Join us at Binding Hook Live on October 27 at Underbelly Boulevard Soho in London
Join us at Binding Hook Live
Request an invite
Main Logo Expert commentary on tech and security

North Korean operatives invent identities to infiltrate industries

Chandana Seshadri 29 April 2025
Share On:
North Korean IT workers are no longer just breaching organisations – they’re being hired by them. This is because companies treat identity management as a compliance issue instead of a serious national security threat
Main Top Image
Photo: Christina @ wocintechchat.com/Unsplash

By forging identities, complete with fabricated digital work histories and developer profiles on platforms like GitHub, North Korea operatives are systematically exploiting vulnerabilities in identity management to secure legitimate jobs in global industries.

Although the full extent of this infiltration is unknown, open-source reporting and federal indictments suggest the presence of thousands of such operatives across the globe. Coordinated teams can earn millions for the regime’s weapons programme. 

In addition to raising revenues, these workers present a complex threat, blending identity fraud, insider threat, data exfiltration, and the manipulation of trusted platforms in recruitment. These tactics form a decentralised model of infiltration – one that uses weaknesses in identity management, payment infrastructure, and compliance ecosystems to embed operatives within global workforces.

The blueprint for securing work

North Korean IT operatives use layered identity obfuscation strategies to secure employment. These range from fabricating personas and faking resumes to relying on third-party facilitators and stealing identities. These operatives often claim to reside in the US, Canada, Japan, and Singapore but are primarily located in China, Russia, and, in smaller numbers, Africa and Southeast Asia. 

They specifically apply for freelance and remote work opportunities. Supported by fake work histories and convincing digital footprints on LinkedIn and GitHub, they use job boards like Upwork, Telegram, and Netlify to secure work. Some operatives also attempt to buy high-reputation accounts on underground marketplaces to bolster their credibility. 

Resumes cited in open-source reports show several key characteristics, such as proficiency in multiple programming languages and fake testimonials using stolen images from professional profiles of CEOs and directors likely from LinkedIn. Additionally, these profiles demonstrate inconsistencies in personal information, like phone numbers and emails, across different job platforms.

One notable case involves the cybersecurity firm KnowBe4, which unknowingly hired a North Korean IT worker. The individual used AI-manipulated images to create a convincing persona. Although standard hiring procedures were followed to hire a software engineer for their internal IT AI team – including interviews, background checks, and reference checks – the company’s security operations centre flagged unusual behaviour immediately after the company workstation was activated. Malware was loaded, session histories were manipulated, and unauthorised software was installed. When the company attempted to follow up via a call, the individual became unresponsive and disappeared.

The role of facilitators

Recent US indictments highlight how third-party facilitators are crucial to sustaining the IT worker ecosystem. In one case, Matthew Knoot of Tennessee allegedly operated ‘laptop farms’, maintaining computers at his residence to obscure North Korean IT workers’ true location. Knoot also assisted in securing stolen identities of US individuals to receive company hardware and installed remote desktop applications. This enabled the North Koreans to work remotely from China, creating the illusion that the work was being conducted domestically.  

Similarly, Christina Chapman ran a laptop farm in Arizona and allegedly helped North Korean IT workers steal over 60 US identities and access remote roles at more than 300 US companies, including some in the Fortune 500. Chapman and her associates reportedly created false payroll records, laundered earnings, and filed false documents to US federal agencies. Their network is believed to have generated at least $6.8 million for overseas IT workers, while leaving US individuals with fabricated tax liabilities and compromised identities. 

Where the identity management systems fall short

These tactics expose vulnerabilities in identity verification frameworks, particularly in recruitment, which may lack the resources needed to detect sanctioned state actors. However, the core weakness is not technical but organisational. There is a general lack of awareness about the implications of inadvertently hiring sanctioned actors. Without robust due diligence protocols, such threats may be dismissed as purely reputational. 

Human resources professionals, often the first line of defence in the hiring process, frequently lack the tools, training, and contextual understanding needed to identify red flags. Training typically focuses on compliance and harassment rather than impersonation by state threat actors.

On the financial side, while traditional financial institutions operate under stringent anti-money laundering and know your customer protocols, not all financial institutions facilitating payments abide by the same standards. Even where red flags are identified, legal action or regulatory alerts often fail to translate into operational guidance for payment processors. More generally, the tech sector lacks the well-established identity controls of the financial services industry. 

Emerging technologies further complicate detection. North Korean IT operatives have been observed using AI tools like ChatGPT to generate answers for technical and other interview questions. Recent open source reports also suggest these actors may be experimenting with AI-generated personas, using deepfakes during video interviews. To an untrained eye such tactics are increasingly indistinguishable from legitimate candidate behaviour.

Looking beyond identity threats

Identity manipulation is an initial enabler in North Korea’s revenue-raising operations, but the broader threat emerges after placement. Once embedded, these operatives represent a persistent internal threat, capable of exfiltrating proprietary data, conducting cyber-enabled extortion, and compromising organisational integrity. 

While public discourse often emphasises financial implications, specifically how the revenue generated by these operatives funds the regime’s weapons programme, this is only one facet of the overall threat. 

A recent US indictment illustrates the true scope of this risk. Over a six-year period, 14 North Korean nationals working through front companies such as Yanbian Silverstar and Volasys Silverstar sought employment within US-based companies and non-profits. They amassed approximately $88 million using stolen and fabricated identities. Some were reportedly under direct orders to earn at least $10,000 per month.

The indictment also revealed a further objective. Beyond earning a steady income, operatives engaged in extortion schemes, threatening to leak sensitive information unless companies paid ransoms. These payments were made to bank accounts based in China and controlled by North Koreans. 

Another notable case involved a technician who was hired by a firm operating in the US, UK, and Australia. After four months, the technician was terminated for poor performance. Shortly after, the company received a series of emails containing samples of stolen data and a demand for a six-figure cryptocurrency ransom. The worker had faked his employment history and personal identity and used the company’s virtual environment to exfiltrate files to a personal cloud account. 

Getting ahead of the threat

Addressing the threat posed by North Korean IT workers warrants a strategic rethink: identity verification must be treated as a core component of organisational resilience. Public and private sector guidance already calls for enhanced interview procedures, including camera-on protocols and consistency checks across resumes and online profiles. 

Furthermore, institutions should implement continuous vetting, especially of remote workers. This could involve verification of academic and employment histories, cross-checking with institutional records, and background checks via government portals like E-Verify (US) or international equivalents. 

Some firms are outsourcing vetting to third-party due diligence specialists. For instance, Palo Alto Networks’ Unit 42 collaborates with VCheck Global to combat identity fraud. Other measures include enhancing the training of HR professionals with real-world cases to improve their judgment and detection capabilities. Combined with improved technical training, this could aid in detecting suspicious behaviour.

Ultimately, policy responses must elevate this from a compliance issue or a niche financial crime risk to a national security challenge. To combat these threats, industry and government must coordinate to treat identity exploitation as a security vulnerability with strategic implications.

avatar
Chandana Seshadri

Related

Featured image
Binding Edge
The mechanisms of cyber-enabled information campaigning
Jelena Vićić / Richard Harknett 21 June 2024
Read more arrow
Featured image
Binding Edge
LGBTQ+ community grapples with hidden wave of digital abuse
Sara Seppanen 6 March 2024
Read more arrow
Featured image
Binding Edge
From hacktivism to development coordination, cyber conflict blind spots bring risks
Ric Derbyshire / Isabella Neumann / Veronika Datzer 26 March 2025
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.