The Evolution of North Korea – And What To Expect In 2026
North Korean fake IT worker schemes are growing and evolving. Here’s what to expect in 2026.
North Korea has always been a formidable adversary, targeting economic gains through cryptocurrency heists. But 2025 saw the evolution of North Korean IT worker schemes, with a growing number of firms potentially affected by the tactic.
Perhaps the most famous example is cybersecurity firm KnowBe4, which was targeted by a fake worker in 2024. The company discovered the employee, thought to be part of a North Korean scheme, after its security team detected suspicious activity coming from a workstation. The fake employee was using a Raspberry Pi to download malware, manipulate session history files and execute unauthorized software.
KnowBe4 detected and stopped the fake IT worker before any access was granted or data compromised, the firm says. “Our detection systems worked exactly as designed,” says Brian Jack, CISO at KnowBe4.
But others have not been so lucky. Research shows fake worker schemes are impacting firms more broadly. Earlier this year, Google researchers found North Korean schemes were increasingly targeting Europe and beyond, with many companies unaware they are being infiltrated.
This is “not just a security problem”, says Jack. “It is a business risk that touches recruiting, HR, IT, legal and finance. The threat actors behind these schemes are sophisticated, well-resourced and evolve their tactics. They are counting on organisations to stay silent and handle incidents quietly.”
North Korean Activity
North Korea’s cyber activity is driven by a combination of financial necessity, intelligence collection, and long-term strategic access, says Santiago Pontiroli, Acronis TRU lead security researcher. “Over the past decade, cyber operations have become one of the regime’s most reliable tools for generating revenue in the face of international sanctions.”
North Korea has always been financially motivated, through the theft of intellectual property and cryptocurrency, says Blackwired CEO, Jeremy Samide. “DPRK are one of the only state sponsored adversaries considered financially motivated. They have created an enterprise for illicit activity through the development and financing of its infrastructure planted around the world.”
What has changed most notably through 2024 and 2025 is the shift away from “purely external intrusion” towards “abuse of legitimate access,” says Pontiroli. “Rather than breaking in, North Korean operators increasingly aim to be hired as remote IT workers inside real companies, gaining steady income, trusted network access, and the option to pivot into espionage, data theft, or follow-on attacks.”
IT Worker Schemes
The remote IT worker scheme has already proven successful for North Korean adversaries.
“DPRK uses stolen identities to gain employment in US and Western companies in order to steal data and intellectual property,” says Samide. “They target remote jobs and opportunities with positions of system access.”
The workers claim to be US based with IT experience, “but in reality, they are North Korean or proxied by North Korean networks,” he explains.
Over time, the threat actors have developed deep expertise in software engineering, mobile applications, blockchain infrastructure, and cryptocurrency ecosystems, says Tom Hegel, distinguished threat researcher, SentinelLABS.
SentinelLABS research has identified “multiple front companies,” often with apparent footprints in China. “We reviewed thousands of job applications from fabricated, DPRK-linked personas attempting to infiltrate our organisation, even though we are a major cybersecurity firm. If they are targeting us this aggressively, every remote-friendly business should assume they are a potential target,” says Hegel.
In addition to individual cases, security researchers and law enforcement have attributed much of North Korea’s activity to sustained campaigns, most notably the long-running Chollima operation, says Pontiroli. “Under Chollima, facilitators often receive corporate-issued laptops at domestic addresses and then provide remote access to operators overseas, effectively concealing their true location. Salaries are routed through layered financial infrastructure, including US bank accounts, cryptocurrency and intermediaries, with proceeds ultimately benefiting the regime.”
Contagious Interview
In parallel, cybersecurity researchers have observed related campaigns with distinct names and tradecraft. A malicious campaign dubbed Contagious Interview involves threat actors masquerading as recruiters or employers to lure job seekers, particularly in tech and cryptocurrency sectors, into fake interviews that deliver malware such as BeaverTail, InvisibleFerret, and variants such as OtterCookie, says Pontiroli.
“In Contagious Interview, prospective applicants are invited to supposed job assessments where malicious packages are delivered under the guise of coding exercises or interview materials, ultimately compromising devices and enabling credential theft or deeper access on victim networks.”
It is highly likely that the North Korean remote worker scheme has existed for more than a decade, says Ian Thornton-Trump, CISO at Inversion6.
Over recent years, North Korea’s cyber operations were “relatively unsophisticated, noisy and focused on Bitcoin wallets and exchanges,” he points out. “Perhaps those noisy attacks were a distraction from the long running campaign of North Korean remote worker placement into organisations.”
As remote working became prominent during the pandemic, North Korea may have managed to turn the global crisis into “a national golden opportunity,” says Thornton-Trump.
Prominent North Korean Threat Groups
When looking into some of the most prominent DPRK groups, Lazarus Group (APT38) appears to stand out based on the frequency of reporting, says Yashraj Solanki, cyber threat intelligence analyst at Bridewell.
Operating under the Reconnaissance General Bureau (RGB), Lazarus Group's primary focus has been financial theft and sabotage, he says.
Also assessed to be operating under the same directive is Kimsuky (APT43) whose primary goal is espionage, says Solanki.
Another North Korean threat group worth mentioning is Andariel, which also operates under RGB. “They have a historic record of targeting South Korean government agencies, military organisations and other local entities, in addition to targeting financial entities such as ATMs, banks and cryptocurrency exchanges,” says Solanki.
Meanwhile, Famous Chollima has scaled its income-generation operations by securing remote IT roles under false identities, posing as legitimate employees to evade sanctions, says Zeki Turedi, field CTO Europe at CrowdStrike.
Because North Korea is largely cut off from global trade, these fake-worker schemes have become a “critical financial lifeline,” with salaries from these jobs directly funding the regime’s weapons programmes, he says.
He describes how CrowdStrike continues to observe DPRK operators using forged identities, remote “laptop farms,” and disciplined workflows enhanced by generative AI resumes, deep fake interviews, and AI tools that let them “manage multiple illicit jobs at once.”
In 2026, this is set to evolve further. DPRK has invested heavily in both audio and video deep fake technologies, AI and a paid surrogate infrastructure to help carry out malicious activities. This will be a growing problem for the U.S. and western organisations, says Samide.
North Korea's IT worker scheme is also poised to become a playbook for other states. Governments facing sanctions or seeking deniable capabilities will be tempted to deploy cyber operators as remote freelancers and contractors, blending into the global talent market to gather intelligence and generate revenue. “As variants of the fake IT worker model appear in other countries, a new class of insider risk will emerge,” says Hegel.
Countering The Threat
Today, fake worker schemes remain an “active and growing threat,” says Jack. KnowBe4 offers training to customers to combat this and strengthen their security culture, he says.
Security leaders must assume that the hiring pipeline itself is part of the attack surface, says Hegel. “This is not a problem security teams can solve in isolation. Talent acquisition, HR, procurement, and business leaders need to work in lockstep with security to understand how North Korean operators behave, how their personas are constructed, and where their tactics show up in the recruitment process.”
Harden the hiring process, agrees Solanki. “Video-based interviews should be made mandatory. Actively look for inconsistencies that might indicate deep fakes. Ask candidates to perform head gestures that will disrupt the use of deepfakes. Consider using biometrics when verifying individual identities, as they are harder to spoof. Asking interview questions that are unscripted, such as checking their knowledge across local spots, can expose them.”