How North Korea Infiltrated the Global Tech Sector

North Korea, the world’s most sanctioned and isolated regime, has successfully placed employees inside hundreds of American companies. They are not the Cold War-era sleeper agents typically depicted in espionage thrillers; instead, they are remote workers using falsified identities to pretend to be operating from Japan, South Korea, or even inside the United States. These operatives are performing real work, at least some of the time.

They attend virtual meetings, write code, and collect paychecks in organizations ranging from artificial intelligence startups to financial institutions and media outlets. Cybersecurity firm KnowBe4 discovered this vulnerability the hard way when the company hired what they believed to be a principal software engineer for their internal artificial intelligence team. Multiple video interviews, background checks, and references all appeared to check out seamlessly, until the individual received their official work computer and, within hours, attempted to install malware.

KnowBe4’s systems were robust enough to detect and block the attack, but if a premier cybersecurity firm could be infiltrated, the broader tech sector faces an unprecedented and pervasive threat.

The Strategic Pivot to Digital Exploitation

Since 2020, as the global workforce shifted aggressively toward remote operations, North Korean workers leaped at the new opportunities presented, generating hundreds of millions of dollars for Pyongyang. However, the financial windfall is only one component of the issue; far more pressing is the unprecedented access these operatives have acquired. Defense contractors holding classified weapons technology, artificial intelligence companies, and major financial institutions have all been compromised.

Some operatives have been caught, but the total number of embedded agents remains unknown, alongside the looming question of what happens when Pyongyang decides these assets are worth more as saboteurs than as revenue streams. For decades, North Korea has endured a series of ever-expanding international sanctions that systematically choked off its economy. As this economic isolation progressed, the regime began to rely more heavily on imports from its two closest allies, Russia and China, as well as foreign currency operations conducted overseas to remain afloat.

The regime’s historical approaches to generating illicit revenue included everything from counterfeiting foreign currencies to trafficking narcotics, which often paid significant dividends. When hackers stole $81 million from Bangladesh’s central bank in 2016—an act that was quickly traced back to Pyongyang—it initially seemed as though the country had executed a lucky, one-off heist. In reality, North Korea had been deliberately pivoting toward these far more sophisticated operations for years.

Dating back to the early 2010s, the regime realized that as the rest of the world fully entered the digital age, it would be uniquely positioned to exploit systemic vulnerabilities if it strategically developed the right capabilities. Consequently, Pyongyang launched a massive investment campaign in computer science education within North Korean schools, going so far as to create specialized universities dedicated to churning out thousands of capable programmers. This educational initiative was a dual-track strategy.

On one hand, the regime was training dedicated hackers for offensive cyber warfare, demonstrated by their successful breach of Sony Pictures in 2014, an attack that ultimately halted the theatrical release of “The Interview,” a film containing a less-than-flattering depiction of Kim Jong Un. Simultaneously, they were beginning to train legitimate software developers for a far more long-term objective: to essentially become digital sleeper agents working remotely as employees of technology companies around the world. Institutions like Kim Chaek University of Technology and Kim Il Sung University established highly specialized programs.

Pyongyang University of Science and Technology joined the effort as well, with elite secondary schools across the capital feeding talented and computer-savvy youths directly into these advanced programs. By some estimates, North Korea was graduating as many as 30,000 students studying information technology-related subjects. The regime began deploying these trained programmers overseas as early as the mid-2010s.

By September 2018, Western intelligence was beginning to catch on; the United States Treasury sanctioned two sister companies operating as fronts—Yanbian Silverstar in China and Volasys Silver Star in Russia—for running North Korean IT workers behind false identities. Yet, this enforcement action was barely scratching the surface of the operation. By 2019, United Nations monitors estimated that at least one thousand North Korean workers had been dispatched overseas, though even that figure likely vastly understated the true scale of the program.

All they needed was a global opening, and timing would soon provide openings everywhere.

The Pandemic Catalyst and the Mechanics of Deception

When the COVID-19 pandemic struck in early 2020, remote work transitioned from a supplementary benefit to an absolute business necessity overnight. North Korea’s IT workforce was handed the opportunity of a lifetime, and they wasted precious little time in seizing it. While the regime had not explicitly prepared for a pandemic-driven work-from-home revolution and seemed initially caught off guard by the sheer volume of opportunities, they adapted with remarkable speed.

As companies scrambled to determine how to onboard employees they would never meet in person, North Korea recognized that its most significant historical barriers—physical presence, in-person interviews, and local background checks—had simply evaporated. Just as international sanctions had effectively shut down their traditional revenue streams, the rapid reorganization of the entire global economy created a massive vulnerability that made Pyongyang’s new strategy incredibly effective. The period between 2020 and 2021 represents a silent explosion of this infiltration phenomenon that is only now fully coming to light.

