Terrifying new fronts have emerged in a highly successful employment- fraud scheme in which trained North Korean operatives get jobs at companies around the globe under fake or stolen identities.
The number of companies that hired North Korean software developers grew a staggering 220% during the past 12 months—and most of their success is due to automating and optimizing the workflow involved in fraudulently obtaining and holding tech jobs, Crowdstrike’s 2025 Threat Hunting report released on Monday revealed. The IT workers infiltrated more than 320 companies in the past 12 months.
To level set: The North Korean IT worker scheme is a vast conspiracy to evade punishing financial sanctions on the Democratic People’s Republic of Korea due to authoritarian ruler Kim Jong Un’s human-rights abuses and relentless quest to develop weapons of mass destruction. To dodge the sanctions and make money to keep funding its nuclear program, North Korea now trains young men and boys in tech, sends them to elite schools in and around Pyongyang, and then deploys them in teams of four or five to locations around the world including China, Russia, Nigeria, Cambodia, and the United Arab Emirates.
The workers are each required to earn $10,000 a month, according to a defector, and have managed to do so by getting remote jobs doing IT work at U.S. and European companies while earning good salaries, court records show. Since 2018, the UN estimates, the scheme has generated between $250 million to $600 million per year on the backs of thousands of North Korean men.
For the Fortune 500, the IT worker scheme has been a flashing red alert about the evolution of employment-fraud schemes. Court records show hundreds of Fortune 500 companies have unknowingly hired thousands of North Korean IT workers, in violation of sanctions, in recent years. In some cases, the IT worker scheme is purely about generating stable revenues for the regime. In others, FBI investigators have found evidence IT workers share information with more malicious hackers that have stolen nearly $3 billion in crypto, according to the UN.
Under siege
Crowdstrike’s investigations revealed North Korea’s tech workers, an adversary Crowdstrike dubs “Famous Chollima,” used AI to scale every aspect of the operation. The North Koreans have used generative AI to help them forge thousands of synthetic identities, alter photos, and build tech tools to research jobs and track and manage their applications. In interviews, North Koreans used AI to mask their appearance in video calls, guide them in answering questions, and pass technical coding challenges associated with getting software jobs.
Critically, they now rely on AI to help them appear more fluent in English and well-versed in the companies where they’re interviewing. Once they get hired, the IT workers use AI chatbots to help with their daily work—responding in Slack, drafting emails—to make sure their written offerings appear technically and grammatically sound and to help them hold down multiple jobs simultaneously, CrowdStrike found.
“Famous Chollima operatives very likely use real-time deepfake technology to mask their true identities in video interviews,” the report states. “Using a real-time deepfake plausibly allows a single operator to interview for the same position multiple times using different synthetic personas, enhancing the odds that the operator will get hired.”
Crowdstrike investigators have observed North Korean IT workers searching for AI face-swapping applications and paying premium prices for subscriptions to deepfake services during active operations.
“Laptop farms” move beyond U.S. borders
Adam Meyers, senior vice president of CrowdStrike’s counter adversary operations, told Fortune his team generally investigates one incident a day related to the North Korean IT worker scheme. The program has broadened beyond U.S. borders as U.S. law enforcement has cracked down on domestic operations with indictments and advisories, and as more U.S. companies have tightened their security practices and girded their defenses.
Last month, a 50-year-old Arizona woman, Christina Chapman, was sentenced to 8.5 years in prison in July after pleading guilty for her role in operating a “laptop farm” from her home. Prosecutors said she accepted and maintained 90 laptops and installed remote-access software so North Koreans could work for U.S. companies, prosecutors said. Authorities revealed Chapman’s operation alone helped the workers get 309 jobs that generated $17.1 million in revenue through their salaries. Nearly 70 Americans had their identities stolen in the operation, authorities said. These weren’t just attacking smaller companies with looser hiring infrastructure; Nike was one of the companies impacted, according to its victim impact statement in Chapman’s case. The sneaker and activewear giant unwittingly hired a North Korean operative affiliated with Chapman. Nike did not respond to Fortune’s requests for comment.
“U.S. law enforcement has put a big dent in their ability to operate the laptop farms, so as it gets increasingly expensive or difficult to get remote jobs here in the U.S., they’re pivoting to other locations,” said Meyers. “They’re getting more traction in Europe.”
Meyers said Crowdstrike has seen new laptop farms established in Western Europe across to Romania and Poland, which means the North Korean workers are getting jobs—typically as fullstack developers—in those countries and then having laptops shipped to farms there. The scheme is the same as it works in the U.S.: A supposedly Romanian or Polish developer will interview with a company, get hired, and a laptop will get shipped to a known laptop-farm destination in those countries, he said. In other words, instead of shipping devices and onboarding materials to an actual resident where the supposed developer works, the laptop gets shipped to a known farm address based in Poland or Romania. Typically, the excuse is the same type that has proven effective at U.S. companies, said Meyers. The developer will claim to be having a medical or family emergency necessitating a change in the shipping address.
“Companies need to stay vigilant if they’re hiring overseas,” said Meyers. “They need to understand these risks exist not just domestically, but overseas as well.”
AI advancements will neutralize defenses
Amir Landau, malware research team leader at defense firm CyberArk, told Fortune traditional cyber defenses are likely to eventually become insufficient against the threat as genAI used by the North Koreans becomes advanced enough to break through companies’ defense wards. Therefore, what companies need to do to defend themselves requires a fundamental shift in thinking in terms of how much trust and access companies grant their own employees.
The military and intelligence principle of a “need-to-know basis,” which originated during World War II, will become more important, said Landau. Not every developer needs to know or have access to certain assets or documents, even after they’ve been with a company for a certain amount of time, he explained.
Landau also advocates for minimum and limited-time privileges for developers, giving them a short window of time for work, rather than unlimited access that could eventually make a company vulnerable.
Landau also said companies should take some additional common-sense measures in the hiring process. If a job applicant gives a reference, don’t call the phone number or message the email address you’ve been given. Look them up and get in touch with what you see from public databases, he advised. If someone’s personal information sounds bizarre or inconsistent, pay attention. Use the internet to double check what you can find against what you’ve been told.
“There are a lot of small things you can do to defend against these threats,” he said.
And ultimately, while small companies are typically more vulnerable, that doesn’t mean larger companies aren’t also susceptible to fraud schemes, Landau said. Meyers said as long as the IT workers can find work, they’ll keep evolving their tactics through the use of genAI.
“These are basically exploited people from North Korea making money for the regime,” said Meyers. “As long as they can continue to generate revenue, they’re going to keep doing this.”
Politics8 years ago