North Korean Spies Posing as Remote Workers Have Infiltrated Hundreds of Companies, Says CrowdStrike

Researchers at security giant CrowdStrike have uncovered a sophisticated and growing threat in the form of North Korean spies posing as remote IT workers. These individuals have infiltrated hundreds of companies worldwide, using false identities, resumes, and work histories to gain employment and earn money for the regime.

The company's latest threat-hunting report reveals more than 320 incidents in the past 12 months in which North Koreans fraudulently gained employment as remote developers at Western companies. This represents a staggering 220% increase from the year earlier, highlighting the growing sophistication and brazenness of these operations.

The scheme relies on North Koreans using advanced tools such as generative AI to draft resumes and modify or "deepfake" their appearance during remote interviews. Once hired, they gain access to sensitive data and can use it for extortion purposes, with the ultimate goal of generating funds for North Korea's sanctioned nuclear weapons program.

The program has so far generated billions of dollars for the regime, making it a significant source of revenue for Pyongyang. It is estimated that there are potentially thousands of North Korean IT workers currently working for unwitting U.S. companies, posing a significant threat to national security and corporate integrity.

A New Level of Sophistication

While the scheme is not new, North Koreans have increasingly succeeded at getting jobs despite sanctions that bar U.S. companies from hiring them. CrowdStrike attributes this success to the use of advanced tools such as generative AI and improved social engineering tactics.

The company's report highlights the importance of implementing better identity verification processes during the hiring phase to prevent hiring sanctioned workers. TechCrunch has heard of some crypto-focused companies asking prospective employees to provide critical information about North Korea's leader, Kim Jong Un, in an effort to weed out potential spies.

Disrupting the Operations

The U.S. Department of Justice has been actively working to disrupt these operations by targeting U.S.-based facilitators who help run and operate the scheme for their North Korean bosses. Prosecutors have identified several individuals involved in "laptop farm" operations, which involve racks of open laptops used by North Koreans to remotely do their work as if they were physically located in the United States.

One such operation stole the identities of 80 individuals in the U.S. between 2021 and 2024 to gain remote work at more than 100 U.S. companies. The Department of Justice has been working tirelessly to bring these individuals to justice, disrupting the financial flow of North Korea's sanctioned nuclear weapons program.

Prevention is Key

In light of this growing threat, it is essential for companies to take proactive steps to prevent hiring sanctioned workers. CrowdStrike's report emphasizes the importance of implementing robust identity verification processes during the hiring phase to ensure that only legitimate candidates are brought on board.

By staying vigilant and taking these precautions, companies can help protect themselves against this sophisticated threat and contribute to a safer and more secure digital landscape for everyone.