Background: How DPRK Uses Remote IT Workers as a Revenue Stream
In recent years, the United States and its allies have documented a state‑sponsored program in which North Korea sends information‑technology workers (ITWs) overseas to earn hard currency and obtain access to intellectual property. The program is intended to circumvent sanctions and finance the regime’s weapons programs[1]. Through front companies and a global network of facilitators, North Korean nationals pose as U.S. or other foreign citizens to secure remote jobs. A June 2025 press release from the U.S. Department of Justice described how federal agents searched 29 “laptop farms” across 16 states and seized 29 financial accounts, 21 fraudulent websites, and roughly 200 computers[2]. The schemes involve North Korean individuals fraudulently obtaining employment with more than 100 U.S. companies by using stolen or fake identities. Facilitators in the United States, China, the UAE, and Taiwan created shell companies and hosted laptop farms to help the workers appear to be based in the U.S.[3]. Once hired, these ITWs stole sensitive information such as export‑controlled military data and virtual currency[4].
Size and Scope of the DPRK ITW Program
| Metric | Evidence | Source |
| --- | --- | --- |
| Number of identities linked to the program | Researchers tracked over 130 fake personas, many with stolen or fabricated IDs[5]. | Okta threat intelligence via DigitrendZ |
| Job interviews attempted | ITWs pursued 6,500+ interviews across more than 5,000 companies from 2021 to mid‑2025[6]; similar numbers are cited by other analyses[7]. | Okta & third‑party research |
| Industries targeted | Initially focused on tech and cryptocurrency, ITWs now target finance, healthcare, public administration, engineering, payment processing, AI, government and professional services[8][9]. | Okta analysis & Realist Juggernaut |
| Annual income | Individual ITWs can earn around $300k per year, and coordinated teams may generate over $3 million annually[10]. | 38 North |
Okta and other security firms note that approximately 50% of targeted organizations operate outside the technology sector, and roughly 27% are located outside the United States[11]. ITWs no longer limit themselves to software‑development roles; they increasingly apply for finance, payroll, customer service, and engineering support positions, which provide access to payment systems and sensitive data[12]. Analysis by The Realist Juggernaut observed attempts to penetrate government agencies in the U.S., the Middle East, and Australia, including AI‑focused firms and healthcare providers[13]. The research emphasizes that this is now a global, industrialized workforce supporting a state‑sponsored economic cyberoperation[14][15].
Tradecraft and Tactics
North Korean ITWs employ sophisticated tactics to evade vetting:
- Identity fraud and document forgery: They use stolen U.S. identities, forged documents, and morphed photographs to bypass routine vetting. Some operatives purchase pre‑verified freelancer accounts or hire facilitators who supply stolen identities and company‑issued laptops[16]. The ease of buying forged IDs (often under $100) and the ability to switch aliases when compromised create a persistent threat[17].
- Remote access infrastructure: Facilitators run “laptop farms” in the U.S.; KVM switches allow overseas workers to access employer‑provided laptops remotely[18]. Front companies and websites mimic legitimate businesses to lend credibility[19].
- Generative AI in hiring: Research suggests ITWs use generative AI (e.g., ChatGPT) to prepare interview responses and generate code samples[20]. Generative AI also helps create digital footprints that look authentic, such as GitHub contributions or social‑media activity[21].
Once embedded, ITWs can exfiltrate sensitive data, deploy ransomware, commit fraud, or move laterally within networks. The U.S. indictment of facilitator Zhenxing Wang and accomplices alleges that the compromised identities of over 80 U.S. citizens were used to obtain remote jobs at more than 100 U.S. companies, causing at least $3 million in losses[22]. One incident involved the theft of export‑controlled data from a California defense contractor[23].
Financial Impact: Crypto Theft and Revenue Generation
North Korean cyber units also engage in direct theft. According to blockchain analysis firm Elliptic, North Korea‑linked hackers stole over $2 billion in cryptoassets during 2025, the largest annual total on record[24]. This brings the known cumulative value of crypto stolen by the regime to more than $6 billion[25]. Much of the revenue finances Pyongyang’s nuclear and missile programs[26]. The 2025 total dwarfs previous years (e.g., $1.35 billion in 2022), largely due to a $1.46 billion theft from the crypto exchange Bybit[27]. Other 2025 victims include LND.fi, WOO X, and Seedify, with more than thirty additional hacks attributed to North Korea[28].
Elliptic notes that the methods are shifting; instead of exploiting technical vulnerabilities, the majority of 2025 losses resulted from social engineering attacks against individuals, exposing the human side of security[29]. The regime launders stolen assets through multiple rounds of mixing, cross‑chain transactions, obscure blockchains, and tokens created by laundering networks[30]. Blockchain’s transparency still allows investigators to trace flows, but the arms race is ongoing[31].
AI‑Generated Fake Documents: A New Vector of Abuse
In April 2025, a Polish venture capitalist, Borys Musielak, demonstrated how generative AI can be used to produce convincing identity documents. Using OpenAI’s GPT‑4o, he generated a fake replica of his own passport in five minutes; he wrote that most automated Know‑Your‑Customer (KYC) systems would likely accept it[32]. Musielak argued that photo‑based KYC was now “game over” and called for a shift to digital identities[33]. Reports noted that the AI‑generated passport bypassed basic KYC checks on platforms like Revolut and Binance[34], raising concerns about mass identity theft and fraud. Within hours, OpenAI began rejecting similar prompts, indicating a reactive safety measure[35].
Security researchers amplified the warning. HYPR CEO Bojan Simic wrote that advances in AI make forging passports, driver’s licenses, and other IDs disturbingly easy[36]. Generative models can now replicate document structures, fonts, and images with high fidelity, undermining legacy document‑verification systems[37]. HYPR’s analysis lists passports, driver’s licenses, national ID cards, and birth certificates among documents now easily counterfeited[38]. Because most digital KYC processes rely on image uploads rather than physical security features (e.g., holograms or watermarks), AI‑generated fakes are “virtually indistinguishable from the real thing”[39]. The blog argues that verification based solely on documents is obsolete and emphasizes multi‑factor identity verification[40].
North Korean ITWs and Generative AI
The infiltration threat intersects with AI forgery in two ways:
- Preparation and interview deception: Research cited by 38 North found that DPRK ITWs use tools like ChatGPT to prepare technical interview answers and generate code samples, helping them appear qualified[41].
- Identity fabrication: DPRK operatives already use stolen or falsified IDs. The availability of AI‑generated passports and driver’s licenses will likely make these schemes easier and cheaper to execute, increasing the volume of plausible identities. Because forged IDs can be purchased for under $100[42] and AI makes creation faster, the barrier to entry is further lowered.
Why Legacy KYC and Hiring Practices Are Failing
Fragmented identity verification: The recruitment sector lacks standardized “Know Your Employee” checks. Unlike financial services, recruitment processes seldom involve robust Anti‑Money‑Laundering (AML) or Know‑Your‑Customer (KYC) standards. As a result, verification varies widely across industries and countries[43].
Remote‑first policies: The shift to remote work during the COVID‑19 pandemic widened verification gaps. Applicants can fabricate digital presences (e.g., LinkedIn profiles, GitHub repositories) while using VPNs and stolen identities to mask their origins[44]. Third‑party recruiters often prioritize speed and cost over thorough checks, making companies vulnerable[45].
Limited HR awareness: HR professionals often lack training on sanctions risks and the geopolitical context. They may not recognize red flags such as inconsistent time zones, refusal to use video, or mismatched social‑media histories[46]. Because HR is rarely integrated into compliance and security functions, this creates systemic vulnerabilities[47].
Dependence on static images: Automated KYC systems usually compare a user’s photo ID against a selfie. As Musielak’s experiment and HYPR’s analysis show, AI can produce both convincing fake documents and deepfake selfies[48][49]. Without stronger checks (e.g., cryptographic verification via a document’s embedded NFC chip), these systems can be fooled[50][51].
Recommendations to Counter the Threat
For Companies and Employers
- Implement multi‑factor identity verification: Use government‑issued IDs with cryptographic features (e.g., NFC chips) and require live video verification combined with biometric checks. Avoid relying solely on uploaded images of documents. Adopt behavioral biometrics and anomaly detection (e.g., analyzing keystroke patterns or geolocation) to detect impostors[52].
- Enhance recruitment due diligence: Train recruiters to look for red flags such as inconsistent time zones, mismatched employment histories, and refusal to appear on video. Use third‑party identity verification services and cross‑reference applicant data (e.g., tax records or utility bills). Conduct surprise verification calls and repeated checks during employment[53].
- Adopt least‑privilege access and network segmentation: New hires and contractors should receive only the minimum system permissions needed and operate within segregated network segments to limit lateral movement[54].
- Develop insider‑threat programs and ongoing monitoring: Monitor access patterns for anomalies (e.g., unusual login times or large data transfers). Conduct regular audits and red‑team exercises that simulate DPRK infiltration attempts[55].
- Collaborate on intelligence sharing: Participate in industry information‑sharing groups (e.g., ISACs) and coordinate with law enforcement to identify suspicious hiring patterns and potential infiltration attempts[56].
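One way to turn the monitoring and red‑flag guidance above into detection logic, as an added example that is not from the cited reports: it assumes an HR record of each hire's claimed time zone and a simple sign‑in/egress log, both constructed here, and flags off‑hours sign‑ins, multi‑country sign‑ins, and oversized data transfers.

```python
# Added detection example (not from the cited reports): score a remote hire's
# sign-in and egress telemetry against the red flags named in the text.
# All records below are constructed sample data, not real telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR record: account -> UTC offset (hours) of the hire's claimed location.
CLAIMED_UTC_OFFSET = {"jdoe": -5, "asmith": -8}  # e.g. US Eastern, US Pacific

# Constructed sign-in log, one event per line: time(UTC) user src_country bytes_out
SAMPLE_LOG = """\
2025-07-01T02:10:00Z jdoe US 12000
2025-07-01T03:40:00Z jdoe US 9000
2025-07-02T02:55:00Z jdoe CN 4500000000
2025-07-02T04:05:00Z jdoe US 7000
2025-07-01T15:00:00Z asmith US 20000
2025-07-02T16:30:00Z asmith US 15000
"""

def parse(log: str):
    # Turn the log text into (utc_time, user, country, bytes_out) tuples.
    events = []
    for line in log.splitlines():
        ts, user, country, out = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, country, int(out)))
    return events

def assess(log: str, work_hours=(7, 20), egress_limit=1_000_000_000, off_ratio=0.5):
    """Return {user: [finding, ...]}; an empty list means no red flag fired."""
    by_user = defaultdict(list)
    for ev in parse(log):
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        flags = []
        offset = timedelta(hours=CLAIMED_UTC_OFFSET[user])
        # Red flag 1: sign-ins mostly outside working hours of the claimed time zone
        off_hours = sum(1 for ts, *_ in evs if not work_hours[0] <= (ts + offset).hour < work_hours[1])
        if off_hours / len(evs) >= off_ratio:
            flags.append(f"{off_hours}/{len(evs)} sign-ins outside claimed local working hours")
        # Red flag 2: sign-ins from more than one country for a single claimed location
        countries = {c for _, _, c, _ in evs}
        if len(countries) > 1:
            flags.append("sign-ins from multiple countries: " + ", ".join(sorted(countries)))
        # Red flag 3: any single session moving more data out than the review threshold
        big = [o for *_, o in evs if o > egress_limit]
        if big:
            flags.append(f"{len(big)} session(s) with egress above {egress_limit} bytes")
        findings[user] = flags
    return findings
```

In the constructed data, every sign‑in by jdoe lands late evening in the claimed US Eastern zone, one comes from a second country, and one session moves 4.5 GB out, so all three flags fire for that account and none for asmith.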
For Governments and Regulators
- Establish recruitment integrity standards: Introduce regulations analogous to AML/KYC for sensitive industries, mandating identity verification, documentation of recruitment processes, and sanctions screening[57]. Treat hiring as a continuous, risk‑based process rather than a one‑time identity check[58].
- Strengthen cross‑sector collaboration: Create hubs where cyber units, financial regulators, HR sectors, and private companies can share intelligence on fraudulent identities and infiltration attempts[59].
- Promote digital identity frameworks: Support adoption of electronic ID (eID) wallets and NFC‑enabled identity documents to provide hardware‑level authentication, as suggested by Musielak and others[60][61]. Integrate these into cross‑border KYC and recruitment procedures.
- Sanction facilitators and front companies: Continue to identify and sanction individuals and entities that aid DPRK ITW schemes. The June 2025 DOJ action demonstrates that targeting enablers, such as those running laptop farms or creating shell companies, can disrupt revenue generation[62][63].
Conclusion
North Korea has industrialized the use of remote IT workers and cryptocurrency theft as a means to generate revenue and acquire sensitive data, directly supporting its nuclear and military ambitions. U.S. and international law‑enforcement actions have exposed the scale of this program: hundreds of fake identities, thousands of job interviews, hundreds of U.S. companies infiltrated, and billions of dollars stolen[64][65]. The use of generative AI, both for producing fake documents and preparing interview responses, has lowered the barrier to entry and threatens to overwhelm traditional document‑based verification[66]. To counter this evolving threat, organizations must adopt multi‑factor identity verification, strengthen hiring practices, limit access privileges, and share intelligence across sectors. Regulators should introduce recruitment integrity standards and encourage digital identity solutions. Without these reforms, the world’s remote workforce will remain a vulnerable vector for state‑sponsored infiltration and fraud.
[1] Rude Baguette. (2025, October 5). “They were already inside”: U.S. uncovers North Korea’s secret army of remote tech workers infiltrating global companies for cash and data. https://www.rudebaguette.com/en/2025/10/they-were-already-inside-u-s-uncovers-north-koreas-secret-army-of-remote-tech-workers-infiltrating-global-companies-for-cash-and-data/
[2] U.S. Department of Justice, Office of Public Affairs. (2025, June 30). Justice Department announces coordinated, nationwide actions to combat North Korean remote information technology workers’ illicit revenue-generation schemes. https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote
[3] [4] [18] [19] [22] [23] [62] [63] [64] See footnote 2
[5] DigiTrendz. (2025, October 2). North Korea’s IT workers expand targets beyond tech and crypto. https://digitrendz.blog/north-koreas-it-workers-expand-targets-beyond-tech-and-crypto
[6] [8] [11] [12] [54] [55] [56] See footnote 5
[7] The Realist Juggernaut. (2025, September 30). DPRK IT worker scheme goes global: from crypto to AI, healthcare and government. https://therealistjuggernaut.com/dprk-it-worker-scheme-goes-global-from-crypto-to-ai-healthcare-and-government
[9] [13] [14] [15] See footnote 7
[10] 38 North. (2025, October). The global threat of DPRK IT workers. https://www.38north.org/2025/10/the-global-threat-of-dprk-it-workers/
[16] [17] [20] [21] [41] [42] [43] [44] [45] [46] [47] [52] [53] [57] [58] [59] See footnote 10
[24] Elliptic. (2025, October 7). North Korea-linked hackers have already stolen over $2 billion in 2025. https://www.elliptic.co/blog/north-korea-linked-hackers-have-already-stolen-over-2-billion-in-2025
[25] [26] [27] [28] [29] [30] [31] [65] See footnote 24
[32] RedHatPentester [@redhatpentester]. (2023, March 22). X post [Tweet]. https://x.com/redhatpentester/status/1975275423639724201?s=12&t=O2soWA8NUeHAmRZ0A6hpxQ
[33] [50] [60] See footnote 32
[34] The Times of India. (2025, April 7). AI getting dangerous: Polish researcher uses ChatGPT-4 o to generate fake passport in 5 minutes! Etimes. https://timesofindia.indiatimes.com/etimes/trending/ai-getting-dangerous-polish-researcher-uses-chatgpt-4-o-to-generate-fake-passport-in-5-minutes/articleshow/120058999.cms
[35] Security Affairs. (2025, May 2). ChatGPT-4 o to create a replica of his passport in just five minutes. https://securityaffairs.com/176224/security/chatgpt-4o-to-create-a-replica-of-his-passport-in-just-five-minutes.html
[36] HYPR. (2025, April 15). The AI forgery epidemic: The growing threat of AI-generated fake documents. https://www.hypr.com/blog/the-ai-forgery-epidemic
[37] [38] [39] [40] [48] [49] [66] See footnote 36
[51] See footnote 35
[61] See footnote 34