United States.

Prosecutors said in a June indictment that one North Korean operation stole the identities of 80 individuals in the U.S. between 2021 and 2024 to get remote work at more than 100 U.S. companies.




© 2025 decentralnewshub.xyz. All rights reserved.