Benefiting from hindsight, the initial wave of operations was almost embarrassingly simple. Operatives would create LinkedIn profiles claiming to be software developers from South Korea, China, Europe, or the United States, apply to dozens of remote positions simultaneously, and accept whatever employment they could secure. On some level, they were almost ideal applicants; after all, they were entirely willing to work for whatever comparatively low wages they were offered.

In the sheer chaos of early pandemic hiring, when major companies were losing millions of dollars from operational disruption, a standard of “good enough” became the prevailing norm. Blockchain developer Eric Chen’s experience at the firm Injective was highly typical of this early period. The developer he hired in mid-2020 possessed decent credentials, performed adequately in interviews, and seemed genuinely eager to start working.

Over time, performance issues emerged, specifically persistent bugs in the code, which compounded to the point where Chen fired the developer after a few months and hired a replacement. It never occurred to him that he had unknowingly employed a North Korean operative until law enforcement contacted him three years later. Multiplying that singular story by hundreds, or possibly thousands, across the broader tech industry provides a realistic feel for the sheer scale of the operation.

That precise pattern repeated across multiple fronts, largely focusing on financial institutions, software development firms, fintech startups, and artificial intelligence companies. Throughout 2021, the North Korean operation professionalized rapidly after experiencing its early growing pains. The operatives’ resumes became significantly more polished, their coding submissions became less buggy, and their handlers began investing heavily in much more credible cover stories.

As the worst phases of the pandemic concluded—with vaccines rolling out, lockdowns lifting, and society returning to a general sense of normalcy—this shift initially posed a risk to the regime’s newfound revenue stream. Companies began discussing bringing their employees back to the physical office. However, the work-from-home model remained in overdrive due to a significant global worker shortage, leaving companies desperate to hire whoever they could find.

Once remote work had been thoroughly normalized, outsourcing labor to workers that companies believed to be located in Japan or South Korea was hardly a conceptual leap.

Federal Warnings and the Evolution of Tradecraft

The major wake-up call for the corporate sector arrived in May 2022, when the State Department, the Department of the Treasury, and the FBI issued a joint advisory warning that thousands of highly skilled North Korean IT workers were actively posing as non-North Korean nationals to land remote jobs with Western companies. By that point, the operation had already been running at an industrial scale for nearly two years. Federal investigators laid out the precise scheme: workers from the Democratic People’s Republic of Korea (DPRK) were utilizing virtual private networks (VPNs), stolen identity documents, and proxy accounts to mask their true locations and consistently win contracts on freelance platforms.

Individual workers were capable of earning over $300,000 annually, even though the regime typically only allowed them to keep five to ten percent of those earnings for themselves. The federal warning was far from theoretical. The joint advisory cited one specific case where DPRK workers had already stolen over $50,000 from a United States firm in thirty separate, small installments—a calculated, slow-drip theft explicitly designed to slip past standard fraud detection algorithms.

Other companies were reporting increasingly strange behavioral patterns: developers whose English proficiency seemed to shift dramatically between written and spoken communication, or applicants who flawlessly aced complex technical interviews but inexplicably stumbled on basic follow-up calls. Investigators successfully traced these anomalies to the multi-operator tradecraft that North Korean teams were deploying. Different operatives handled different parts of the same fake identity, with some teams deploying artificial intelligence translation tools or voice changers to seamlessly maintain the ongoing deception.

The government advisory provided companies with a specific checklist of red flags to monitor. These included multiple logins from widely separated international countries, heavy reliance on Chinese payment services and cryptocurrency transfers, glaring biographical inconsistencies across professional profiles, and remote workers who rigidly refused live video calls or could not receive physical hardware at their listed home addresses. Furthermore, federal officials warned that while the vast majority of these workers performed legitimate software development to avoid detection, their privileged contractor access provided them with potential pathways into secure corporate networks for future cyber intrusions or illicit technology procurement.

The operation had been publicly called out, but Pyongyang was already far too entrenched in the game to simply wrap up shop. Being the most heavily sanctioned nation on earth meant North Korea faced a limited number of additional consequences the international community could impose to ramp up pressure. Consequently, the US advisory effectively became a training manual for North Korean operatives on what operational security errors to avoid in the future.

Their tradecraft improved substantially; the sloppy logins from far-flung global locations vanished, and over time, the operatives became significantly harder to detect. The regime also strategically shifted its focus toward quality over quantity in terms of the jobs obtained. They began specifically targeting higher-value positions at more strategically significant technological firms, rather than simply maximizing the sheer volume of low-level positions they had acquired.

