| Founded | c. 2014 |
|---|---|
| Founding location | North Korea |
| Years active | 2014–present |
| Territory | Global (primarily targeting US and European companies) |
| Ethnicity | Primarily North Korean |
| Membership | Estimated 8,400 cyber operatives (2024) |
| Criminal activities | Identity theft, Wire fraud, Money laundering, Cyber espionage |

North Korean operatives have posed as remote workers in Western companies under stolen or fabricated identities, primarily targeting information technology and technical roles. They generate revenue for the North Korean government, particularly to fund its weapons programs.
The operation emerged as part of North Korea's broader cybercrime strategy under Kim Jong Un, who made information technology a national priority after assuming power in 2011. [1] The COVID-19 pandemic significantly expanded remote work opportunities, which North Korean intelligence services exploited to scale up their operations.
According to South Korea's National Intelligence Service, the number of people working in North Korea's cyber divisions grew from 6,800 in 2022 to 8,400 in 2024, including IT worker infiltrators, cryptocurrency thieves, and military hackers. [1]
The operations are run by North Korea's Department 53. It is behind front companies, including Korea Osong Shipping Co. and Chonsurim Trading Corporation, that sent IT workers to Laos. [2]
North Korean intelligence services, including the Reconnaissance General Bureau, recruit top graduates from prestigious institutions such as Kim Chaek University of Technology and the University of Sciences in Pyongsong. [1] These operatives are trained in hacking techniques and foreign languages, and are promised higher wages and internet access as incentives.
The scheme typically follows a standardized process:
According to US government estimates, a typical team of North Korean IT workers can earn up to $3 million annually. [1] Individual workers can earn an average of $300,000 per year, with the funds being funneled directly to North Korea's government and weapons programs. [3] Some operatives work multiple jobs simultaneously to maximize earnings.
In 2025, Christina Marie Chapman, a 44-year-old American citizen from Arizona, pleaded guilty to federal charges related to operating a laptop farm that facilitated North Korean operatives for three years. Chapman's operation involved over 300 American companies and generated more than $17 million for the North Korean government. She was sentenced to 8 years in federal prison. [1] [5]
In July 2024, KnowBe4, a US cybersecurity training company, discovered that a new employee identified as "Kyle" was actually a North Korean operative who had passed background checks and ID verification. [1] [6]
According to Mandiant (now part of Google Cloud), nearly every Fortune 500 company chief information security officer interviewed about the issue has admitted to hiring at least one North Korean IT worker. [3] SentinelOne, a cybersecurity firm, reported receiving approximately 1,000 job applications linked to North Korean operatives. [3]
North Korean operatives generally target software engineer, front-end developer and full-stack developer jobs, though the scheme extends to roles beyond traditional IT. [4]
Impact includes:
While initially focused on US companies, the scheme has expanded globally. CrowdStrike reports tracking similar operations in the United Kingdom, Poland, Romania and other European countries, as well as organizations in South Asian countries. [3]
The FBI, State Department, and Treasury Department have issued joint advisories warning companies about the threat, and initiated multiple prosecutions. [3]
In December 2024, the Justice Department indicted 14 North Koreans for generating at least $88 million over six years. [7]
The Department of Justice announced indictments in January 2025 against two Americans for operating a six-year scheme that placed North Korean operatives in over 60 US companies, generating more than $800,000 in revenue. [8]
The U.S. Treasury's Office of Foreign Assets Control (OFAC) announced sanctions in January 2025 against two individuals and four entities involved in North Korea's illicit remote IT worker schemes that generate revenue for the country's weapons programs. The sanctioned entities include two front companies (Korea Osong Shipping Co. and Chonsurim Trading Corporation) that sent IT workers to Laos, the Chinese company Liaoning China Trade Industry Co. for supplying technological equipment, and individuals Jong In Chol and Son Kyong Sik, who ran the front operations. [2]