North Korean operatives have embedded themselves inside American companies by posing as legitimate remote technology workers, using stolen identities, AI-generated credentials, and U.S.-based infrastructure to funnel hundreds of millions of dollars annually back to Pyongyang, according to U.S. officials and cybersecurity investigators.
The scheme has expanded dramatically since the rise of remote work during the COVID-19 pandemic, which removed in-person verification from most tech hiring processes and created an opening that North Korea's state-backed apparatus has exploited with increasing sophistication. U.S. officials estimate the operation now touches hundreds of companies and generates hundreds of millions of dollars each year for the regime of Kim Jong Un, money that flows directly into the country's nuclear weapons and ballistic missile programs.
On March 12, the U.S. Treasury Department's Office of Foreign Assets Control sanctioned six individuals and two companies accused of running and supporting the scheme. The targets operate across North Korea, Vietnam, Laos, and Spain, and include Amnokgang Technology Development Company, a North Korean IT firm accused of dispatching workers overseas and procuring military and commercial technology through its foreign network. Officials also sanctioned Nguyen Quang Viet, CEO of Vietnam-based Quangvietdnbg International Services Company Limited, who allegedly converted approximately $2.5 million into cryptocurrency for North Korean operatives between mid-2023 and mid-2025. Treasury estimates the broader scheme generated nearly $800 million in 2024 alone.
How the Operation Works
The basic structure of the scam begins with a fabricated identity. Operatives steal or purchase dormant LinkedIn accounts, forge identity documents, and use AI tools to generate culturally appropriate names, email addresses, and headshots for job applications. Microsoft's threat intelligence unit identified two North Korean hacking clusters — designated Jasper Sleet and Coral Sleet — that use voice-changing software during remote interviews to mask accents, and AI face-swapping applications to insert North Korean operatives' faces into stolen identity documents.
Once hired, the workers often operate from China or other third countries, while U.S.-based facilitators — sometimes paid for their cooperation — receive and manage the company-issued computers. These physical locations are referred to as "laptop farms": the company's hardware sits inside a house or apartment in the United States, and the actual North Korean worker accesses it remotely from abroad, creating the appearance of domestic employment.
Investigators at Virginia-based cybersecurity firm Nisos found that suspected North Korean IT workers apply to thousands of jobs using multiple fabricated personas, coordinating applications, interviews, and references within organized teams to maximize hiring rates. Salaries, which in some roles exceed $300,000 per year, are largely remitted back to North Korea.
The scheme has also extended into European markets. Cybersecurity firm Google Threat Intelligence Group found indications that North Korean operatives had set up laptop farms in the United Kingdom. Jamie Collier, the firm's lead adviser in Europe, noted that recruitment has not traditionally been treated as a security issue, and that operatives are specifically targeting that gap. Rafe Pilling, director of threat intelligence at Sophos' counter-threat unit, described it as "a mini army of North Koreans" systematically targeting high-salary, fully remote tech jobs. Amazon's security chief Stephen Schmidt disclosed in January that the company had blocked more than 1,800 suspected North Korean operatives from obtaining jobs since April 2024 — and said the targeting was "not Amazon specific" but happening "at scale across the industry."
A Caught Case: The Nisos Investigation
Nisos, whose CEO documented the investigation publicly, encountered a suspected North Korean operative when the individual applied for an open role at the company. The resume appeared to have been generated using AI, mirroring the posted job description with precision and claiming experience with tools that had not existed as long as the applicant claimed. During interviews, the candidate frequently looked off-screen, consistent with consulting AI coaching tools in real time.
Nisos investigators introduced a test: they asked the candidate about "Hurricane George" — a real storm from 1998 — and its present-day impact on the Florida location the candidate claimed as his home. The candidate described damage and local disruption without hesitation.
Rather than simply rejecting the candidate, Nisos extended a fraudulent offer and proceeded with a controlled onboarding, shipping a specially instrumented laptop. The device was routed to a Florida-based laptop farm. Investigators captured images of the setup, documented the operatives' patterns across multiple simultaneous jobs, and identified other U.S. companies whose systems had already been infiltrated by the same group. They notified those companies and worked with law enforcement. When the fake employment was canceled and the laptop requested back, the operative provided a return address different from the one on his original application — indicating the farm had relocated.
Parallel Cyber Threats
The same North Korean apparatus that runs the IT worker scheme also conducts traditional cyber espionage. A March 16 report from South Korean cybersecurity firm Genians Security Center documented a campaign by the Konni threat group — linked to other Pyongyang-sponsored clusters including Kimsuky and APT37 — that used spear-phishing emails disguised as appointment notices for North Korean human rights lecturers. The emails carried malicious files that, once executed, installed remote-access malware on victims' computers.
What made the campaign notable was its subsequent stage: after gaining access, the attackers took control of the victim's KakaoTalk desktop session and used the victim's own contact list to redistribute malicious files to additional targets — turning each compromised machine into a distribution node for the next stage of the attack.
An October report from an 11-country multilateral sanctions monitoring team described North Korea's cybercrime apparatus as "a full-spectrum national program operating at a sophistication approaching the cyber programs of China and Russia," with virtually all of its malicious cyber activity carried out under the supervision of entities already sanctioned by the United Nations for their role in North Korea's weapons programs. The U.S. Treasury Department said in November that North Korea had stolen more than $3 billion over the preceding three years through attacks on financial systems and cryptocurrency platforms.
What Companies Are Being Told to Do
U.S. officials and cybersecurity firms have urged companies to treat hiring as a security function rather than solely an HR function. Microsoft recommends conducting job interviews on live video or in person for all remote technical roles, and has published guidance on detecting deepfakes during video calls — including pixellation at the edges of faces, inconsistencies in how light interacts with AI-generated images, and irregularities around eyes, ears, and glasses.
Internal red flags include resumes that mirror job postings with unusual precision, claimed experience with a tool that runs longer than the tool has existed, candidates who look off-screen or pause unusually during technical questions, inconsistent addresses across the application and onboarding process, and resistance to demonstrating prior work live on screen.
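Three of these red flags can be checked automatically during applicant screening. The sketch below is an added example, not tooling from Nisos, Microsoft or any firm named in this article; the function names, the 0.6 threshold, the release-year table and the sample applicant are all assumptions constructed for illustration.

```python
import re

# Constructed sample table of first public release years; keep your own vetted list.
TOOL_FIRST_RELEASE = {"docker": 2013, "kubernetes": 2014, "terraform": 2014}

def _words(text):
    return re.findall(r"[a-z0-9+#]+", text.lower())

def _shingles(text, n=3):
    w = _words(text)
    return {tuple(w[i:i + n]) for i in range(len(w) - n + 1)}

def mirror_ratio(resume, posting, n=3):
    """Fraction of the posting's word n-grams reproduced verbatim in the resume."""
    post = _shingles(posting, n)
    return len(post & _shingles(resume, n)) / len(post) if post else 0.0

def impossible_experience(claims, as_of_year):
    """Tools for which the claimed years exceed the tool's age."""
    return sorted(t for t, years in claims.items()
                  if t.lower() in TOOL_FIRST_RELEASE
                  and years > as_of_year - TOOL_FIRST_RELEASE[t.lower()])

def address_mismatch(addresses):
    """True when addresses from different hiring stages differ after normalization."""
    norm = {" ".join(_words(a)) for a in addresses.values() if a}
    return len(norm) > 1

def screen(candidate, posting, as_of_year, mirror_threshold=0.6):
    flags = []
    ratio = mirror_ratio(candidate["resume"], posting)
    if ratio >= mirror_threshold:  # threshold is an assumption; tune on real data
        flags.append(f"resume mirrors posting ({ratio:.0%} of 3-grams)")
    for tool in impossible_experience(candidate["claims"], as_of_year):
        flags.append(f"claimed experience predates {tool}")
    if address_mismatch(candidate["addresses"]):
        flags.append("address differs between application stages")
    return flags

# Constructed sample data (not taken from the investigation described above)
POSTING = "Build and operate Kubernetes clusters and write Terraform modules for cloud infrastructure"
CANDIDATE = {
    "resume": "I build and operate Kubernetes clusters and write Terraform modules for cloud infrastructure daily",
    "claims": {"Kubernetes": 15, "Terraform": 6},
    "addresses": {"application": "12 Palm Ave, Tampa FL", "laptop_return": "98 Gulf Rd, Miami FL"},
}

for flag in screen(CANDIDATE, POSTING, as_of_year=2025):
    print("FLAG:", flag)
```

A flag from a screen like this is a reason to schedule a live, on-camera verification step, not proof of fraud on its own.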
The Treasury Department's sanctions explicitly warn that financial institutions risk penalties for processing payments to sanctioned entities. U.S. persons and companies are broadly prohibited from conducting any transactions with the designated individuals and organizations. The sanctions designations freeze any U.S.-controlled assets belonging to the targets and are meant to cut off the financial infrastructure that allows wages to be converted and remitted back to Pyongyang.