What followed was a masterclass in rapid adaptation.

Laptop Farms, Facilitator Networks, and AI-Enhanced Infiltration

The 2022 advisory exposed how VPNs originating from China were being flagged by corporate security and how time zone mismatches were giving operatives away. North Korean handlers knew they needed to make their digital footprints appear entirely authentic. This requirement birthed the “laptop farm” model, primarily relying on domestic facilitator networks.

Individuals like Matthew Knoot became early pioneers of this method, setting up proxy networks through which computers physically located in the United States could be remotely accessed by North Korean operatives. Starting around 2022, corporate laptops began arriving at Knoot’s Tennessee address. He would unbox the machines, connect them to his home network, and install remote access software.

Suddenly, that specific laptop became a perfect corporate shell—connected through a legitimate American internet service provider, seamlessly bypassing every geographic security check a company might run. The exact degree to which Knoot may have known he was specifically facilitating North Korean infiltration remains a matter of legal dispute, but running an IT data center from a residential basement at the behest of shadowy international figures clearly crossed legal boundaries. The lucrative economic side of the equation undoubtedly tipped the scales toward asking fewer questions.

Before his arrest in August 2024, federal investigators found that his facilitation network successfully placed at least a dozen DPRK operatives in United States and United Kingdom companies, laundering hundreds of thousands of dollars while keeping a generous cut for himself. Similarly, Christina Chapman’s operation in Arizona serves as a prime case study of how far the physical infrastructure had evolved by 2024. Working in tandem with Ukrainian facilitator Oleksandr Didenko, Chapman created over three hundred fake freelancer accounts based entirely on stolen American identities, each fully capable of passing E-Verify and standard corporate background checks.

By the time of her arrest in May 2024, these fraudulent accounts had successfully placed North Korean operatives at over 300 different US companies. The subsequent unsealing of her federal case by the Department of Justice revealed the staggering extent of the compromise without specifying all company names. Affected entities included a major television news network, an aerospace and defense contractor, and numerous Fortune 500 companies that had unknowingly granted DPRK operatives direct access to their internal systems, and in some critical cases, classified military technology.

While Chapman’s operation was one of the largest disrupted, similar networks almost certainly remain active. Yet, even the sophisticated laptop farm setup was rapidly becoming outdated due to the explosive rise of generative AI platforms, which transformed the infiltration game completely. North Korean operatives began utilizing tools like ChatGPT to generate highly tailored cover letters and resumes completely free of the grammar mistakes that previously served as red flags.

They increasingly relied on artificial intelligence to perform the actual coding jobs they might have otherwise underperformed at. The Pyongyang-linked hacking group Kimsuky was caught using ChatGPT to generate fake South Korean military IDs attached to phishing emails. Furthermore, the AI firm Anthropic reported that North Korean actors had used their Claude model to create convincing portfolios, pass complex coding tests, and complete actual technical assignments for real employers.

The AI stood ready at the regime’s behest, perfectly illustrated by the mid-2024 KnowBe4 incident where an operative used AI-enhanced stock photography and stolen valid references to secure an internal AI team position before immediately attempting a malware deployment.

Economic Scale, Defense Sector Breaches, and Geopolitical Implications

The financial scale of this ongoing infiltration is staggering. When Fortune and Microsoft published their joint estimate that North Korean IT workers generate hundreds of millions of dollars annually, the figures seemed almost too immense to believe. However, the mathematics are straightforward: if merely five thousand workers each earn six-figure salaries, the operation generates half a billion dollars per year.

Many of the compromised positions, particularly within blockchain development, artificial intelligence, and specialized software engineering, pay considerably more than standard rates. This vast influx of capital allows Pyongyang to comfortably bypass international financial sanctions and directly fund its military modernization projects. Yet, the revenue generation is only one facet of the broader threat matrix; the unauthorized access to sensitive national security data poses a far more severe long-term risk.

The identity and access management company Okta has identified a small but highly persistent stream of North Korean operatives actively applying for positions at US state and federal agencies throughout 2023 and 2025. These infiltration attempts targeted not only federal agencies but also Middle Eastern and Australian government entities. The operatives demonstrated an extensive focus on government contractors and service providers, which often maintain less rigorous vetting procedures than direct government agencies but command nearly equal network access.

In 2025, the Justice Department revealed that over 100 US companies had been definitively compromised just within the specific cases they successfully prosecuted. The defense sector breaches carry the most immediate national security implications. Between January and April 2024, a North Korean operative embedded at a California defense contractor successfully exfiltrated data explicitly marked as highly sensitive technical data subject to strict export controls.

