How North Korea revamped old tactics for the IT age

Women performing at a North Korean state-owned restaurant in Shanghai, China, in September 2014. Photo: Uri Tours/Wikimedia Commons

02 October 2025

An estimated 100,000 North Korean workers – excluding IT workers – are earning the regime an estimated $500 million a year by working around the globe in defiance of international sanctions. In 2017, there were an estimated 65,000 North Koreans deployed abroad, and these operations have only grown. Scattered across 40 countries, North Koreans are pressed into service in everything from garment factories and building sites to hospitals and restaurant kitchens, with most of their wages going back to the North Korean state.

Of these, IT workers may be the regime’s gold mine. Though only about 3,000 are thought to work abroad (and another 1,000 inside the country), they rake in an estimated $250 million to $600 million annually for Pyongyang, potentially as much as all other sectors put together.

This is nothing new. North Korea has relied on the export of its labour force as a key component of its sanctions evasion and revenue-generation strategy for over a decade. The IT operations are the digital extension of this entrenched labour-export system, ensuring larger revenue potential. Understanding this state-managed apparatus of labour export provides the context to design more effective measures to disrupt the North Korean IT worker network.

Legacy control

The recruitment, oversight, and labour conditions of North Korean IT workers closely mirror the longstanding mechanisms used in other deployments of overseas workers. Over the years, the regime has deployed its citizens across a range of industries, including construction, logging, textiles, and restaurants, in a model rooted in ideological control, central planning, and systemic exploitation. As much as 90% of an individual’s income may be funnelled back to the regime to fulfil monetary quotas. 

The selection process for these foreign deployments is stringent but also marked by corruption and social stratification. Candidates are mostly men from families loyal to the regime (they have reliable ‘songbun,’ according to North Korea’s socio-political classification system). Most are married with children, which also serves as an added mechanism of control through the threat of reprisal against family members. Provincial People’s Committees have significant influence in nominating individuals, and bribery is widespread at this stage. Candidates often offer cash, gifts, or favours to local officials to secure recommendations. Final selection is overseen by a network of state organs, including the Ministry of State Security and various branches of the Korean Workers’ Party. Background checks are exhaustive, with a primary emphasis on ideological purity and loyalty.

Once deployed, North Korean workers are subjected to intense surveillance and control. Passports are confiscated and workers are placed under round-the-clock monitoring by designated ‘minders’ or supervisors. Working conditions are harsh and highly regimented, with labour days stretching up to 16 hours.

In the IT sector, the state’s established apparatus of control and exploitation is adapted but not relaxed. North Korean IT workers, whether operating remotely or embedded in Western organisations, are still subjected to ideological, financial, operational, and even physical control. They are recruited from elite universities or military-affiliated institutions where a rigorous process of grooming ensures that only those with both technical aptitude and ideological reliability are advanced into the state’s cyber workforce.

The path into this ‘cyber career’ is also seen as a rare opportunity for modest social mobility. Benefits such as food subsidies, improved housing and increased stipends during overseas assignments are extended to select IT operatives. However, the underlying exploitative dynamics persist; workdays remain excessively long, breaks are limited, and the vast majority of earnings are confiscated by the state. A portion of this revenue is reinvested into maintaining cyber operations and infrastructure, including command-and-control networks and operational logistics.

The shift from manual labour to IT work has not altered the existing system but has instead only expanded the regime’s reach. IT workers may enjoy certain privileges, but they remain tightly bound to the same apparatus of control and surveillance.

Reusing the same playbook

In both physical and virtual domains, North Korean workers have successfully embedded themselves in sensitive and high-value environments, often without detection. For IT worker operations, the regime obfuscates infrastructure, uses front companies, forges identities and launders cryptocurrency to keep them hidden. These are not new; they are well-established components of Pyongyang’s playbook. What has changed is not the strategy itself, but the domain in which it is applied.

