American firms are unwittingly hiring IT workers with a second job—as North Korean operatives.
What is North Korea doing?
It has dispatched thousands of homegrown IT specialists to pose online as U.S.-based remote workers and get tech jobs at American companies. Often working from China or Russia, where the internet is more reliable than in North Korea, the impostors apply for gigs as app developers, software engineers, and tech consultants. Individual operatives often work multiple jobs and earn up to $300,000 a year, 90% to 95% of which is sent back to the regime of North Korean dictator Kim Jong Un, according to the U.S. government. The computer activity of these workers is under constant digital surveillance by Pyongyang: If they search for sexually explicit material, or for news reports on Kim, their activity is flagged to the regime. Experts believe that thousands of U.S. firms have unwittingly hired North Koreans, ranging from mom-and-pop firms to blue-chip juggernauts. Charles Carmakal, chief technology officer at the Google-owned cybersecurity provider Mandiant, said earlier this year that “nearly every” Fortune 500 information security chief he’s talked to “has admitted they’ve hired at least one North Korean IT worker”—and sometimes dozens of them. “If you’re an American company that’s hired contract IT workers over the past few years,” said Michael Barnhart, an investigator at cybersecurity company DTEX, “you’ve probably hired a North Korean.”
How do the workers get hired?
It starts on job networking sites like LinkedIn, where the operatives create fake profiles for American job seekers, often using stolen identities. At the interview stage, the North Koreans use AI tools to help them answer questions in English in real time, mimic an American accent, or alter their face on screen; those tools later help the workers with office small talk, suggesting Thanksgiving greetings or explaining American football rules. Once hired, the operative will ask for their work laptop to be sent to the address of a U.S.-based middleman, who installs remote access tools so the North Koreans can access the company’s network from outside the country. These U.S.-based “laptop farms” often host dozens of devices used by numerous operatives.
Who runs the farms?
Typically, Americans in need of extra income. The FBI found 90 laptops when it raided Christina Chapman’s home outside Phoenix in October 2023. Over three years, the former waitress had helped North Koreans illegally collect $17.1 million from more than 300 companies, including Nike, “a premier Silicon Valley” tech firm, and one of the “most recognizable media and entertainment companies in the world,” said prosecutors. Chapman earned $177,000 for the service and was sentenced last month to eight years in prison; she said she was recruited on LinkedIn by a China-based firm and didn’t know she was aiding North Korea.
Why does the regime need this cash?
Because it’s been shut off from much of the global economy since 2006, when the country conducted its first nuclear test. Hit with crippling international sanctions, Pyongyang looked for new ways to fund the ruling Kim family regime and its nuclear weapons program. Under Kim Jong Il, the totalitarian government expanded its drug trafficking operations, setting up industrial-size meth labs inside North Korea and shipping the product overseas. But when he died in 2011 and was succeeded by his son, Kim Jong Un, the dictatorship diversified into cybercrime, using hacker soldiers recruited from the country’s IT-focused universities to steal cash and valuable data from major banks, businesses, cryptocurrency exchanges, and government databases. And the boom in remote work during the pandemic gave North Korea another valuable revenue stream to tap.
Has the remote-worker scheme been successful?
Very. It generates somewhere between $250 million and $600 million a year for North Korea, according to U.N. estimates. That’s a major chunk of revenue for one of the world’s poorest and most economically isolated countries. And the money often keeps rolling in even after operatives are discovered and dismissed by their U.S. employers. The North Korean workers routinely install malicious software inside company networks, allowing them to hold sensitive data and intelligence hostage, or lock down a business’s computer systems entirely, until a ransom is paid. “This is very adaptive,” said FBI agent Elizabeth Pelker. “Even if [the hacker] knows they’re going to get fired at some point, they have an exit strategy.”
Is the U.S. trying to counter the North Korean threat?
Over the past year, the FBI has arrested multiple American citizens accused of running laptop farms and charged numerous North Korean operatives based overseas. The U.S. last month placed sanctions on Song Kum Hyok, a member of Kim’s military intelligence agency, who in 2022 began choreographing the mass theft of names, Social Security numbers, and other personal information from Americans to create aliases for the remote workers. The Treasury Department also sanctioned Gayk Asatryan, a Russian businessman accused of signing a 10-year contract with Pyongyang in 2024 to host up to 80 North Korean IT workers in Russia. Adam Meyers, a counter-adversary expert at cybersecurity firm CrowdStrike, said the crackdown by law enforcement has “put a big dent” in North Korea’s “ability to operate laptop farms” in the U.S. But that doesn’t mean the threat will disappear—only move. “As it gets increasingly expensive or difficult to get remote jobs here in the U.S., they’re pivoting to other locations,” said Meyers. “They’re getting more traction in Europe.”
The great crypto heist
The IT worker scheme is just one way that North Korea lines its pockets. The regime also has a highly skilled army of digital thieves who target cryptocurrency firms, many of which operate with limited regulatory oversight and have weak security systems. North Korean hackers pilfered a total of $661 million from the crypto industry in 2023, according to Chainalysis, a crypto-investigations firm. They doubled that to $1.3 billion last year with 47 separate heists, making the Hermit Kingdom responsible for more than 60% of the crypto stolen worldwide. Earlier this year, a suspected North Korean–run hacking collective known as the Lazarus Group made off with a record $1.5 billion after breaching the Dubai-based crypto exchange Bybit. The country’s hackers have also shown a talent for cleaning the stolen funds, which are transferred between multiple cryptocurrencies to make tracing difficult. As a result, an unusually high 80% to 90% of the loot ends up in Pyongyang’s coffers. “They’re the most sophisticated crypto launderers we’ve ever come across,” said Tom Robinson, founder of blockchain-analytics firm Elliptic.