Those stolen files detailing advanced military technology were funneled directly to North Korea’s intelligence agencies. This data serves the dual purpose of allowing the regime to analyze the capabilities of adversarial technology while providing free engineering resources to accelerate their own indigenous weapons development. The timing of these defense industry revelations becomes particularly ominous when contextualized alongside North Korea’s rapidly deepening military buildup and shifting geopolitical alliances.

As of October 2025, North Korea had deployed approximately 15,000 troops to fight alongside Russian forces in the Kursk region, with battlefield reports indicating at least 600 and potentially as many as 4,700 of those soldiers had been killed in combat. Furthermore, Pyongyang has been reportedly supplying Russia with massive quantities of artillery shells that continue to be utilized in the ongoing conflict. The United States Treasury’s Bradley Smith explicitly noted that illicit funds generated by IT workers help enable North Korea’s material support for Russia’s war in Ukraine.

This likely refers both to the regime utilizing newfound cash to rapidly produce munitions for Moscow and potentially directing its embedded IT workers to directly support Russian technical projects. In return, Russia is actively transferring advanced military technology to Pyongyang, primarily focusing on submarine and surface warship development assistance. This high-level technical exchange became glaringly visible in April 2025, when North Korea botched the launch of a new 5,000-ton destroyer.

Although the vessel was damaged and later recovered, the ship—based heavily on Russian naval designs—features vertical launch systems designed to fire land-attack and anti-ship cruise missiles. It stands as the largest and most heavily armed surface warship the isolated regime has ever constructed, underscoring the severe consequences of its technological espionage.

The AI Arms Race and the Looming Threat of Digital Sabotage

The artificial intelligence sector has emerged as a particularly prioritized target for North Korean infiltration. As Washington and Beijing face down in an increasingly confrontational standoff regarding the global AI arms race, Pyongyang is deploying its unique digital assets into a niche technological field where it has become uncharacteristically well-positioned. Security firm Okta documented a marked increase in North Korean attempts to penetrate AI companies at the exact moment these firms began developing military applications, such as autonomous targeting systems, predictive maintenance algorithms for defense hardware, and advanced battlefield analysis tools.

The operatives who spent time embedded inside these cutting-edge companies undoubtedly accomplished more than merely collecting paychecks, yet the exact number of agents currently maintaining access remains dangerously unknown. The tangible impact of this infiltration is already manifesting globally. The Multilateral Sanctions Monitoring Team, formed after Russia vetoed the renewal of the UN Panel of Experts, published an extensive report in October 2025 documenting the scale of the theft.

The report detailed that North Korean IT workers and state-sponsored hackers successfully stole approximately $2.8 billion in cryptocurrency between January 2024 and September 2025. These operations are increasingly abandoning broad targets in favor of highly strategic sectors, specifically focusing on artificial intelligence, defense contracting, and blockchain architecture. Despite the escalating threat, the private sector’s response remains dangerously fragmented.

Okta successfully identified 130 DPRK-linked identities, which likely represents just a fraction of the personnel Pyongyang is pouring into the tech sector. Those 130 specific actors alone were tied to conducting over 6,500 initial interviews across 5,000 different companies, predominantly in the United States, though targeting outside the US recently ticked up to 27 percent. Cybersecurity firm CrowdStrike investigated 320 separate infiltration incidents over the past year alone—a massive 220 percent year-over-year increase.

This surge indicates both that corporate awareness is slowly growing and that the infiltration attempts are occurring with far greater frequency. Mid-market companies, standard staffing firms, and non-tech sectors such as healthcare and finance find themselves particularly exposed. They largely lack the expensive threat intelligence feeds and dedicated security teams that enterprise-level tech giants can easily deploy.

Industry reports highlight that remote roles of any description are fully in scope for the scheme, with healthcare organizations becoming increasingly targeted due to their combination of high salaries, chronic staffing shortages, and urgent hiring needs. The tech industry has not been entirely passive. Microsoft has suspended over 3,000 Outlook accounts believed to be directly tied to North Korean IT operations and is continuously rolling out enhanced detection capabilities within its enterprise software.

However, the operatives continue to adapt. Applicants have grown adept at utilizing AI deepfake technology during live video interviews, altering their facial features in real time to match the stolen identities provided in their applications. Currently, corporate recruiters can easily defeat this software by simply asking the interviewee to wave a hand in front of their face, which disrupts the deepfake rendering long enough to reveal the operative’s actual identity.

