
Illustration by iStock; Security Management

Recruitment Red Flags: Spotting DPRK IT Remote Workers

The job market these days is competitive, but personal branding can push a profile to the top of the stack. Just ask North Korean threat actors, who have been using well-polished LinkedIn profiles to find their next well-paid position.

The FBI and private sector security partners briefed the cybersecurity community at the 2025 RSA Conference (RSAC) in San Francisco this week about the persistent problem of remote IT workers from the Democratic People’s Republic of Korea (DPRK) evading sanctions by generating revenue for the regime in the form of paychecks from private companies.

“It is a very sophisticated threat,” says Bryan Vorndran, assistant director of the FBI’s Cyber Division, in a session at RSAC. “The threat has evolved as industry and the government have evolved to counter it. And it’s very pervasive.”

The U.S. federal government began warning private companies about this tactic in 2022, explaining that North Korea dispatches thousands of skilled IT workers around the world to generate revenue to contribute towards the country’s weapons of mass destruction (WMD) and ballistic missile programs—violations of U.S. and UN sanctions.

Three years later, the North Korean regime continues to see success with the remote hiring scheme, which now leverages artificial intelligence (AI) tools to help threat actors create more convincing fake profiles that lead to real job leads.

The tactic grew during the COVID-19 pandemic, when remote work became more common and the North Korean regime realized individuals could get legitimate jobs, at scale, from private companies, says Adam Meyers, senior vice president of threat intelligence at cybersecurity firm CrowdStrike, who joined the session with Vorndran.

CrowdStrike’s annual threat briefing published earlier this year revealed that the regime is evolving and that the remote IT worker problem, tracked by the firm as threat actor FAMOUS CHOLLIMA, is becoming a widespread one.

“Notably, FAMOUS CHOLLIMA innovated their currency generation operations in 2024 by leveraging their IT worker schemes at scale across the globe,” CrowdStrike wrote. “During 2024, CrowdStrike Falcon Adversary OverWatch threat hunters responded to 304 FAMOUS CHOLLIMA incidents, with nearly 40 percent of these representing insider threat operations.”

How the Scheme Works

Threat actors are leveraging generative artificial intelligence (genAI) to create LinkedIn profiles that attract the attention of recruiters looking to fill open positions. The threat actors will then go through a virtual interview process, often using stolen identity documents to bolster the claim that they are a real person. They are then ultimately hired, typically for a remote IT position. From the company’s perspective, everything about the new recruit seems to check out.

Then, during onboarding, things typically take a turn. The new employee will suddenly have a family emergency that requires them to travel and request to have their new work equipment—such as a laptop—sent to a new destination that doesn’t match the information they provided to HR during the hiring process.

This new location is usually a laptop farm where someone is paid to keep the laptop on and connected to the Internet so the threat actor outside of the United States can access it remotely. Some of the individuals storing the laptops are doing so unwittingly, says FBI Special Agent Elizabeth Pelker, who is the Bureau’s specialist on this activity and was also at RSAC.

Most of these individuals are recruited online to just host the laptops, thinking they are doing some people based in China a favor, Pelker adds. The Bureau will see one to two laptops at a location or, on the extreme end, up to 90 at one residence.

And while it seems unbelievable, these threat actors have been extremely successful. Pelker says that the FBI has issued at least 200 victim notifications to companies about the tactic. Microsoft, meanwhile, is tracking thousands of personas and identities used by North Korean IT workers, says Greg Schloemer, senior threat intelligence analyst at Microsoft, who also joined the panel.

“Even amidst the evictions and mitigations that the private sector has done, we continue to see a high volume of activity,” Schloemer explains. “Any organization is a target.”

Once on the payroll, these threat actors might then provide another one of their contacts with access to the corporate network to install malware, which is mainly being used for cryptocurrency and platform credential theft, Schloemer adds. These actors can also use their access to potentially conduct other malicious activity, including stealing proprietary data or conducting data extortion after being fired from their positions.

“This threat is very adaptable; they have an exit strategy and a plan to have some monetary gain,” Pelker says.