Just as IT operatives secured varied roles within Fortune 500 companies under false identities, earlier cases show similar patterns of infiltration. For example, between 2014 and 2016, North Korean labourers were contracted to repair a Royal Danish Navy patrol vessel, a two-ton warship. Official documentation, including pay slips and contracts, confirmed their involvement. Here, North Korean workers could have had direct access to classified naval technologies and infrastructure belonging to NATO allies. 

Similarly, North Korean-run restaurants across Asia are rarely just about cuisine. These restaurants often act as fronts for stashing passports, laundering money, housing operatives or masking sanctioned commercial transactions. In cyberspace, fake software firms, fabricated online personas, and shared developer accounts serve the same strategic function of concealing identity and creating plausible deniability.

Maritime sanctions evasion tactics offer a revealing analogue. North Korean vessels have routinely employed Automatic Identification System (AIS) geo-spoofing – transmitting false GPS signals or assuming the identities of legitimate ships in order to mask sanctioned activity. In cyberspace, a similar ‘multi-layered approach’ is used to conceal the technical infrastructure behind IT operations. Operatives rely on virtual private networks (VPNs), proxy servers, and IP routing techniques to obscure the origin of traffic, mask server locations, and route communications through multiple jurisdictions.

Even a tactic as obscure as vessel identity laundering has a digital parallel. Just as ships would be cosmetically altered and re-documented to assume new identities, North Korean IT workers now use ‘layered obfuscation identity strategies’ to get hired, and often rotate through accounts, recycle verified credentials, and maintain dormant digital personas for future use. These personas are often interconnected across platforms, sharing usernames and project names, creating a layered and misleading web of activity.

The use of local nationals as facilitators or middlemen masks Pyongyang’s involvement in foreign ventures. Mostly, these facilitators are hired as shipping agents, proxy business owners or financial intermediaries. That same role persists in supporting the regime’s IT operations in different parts of the world. These individuals have facilitated North Korean IT operatives by receiving and reshipping company-issued laptops, setting up remote access, creating and registering fake business entities, acquiring IDs and licenses and accessing job platforms or payment accounts. Whether knowingly complicit or simply opportunistic, facilitators enable a system designed for deniability and are often discarded once operational needs shift or risks escalate.

Continuity and adaptation

The North Korean IT worker threat is not episodic; rather, it is a long-term, state-managed strategy fine-tuned to exploit the shift towards a globalised remote workforce. Disrupt one operation and Pyongyang will adapt, shifting platforms, rotating identities, and training replacements. These operations are not only about generating currency or bypassing sanctions but also creating a foothold within organisations for future cyber operations that may involve espionage, theft or sabotage. Indictments and prosecutions can raise the cost of participation but rarely eliminate the utility these schemes provide Pyongyang. Facilitators may become harder to recruit, but they do not become obsolete and are often repurposed into new operational roles. Additionally, there have been reports of growing use of AI-enabled tooling, which could reduce reliance on intermediaries and lower the risk of human exposure.

Understandably, scrutinising a construction crew at a border is simpler than identifying a developer logging in from behind a VPN. However, the risks remain pertinent. Without stronger safeguards, North Korea will continue to exploit its workforce and manipulate the international hiring system.

For governments, the lesson is clear. Countering North Korea’s IT workforce requires more than dismantling individual accounts or infrastructure. It demands a deep understanding of the regime’s labour-export tactics and coordinated, long-term planning. Many of these lessons can be drawn from earlier overseas deployments, which were never just labour export schemes but tightly managed intelligence and revenue operations involving facilitators, obfuscation, and systemic exploitation. 

Addressing this threat effectively requires tightening oversight of recruitment and freelance platforms, improving financial monitoring, strengthening international coordination, and addressing the human dimension. The latter can be done by creating reporting mechanisms, hotlines, and, where possible, offering protections to migrant workers coerced into these schemes. Only by treating North Korean IT workers as part of this broader state-run apparatus can policymakers begin to disrupt Pyongyang’s revenues and reduce the exploitation at its core.