Yet, the temporary nature of these detection methods underscores a grim reality: as AI systems inevitably improve, they will provide the same enabling effect for hostile actors that the initial remote work revolution provided in 2020. The international dimension compounds this coordination problem exponentially. Facilitator laptop farms have rapidly expanded across Southeast Asian countries, regions widely known for lax enforcement of cyber regulations and simultaneously serving as major hubs for legitimate tech outsourcing.

The known cases of infiltration represent only the operatives who made actionable mistakes or were caught in Justice Department sweeps. The broader evolution is undeniable: what began as a low-profile freelancing side gig for the Kim regime between 2018 and 2020 has morphed into an AI-enhanced fraud machine posing severe international security risks. With OpenAI securing a $200 million contract with the American Department of War, and military operations increasingly integrating private-sector AI agents, the stakes have never been higher.

The FBI has explicitly warned that the placement of these DPRK operatives provides significant disruption capability should Pyongyang choose to activate them. Every embedded operative represents a potential digital sleeper cell, creating a volatile collision between a global tech industry built on open collaboration and a totalitarian regime that views every corporate interaction as a potential intelligence operation.

Sources

1. https://www.techtarget.com/searchsecurity/news/366598834/KnowBe4-catches-North-Korean-hacker-posing-as-IT-employee
2. https://fortune.com/videos/watch/thousands-of-north-korean-it-workers-have-infiltrated-the-fortune-500/a2e13642-3b22-4f8b-8801-7479c283adb5
3. https://cyber.uk/areas-of-cyber-security/cyber-security-threat-groups-2/nation-state-hackers-case-study-bangladesh-bank-heist/
4. https://www.theguardian.com/film/2014/dec/18/fbi-north-korea-sony-pictures-hack-the-interview
5. https://www.aljazeera.com/features/2011/6/20/north-korea-recruits-hackers-at-school
6. https://www.wired.com/story/north-korea-stole-your-tech-job-ai-interviews/
7. https://www.zdnet.com/article/a-glimpse-into-the-world-of-north-koreas-hacking-elite/
8. https://www.iddataweb.com/shadow-workers/
9. https://theweek.com/tech/hermit-kingdom-it-remote-workers-north-korea
10. https://www.binance.com/en/square/post/14351807724042
11. https://ofac.treasury.gov/media/923126/download?inline
12. https://www.justice.gov/archives/opa/pr/justice-department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and
13. https://www.justice.gov/opa/pr/arizona-woman-sentenced-17m-information-technology-worker-fraud-scheme-generated-revenue
14. https://wjla.com/news/local/north-korea-it-worker-fraud-scheme-scam-laptop-farm-300-american-companies-17-million-christina-marie-chapman-50-arrested-sentenced-north-korean-government-hacker
15. https://www.businessinsider.com/north-korea-china-hackers-infiltrate-companies-ai-resumes-military-id-2025-9
16. https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
17. https://cyberscoop.com/cyber-firm-knowbe4-hired-a-fake-it-worker-from-north-korea/
18. https://www.okta.com/newsroom/articles/north-korea-s-it-workers-expand-beyond-us-big-tech/
19. https://koreajoongangdaily.joins.com/news/2025-10-31/national/northKorea/Captured-North-Korean-war-prisoners-in-Ukraine-ask-to-be-brought-to-South-Korea/2433800
20. https://www.wsj.com/world/asia/kim-jong-un-publicly-mourns-troops-killed-fighting-for-russia-for-first-time-169fb004?gaa_at=eafs&gaa_n=AWEtsqcNSCozvEQsxiaHjxwDhBFZkFUUPGE8qSrChm_ugINddWts8HJCZCruQvewhQA%3D&gaa_ts=6912bcf4&gaa_sig=o5AKKeXbil_NmFIUIhqUPNTQBM6MUUi7BQIoHw2nWemS3l7Kv0OjHs8D9kVnI3pjFDA3iYYat0SXmlF5dziTZw%3D%3D
21. https://home.treasury.gov/news/press-releases/jy2790
22. https://apnews.com/article/north-korea-russia-casualties-troops-cf71c682b57863e4e5207d2c86295738
23. https://beyondparallel.csis.org/north-korea-launches-the-choe-hyon-guided-missile-destroyer/
24. https://apnews.com/article/north-korea-cyber-nuclear-russia-un-sanctions-28b6681541a62d809c52e0f2625febc9
25. https://cyberscoop.com/crowdstrike-north-korean-operatives/
26. https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/
27. https://www.darkreading.com/remote-workforce/north-korean-operatives-deepfakes-it-job-interviews