Video originally published on November 29, 2025.
The pandemic-driven shift to remote work opened a silent backdoor for a regime long isolated by sanctions. North Korean operatives, armed with falsified identities and sophisticated tradecraft, have embedded themselves as software engineers, data scientists and support staff inside hundreds of American firms. Their presence grants Pyongyang direct access to cutting-edge AI models, financial systems and classified defense technology, while simultaneously funneling hundreds of millions of dollars into a sanctioned economy. Unlike traditional espionage that requires years of recruitment and cultivation, this operation exploits the structural vulnerabilities of remote hiring at industrial scale.
Key Takeaways
- North Korea transformed from crude revenue schemes to sophisticated IT infiltration by investing heavily in computer-science education starting in the early 2010s, producing an estimated 30,000 IT graduates annually from specialized universities.
- The COVID-19 pandemic eliminated traditional hiring safeguards—physical interviews, on-site checks, local verification—allowing the operation to explode between 2020 and 2021 at industrial scale.
- Laptop farms in the U.S. and facilitator networks using stolen American identities enable operatives to bypass geographic security checks by routing connections through legitimate domestic ISPs.
- Generative AI tools like ChatGPT and Claude, combined with deepfake video technology, have elevated the sophistication of fake identities to the point where even cybersecurity firms like KnowBe4 have been successfully infiltrated.
- The operation targets high-value sectors systematically: AI startups developing military applications, defense contractors with classified access, blockchain firms, and government agencies, generating an estimated half-billion dollars annually while stealing sensitive technology.
- Unlike traditional Cold War espionage requiring years of agent cultivation, this operation exploits structural vulnerabilities in remote hiring to achieve scalable penetration with minimal risk, creating potential digital sleeper cells across hundreds of companies.
The Strategic Pivot: From Counterfeiting to Code
For decades, North Korea relied on crude revenue schemes—counterfeiting foreign currencies, trafficking drugs, and running illicit arms deals—to survive under expanding international sanctions. The 2016 Bangladesh Bank heist, in which hackers stole $81 million, appeared at first to be an opportunistic one-off. In reality, it signaled a strategic pivot that had been underway since the early 2010s. Pyongyang recognized that as the world entered the digital age, technical expertise could be weaponized more effectively than conventional espionage tradecraft.
The regime launched a massive investment in computer-science education, establishing specialized programs at Kim Chaek University of Technology, Kim Il Sung University, and Pyongyang University of Science and Technology. Elite secondary schools across the capital funneled computer-savvy students directly into these institutions, which by some estimates were producing 30,000 IT graduates annually. This was a dual-track strategy: one cohort trained for offensive cyber warfare—exemplified by the 2014 Sony Pictures hack that halted the theatrical release of "The Interview"—while another cohort prepared for long-term infiltration as legitimate remote developers.
By mid-2018, the operation had matured enough to attract Western attention. The U.S. Treasury sanctioned Yanbian Silverstar in China and Volasys Silver Star in Russia for operating as fronts that deployed North Korean IT workers under false identities. UN monitors estimated at least one thousand workers had been dispatched overseas by 2019, though that figure almost certainly understated the true scale. The regime had built the infrastructure and trained the workforce; all it needed was an opening. COVID-19 provided exactly that.
Pandemic Opportunity: The Collapse of Traditional Safeguards
When COVID-19 forced companies to adopt remote work overnight in early 2020, North Korea's IT workforce seized an opportunity of historic proportions. The pandemic eliminated the traditional safeguards that had constrained the operation: physical interviews, on-site background checks, and local verification all evaporated as business necessities overrode security protocols. Companies scrambled to fill talent shortages, often accepting "good enough" candidates willing to work for lower wages. The period between 2020 and 2021 represents a silent explosion of infiltration that is only now fully coming to light.
Initial operations were almost embarrassingly simple. Operatives created LinkedIn profiles claiming to be developers from South Korea, China, Europe, or the United States, applied to dozens of remote positions, and accepted whatever they could secure. Blockchain developer Eric Chen's experience at Injective was typical: he hired a developer in mid-2020 with decent credentials who interviewed adequately and seemed eager to start. Performance issues—bugs in the code, missed deadlines—eventually led to termination after a few months. Chen never suspected he had employed a North Korean operative until police contacted him three years later. Multiply that story by hundreds, possibly thousands, across the tech industry.
The operation professionalized rapidly throughout 2021. Resumes became polished, code quality improved, and cover stories grew more credible. As vaccines rolled out and lockdowns lifted, the regime faced a potential threat: companies discussing return-to-office mandates. But the worker shortage persisted, and once remote work had been normalized, outsourcing to workers believed to be in Japan or South Korea became routine.
The May 2022 joint advisory from the State Department, Treasury, and FBI confirmed the operation had reached industrial scale: thousands of highly skilled DPRK IT workers were posing as non-North Korean nationals to win remote contracts. The advisory detailed the mechanics—VPNs, stolen identity documents, proxy accounts—and warned that individual workers could earn over $300,000 annually, though they typically kept only five to ten percent. Federal officials provided a checklist of red flags: multiple logins from disparate countries, heavy use of Chinese payment services and cryptocurrency, biographical inconsistencies, and refusal of live video calls. But the warning came too late for many companies, and Pyongyang was too deeply invested to withdraw. Instead, the regime adapted, treating the advisory as a training manual on what to avoid. Operational security improved substantially: suspicious login patterns disappeared, and the focus shifted from quantity to quality—higher-value positions at strategically significant firms.
Infrastructure Evolution: Laptop Farms and AI-Enhanced Deception
The post-2022 phase introduced sophisticated infrastructure designed to defeat enhanced security measures. "Laptop farms" emerged as a critical enabler. Matthew Knoot's Tennessee operation exemplified the model: company laptops arrived at his address, he unboxed them, connected them to his home network, installed remote-access software, and suddenly each device became a perfect shell—connected through a legitimate American ISP, bypassing every geographic security check. Before his August 2024 arrest, investigators determined that Knoot had placed at least a dozen DPRK operatives in U.S. and UK companies, facilitating the transfer of hundreds of thousands of dollars.
Christina Chapman's Arizona operation represented an even more ambitious scale. Working with Ukrainian facilitator Oleksandr Didenko, she created over 300 fake freelancer accounts based on stolen American identities, each capable of passing E-Verify and standard background checks. By her May 2024 arrest, these accounts had placed North Korean operatives at more than 300 U.S. companies, including a major television news network, an aerospace and defense contractor, and numerous Fortune 500 firms. The unsealed DOJ case revealed that operatives had gained access to classified military technology, though specific company names were withheld.
The rise of generative AI platforms transformed the operation completely. North Korean operatives began using ChatGPT to generate tailored cover letters and resumes with fewer grammatical errors, and relied on AI to perform tasks they might otherwise have struggled with. The hacking group Kimsuky, linked to Pyongyang, was caught using ChatGPT to generate fake South Korean military IDs for phishing emails. Anthropic reported that North Koreans had used Claude to create convincing resumes and portfolios, pass coding tests, and complete actual technical assignments at real companies.
Deepfake technology enabled real-time facial manipulation during video interviews, allowing operatives to appear as the stolen identity they were impersonating. The KnowBe4 incident in mid-2024 demonstrated how sophisticated the deception had become. The cybersecurity firm—whose entire business model involves teaching others to avoid getting hacked—hired a North Korean operative for its internal AI team. The candidate passed four video interviews, cleared background checks, and provided references. The operative's photo was AI-enhanced from stock photography, and the references checked out because the stolen identity was otherwise valid. Only when the operative attempted to install malware on July 15, 2024, at 9:55 PM EST—moments after receiving his company-provided Mac workstation—did KnowBe4's endpoint-detection-and-response software trigger alerts. The Security Operations Center quarantined the device by 10:20 PM, less than thirty minutes after the suspicious activity began. The CEO's decision to go public proved prescient: after he declared that "if it can happen to us, it can happen to almost anyone," dozens of other companies came forward with similar infiltrations. The far more dangerous operatives were those who showed up, performed their jobs competently, collected paychecks, and quietly maintained access for months or years without drawing any attention whatsoever.
High-Value Targets: Defense, AI, and Financial Infrastructure
The infiltrated positions are not limited to low-skill support roles. The operation has systematically targeted sectors where technical expertise translates directly into strategic advantage: artificial-intelligence startups developing military applications, blockchain and fintech firms handling high-value transactions, media outlets with data-analytics teams, and defense contractors with access to classified weapons technology. Financial institutions and blockchain developers have been especially attractive because they often pay six-figure salaries and handle transactions that can be exploited. If five thousand DPRK workers each earn a six-figure salary, the regime pockets roughly half a billion dollars annually—a conservative estimate given that many positions pay considerably more.
AI companies represent a priority target because their research feeds autonomous targeting systems, predictive maintenance tools for military hardware, and intelligence-analysis platforms. Okta documented a marked increase in North Korean attempts at AI firms precisely when those firms began developing military applications. The timing is not coincidental: as Washington and Beijing face off in an AI arms race, Pyongyang has positioned itself to exploit a niche where it has become uncharacteristically well-equipped.
Defense sector breaches carry the most immediate national-security implications. Between January and April 2024, a North Korean operative at a California defense contractor exfiltrated technical data marked as highly sensitive and subject to strict export controls. Those files on military technology went directly to North Korea's intelligence agencies, providing both insight into adversary capabilities and free resources for indigenous weapons development. Okta identified a "small but persistent" stream of North Korean operatives applying for positions at U.S. state and federal agencies throughout 2023 and 2025.
These attempts targeted not just federal agencies but also Middle Eastern and Australian government entities, with extensive focus on government contractors and service providers who often have less intense vetting procedures than direct government posts but come with nearly equal access. The Justice Department revealed in 2025 that over 100 U.S. companies were compromised just in the cases that resulted in prosecution—not the full universe of known infiltrations, but only those where charges were brought. The actual footprint is almost certainly far larger.
Geopolitical Implications: Sanctions Evasion and the Russia Connection
The financial proceeds from IT-worker infiltration bypass international sanctions, providing Pyongyang with hard currency to fund military modernization and support for Russia's war in Ukraine. Treasury official Bradley Smith explicitly noted that funds from IT workers help "enable [North Korea's] support of Russia's war in Ukraine," likely referring both to cash used to produce weapons for Russia and to IT workers directly supporting Russian technical projects. As of October 2025, North Korea had deployed approximately 15,000 troops to fight alongside Russia in Kursk, with between 600 and 4,700 killed in combat according to recent battlefield reports. The regime is also supplying Russia with massive quantities of artillery shells.
In return, Russia is transferring advanced military technology, primarily submarine and warship development assistance. This technical exchange became visible in April 2025, when North Korea launched a 5,000-ton destroyer—the largest and most heavily armed surface warship the regime has ever constructed. The vessel, based in part on Russian naval designs, features vertical launch systems designed to fire land-attack and anti-ship cruise missiles.
The implications extend beyond bilateral cooperation. For decades, Pyongyang has been dependent on generous aid from Beijing and Moscow to prop up its crippled economy, offering little in return beyond its role as a buffer state. Now the regime possesses a valuable commodity: classified information from defense contractors, AI firms, and financial institutions. What North Korea can offer its patrons has fundamentally changed. The Multilateral Sanctions Monitoring Team—established after Russia vetoed renewal of the UN Panel of Experts—documented in October 2025 that North Korean IT workers and hackers had stolen approximately $2.8 billion in cryptocurrency between January 2024 and September 2025.
Operations increasingly target firms in strategic sectors including artificial intelligence, defense, and blockchain infrastructure. This represents an evolution in state-sponsored espionage tradecraft. Traditional Cold War espionage required years to recruit and cultivate agents, with high risk of exposure and limited scalability. North Korea's IT-worker operation exploits structural vulnerabilities in remote hiring to achieve industrial-scale penetration at minimal risk. The operatives are not sleeper agents in the traditional sense; they are economic actors performing legitimate work while simultaneously serving as potential intelligence assets and sabotage vectors. The FBI has warned that the placement of DPRK operatives provides "significant disruption capability" should Pyongyang choose to activate it. Every embedded operative represents not just stolen wages or pilfered data, but a potential digital sleeper cell awaiting orders.
Detection Gaps and the Scale of Undetected Infiltration
The private sector's response remains dangerously fragmented. Okta identified 130 DPRK-linked identities—almost certainly a fraction of the true total—that conducted over 6,500 initial interviews across 5,000 companies. These actors initially focused on U.S. firms but have expanded, with 27 percent of targeted positions now outside the United States. CrowdStrike investigated 320 separate incidents in the last year alone, a 220 percent year-over-year increase that reflects both growing awareness and accelerating infiltration. Microsoft has suspended over 3,000 Outlook accounts believed to be tied to the operation and is rolling out enhanced detection capabilities in enterprise software.
Mid-market companies, staffing firms, and non-tech sectors such as healthcare and finance are particularly vulnerable because they lack the threat-intelligence feeds and dedicated security teams that larger enterprises can deploy. One report highlighted that "remote roles of any description are in scope for the scheme… So long as the application, interview process, and the work itself can be performed remotely," with healthcare organizations increasingly targeted due to high salaries and chronic staffing shortages.
Detection methods remain rudimentary and temporary. Deepfake technology used in video interviews can currently be exposed by asking the interviewee to wave a hand in front of their face, which disrupts the real-time facial manipulation long enough to reveal discrepancies. But the continual improvement of AI systems will almost certainly render such techniques obsolete, just as the pandemic rendered physical verification obsolete.
The international dimension compounds the coordination problem. Laptop farms have proliferated across Southeast Asian countries, where enforcement is lax and tech outsourcing is a hub of economic activity—an uncomfortable overlap.
We know about the hundreds of companies that caught infiltrators or were swept up in Justice Department cases, but no reliable count exists of how many operatives remain embedded and undetected. The operation's true scale remains unknown, and current trends suggest it will continue to expand rather than contract.
Countermeasures: Toward a Multilayered Defense
Mitigating the threat requires a fundamental rethinking of remote-hiring protocols, moving beyond checkbox compliance to adversarial threat modeling. Companies must implement AI-driven identity verification that cross-references government databases, biometric data, and device-origin analytics in real time. Background checks should be augmented with continuous monitoring rather than one-time validation: anomalous login locations, payment-method changes, and code-commit patterns can flag suspicious activity before significant damage occurs.
Enhanced interview protocols must assume that video can be manipulated. Mandatory live video with dynamic, unpredictable requests—waving a hand, turning the head at specific angles, holding up objects—can defeat current deepfake technology, though these measures will require constant updating as AI improves. Organizations should demand physical delivery of equipment to verified addresses and employ hardware attestation to ensure devices have not been pre-compromised by third-party farms.
Behavioral analytics offer another layer of defense. Operatives often exhibit subtle patterns: time-zone inconsistencies between stated location and active hours, communication styles that shift between written and spoken formats (indicating multiple handlers), and technical performance that varies unpredictably. Machine-learning models trained on these indicators can flag high-risk accounts for human review.
Collaboration with intelligence agencies is essential but currently insufficient. Threat-intelligence feeds from Okta, CrowdStrike, Microsoft, and government sources must be integrated into hiring workflows, not treated as post-incident forensics. Smaller firms that lack in-house expertise should leverage managed security services that specialize in insider-threat detection. Industry-wide information sharing—modeled on financial-sector practices for fraud detection—could create a distributed early-warning system.
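The continuous-monitoring checks described in this section, and the red flags listed in the 2022 advisory earlier on the page, lend themselves to a simple scoring pass over identity-provider and payroll records. The following is an added example and not code from the episode or from any vendor named here: it scores constructed login and payout records for three of the page's indicators (logins from disparate countries within a short window, activity outside the stated location's working hours, and a payout-destination change after onboarding). The record fields, thresholds, and sample profiles are assumptions for illustration; a fixed UTC offset stands in for a proper IANA time zone.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class LoginEvent:
    ts: datetime      # authentication time, timezone-aware UTC
    country: str      # country the source IP geolocates to


@dataclass
class WorkerProfile:
    worker_id: str
    utc_offset_hours: int       # offset of the home address given at hiring (assumed field)
    logins: list                # LoginEvent records pulled from the identity provider
    payout_methods: list = field(default_factory=list)  # payroll destinations, in order set


def disparate_country_logins(logins, window=timedelta(hours=12)):
    """Consecutive logins from two different countries closer together than `window`."""
    ordered = sorted(logins, key=lambda e: e.ts)
    return [(a, b) for a, b in zip(ordered, ordered[1:])
            if a.country != b.country and b.ts - a.ts <= window]


def off_hours_ratio(logins, utc_offset_hours, start_hour=6, end_hour=23):
    """Share of logins that fall outside a plausible waking window in the stated zone."""
    if not logins:
        return 0.0
    local = timezone(timedelta(hours=utc_offset_hours))
    off = sum(1 for e in logins
              if not start_hour <= e.ts.astimezone(local).hour < end_hour)
    return off / len(logins)


def score_worker(profile, off_hours_threshold=0.6):
    """Collect the red flags that apply to one worker; an empty list means nothing to review."""
    flags = []
    hops = disparate_country_logins(profile.logins)
    if hops:
        flags.append(f"{len(hops)} country change(s) between logins within 12h")
    ratio = off_hours_ratio(profile.logins, profile.utc_offset_hours)
    if ratio >= off_hours_threshold:
        flags.append(f"{ratio:.0%} of logins outside stated-location working hours")
    if len(set(profile.payout_methods)) > 1:
        flags.append("payout destination changed after onboarding: "
                     + " -> ".join(profile.payout_methods))
    return flags


def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data for the demonstration, not real telemetry.
SAMPLE_PROFILES = {
    "w-1001": WorkerProfile(
        worker_id="w-1001", utc_offset_hours=-5,   # claims a Chicago address (CDT in July)
        logins=[LoginEvent(_utc("2024-07-15 05:00"), "US"),   # 00:00 local
                LoginEvent(_utc("2024-07-15 07:00"), "CN"),   # 02:00 local, country hop
                LoginEvent(_utc("2024-07-15 09:00"), "US"),   # 04:00 local, country hop
                LoginEvent(_utc("2024-07-15 15:00"), "US")],  # 10:00 local
        payout_methods=["us-bank-ach", "crypto-exchange"]),
    "w-1002": WorkerProfile(
        worker_id="w-1002", utc_offset_hours=2,    # claims a Berlin address (CEST in July)
        logins=[LoginEvent(_utc("2024-07-15 07:00"), "DE"),
                LoginEvent(_utc("2024-07-15 12:00"), "DE"),
                LoginEvent(_utc("2024-07-15 16:00"), "DE")],
        payout_methods=["de-bank-sepa"]),
}


def review_sample():
    """Run the scoring over the constructed profiles; returns worker_id -> list of flags."""
    return {wid: score_worker(p) for wid, p in SAMPLE_PROFILES.items()}


if __name__ == "__main__":
    for wid, flags in review_sample().items():
        print(wid, "REVIEW" if flags else "ok", flags)
```

Flagged accounts go to a human reviewer, as the text recommends; none of these signals is proof on its own, and the thresholds need tuning against a company's own baseline of legitimate travel and shift patterns.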
A strategic reassessment of remote-work policies may be necessary for high-sensitivity roles. While a complete return to on-site work is impractical and would sacrifice competitive advantage in talent acquisition, a hybrid model that incorporates periodic in-person verification could restore a critical security layer. For roles involving classified information, access to sensitive intellectual property, or financial transaction authority, the risk calculus may justify stricter physical-presence requirements. The challenge is that stopping North Korea's operation would require something increasingly unlikely: a reversal of remote work and international cross-border collaboration. While many American companies have brought domestic workers back to the office, the general trend of outsourcing has not abated, and the AI industry shows little inclination to limit itself geographically. We are witnessing a collision between two incompatible systems: a global tech industry built on trust, open collaboration, and talent mobility, and a totalitarian regime that views every interaction as a potential intelligence operation. The resolution of that collision will define the security landscape for the next decade.
FAQ
How do North Korean operatives bypass video interview verification and background checks?
Operatives use AI-enhanced deepfake technology to manipulate their facial appearance in real time during video interviews, matching stolen identity photos. They combine this with stolen but otherwise valid identity documents that pass standard background checks, AI-generated cover letters from ChatGPT or Claude that eliminate grammatical errors, and laptop farms that route connections through legitimate U.S. ISPs to appear domestically located. Facilitators like Christina Chapman created over 300 fake accounts using stolen American identities capable of passing E-Verify, while operatives provide references that check out because the entire identity infrastructure is stolen but functional.
What specific red flags indicate a potential North Korean IT worker infiltration attempt?
Key indicators include multiple logins from geographically disparate countries within short timeframes, heavy reliance on Chinese payment services or cryptocurrency for payroll, biographical inconsistencies across professional profiles, refusal to appear on live video or to perform unpredictable physical actions during interviews, time-zone mismatches between stated location and active working hours, communication styles that shift noticeably between written and spoken formats suggesting multiple handlers, requests to have equipment shipped to addresses that don't match stated residence, and technical performance that varies unpredictably across tasks.
Why was the pandemic timing strategically significant beyond just creating remote-work opportunities?
The pandemic eliminated the structural barriers that had constrained North Korea's operation for years: physical interviews, on-site background checks, and local identity verification all vanished as business continuity overrode security protocols. Companies faced acute talent shortages and accepted "good enough" candidates willing to work for lower wages, precisely the profile North Korean operatives offered. The simultaneous normalization of international outsourcing meant hiring someone believed to be in Japan or South Korea became routine rather than exceptional. This created a perfect storm where detection mechanisms disappeared just as demand for remote technical talent exploded, allowing an operation that had been running at modest scale since 2018 to achieve industrial penetration within eighteen months.
How does North Korea's IT infiltration differ from traditional Cold War espionage operations?
Traditional espionage required years to recruit, cultivate, and position agents, involved high risk of exposure through human intelligence networks, and scaled poorly due to the intensive resources needed per operative. North Korea's IT operation exploits structural vulnerabilities in remote hiring to achieve industrial-scale penetration with minimal risk: operatives apply through normal channels, perform legitimate work to avoid suspicion, and can be deployed by the hundreds or thousands simultaneously. Rather than sleeper agents awaiting activation, these are economic actors generating immediate revenue while simultaneously serving as intelligence assets and potential sabotage vectors. The operation is self-funding—operatives' salaries cover costs and generate profit—whereas traditional espionage was a net expense.
What makes defense contractors and AI companies particularly vulnerable to this infiltration?
Defense contractors often rely on subcontractors and service providers with less intense vetting procedures than direct government posts but nearly equal access to classified systems, creating a soft underbelly for infiltration. AI companies are attractive because they face chronic talent shortages, pay six-figure salaries, move quickly to fill positions, and their research directly feeds military applications like autonomous targeting systems and predictive maintenance tools. Both sectors normalized remote work and international hiring during the pandemic and have been slow to implement adversarial threat modeling in hiring. The technical nature of the work means operatives with legitimate computer-science training can perform competently enough to avoid detection while exfiltrating sensitive data.
What is the connection between IT worker revenue and North Korea's support for Russia in Ukraine?
Treasury official Bradley Smith explicitly stated that funds from IT workers help enable North Korea's support of Russia's war in Ukraine, referring both to cash used to produce artillery shells and military equipment for Russia and potentially to IT workers directly supporting Russian technical projects. The regime has deployed approximately 15,000 troops to fight alongside Russia in Kursk as of October 2025, with between 600 and 4,700 killed in combat. In return, Russia is transferring advanced military technology, primarily submarine and warship development assistance, exemplified by North Korea's April 2025 launch of a 5,000-ton destroyer based partly on Russian naval designs. The IT infiltration operation generates an estimated half-billion dollars annually, providing the hard currency needed to fund this military cooperation while bypassing international sanctions.
Kyle M.
Kyle M. creates and presents analysis focused on military doctrine, strategic competition, and conflict dynamics.