For instance, the FBI’s Internet Crime Complaint Center (IC3) published an alert in January 2025 warning private companies of data extortion and sensitive data theft by North Korean IT workers. The advisory also cautioned about the threat of credential theft.

“North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities,” the advisory said.

The threat actors were predominantly targeting companies based in the United States. But Meyers says that law enforcement actions to disrupt laptop farms based in the country have resulted in the threat actors looking abroad.

These actors have been identified in the United Kingdom, Romania, and Poland, and in some cases they have been on the payroll of a private company for at least 14 months. Meyers said the scheme will continue to evolve with the threat actor “going to look for easy money they can quickly make, and do it in a deniable and not easily traceable manner.”

One concerning possibility, Schloemer says, is that the clusters of threat actors running the remote IT worker campaign could be linked to theft of intellectual property related to defense, nuclear, and aerospace capabilities.

“We need robust detection and response recommendations so we don’t end up in a future scenario where IT remote workers enable really critical national security theft,” Schloemer adds.

Flags to Look for

There are many benefits of having a remote workforce, including that you can recruit the best talent from across the globe to work for your company. But that approach also comes with some risks when you’re only interacting with candidates online—especially ones trained to beat the system.

Schloemer says there are two facets to detecting these threat actors: technical indicators and behavioral indicators.

Some of these technical indicators might include using a public VPN service, remote management tools, and other programs and tools that are not typically allowed on corporate laptops.

On the behavioral side, flags might include frequent excuses for not attending meetings, last-minute cancellations, and shifts in location.

“Some other behavioral indications that a remote employee may be a DPRK IT worker include noticeable variability in quality of work or knowledge,” Schloemer explains. “For example: high performance on interview, but low performance on the job. Or an individual writing quality code, but then displaying an inability to explain how the code works—this might be an indication that multiple distinct operators are working the role behind the scenes.

“Additionally, look for different-looking individuals present on-camera in an interview process, versus on the job,” Schloemer continues. “Organizations should also look for poor work quality—although, notably, some DPRK IT workers are quite skilled and may be very high performers.”

Schloemer cautions, however, that as the threat actors mature it is becoming more difficult to detect them.

“We have to be adaptable as defenders and responders to be prepared to detect and respond to these changes,” Schloemer adds.

This is why it’s critical to educate frontline managers about the tell-tale signs of this activity. These individuals should be most tuned into what their direct reports are doing, behavioral changes, and general work performance.

Monitoring an employee’s performance and having tough conversations with that individual are the biggest mitigation challenges CrowdStrike has identified, Meyers says.

“A lot of managers don’t want to have those difficult conversations about performance,” Meyers explains, adding that a direct report might not be doing a great job but isn’t doing a terrible one either—they’re skating by. “That’s something everyone should think about, and that’s a way to home in on these threats we’re seeing. We have to take that seriously as an industry and managers of people.”

Owning and Mitigating the Risk

While there are risks associated with the DPRK remote IT worker scheme that security teams will be involved in assessing and mitigating, there is the sense within the community that this should not be a risk that the security team owns.

James Robinson, CISO of Netskope, says in an interview with Security Management that the tactic came up in discussions with other CISOs this week at RSAC. The consensus from many was that this is a human resources problem that security needs to partner on but is not responsible for.

The Society of Human Resource Management (SHRM) is a major professional association for HR leaders with 340,000 members in 180 countries. A spokesperson for the association declined to comment on the DPRK remote worker scheme and guidance it has provided members about the tactic.

Regardless of who ultimately owns the risk, there are steps that security teams can take to help protect their business and identify these threat actors.

When Robinson first learned of the technique a few months ago, for instance, he says he requested a briefing on it from his local FBI Field Office for himself, the head of HR, and his company’s legal team—an action he called a “good process” and recommends other security leaders take. Netskope then began to put together an action plan to mitigate the risk of the threat.

The IC3 recommended conducting data monitoring, including practicing the principle of least privilege on networks and limiting privileges for installing remote desktop applications.

The agency also suggested monitoring and investigating unusual network traffic, including network logs and browser session activity, to identify data exfiltration through shared drives, cloud accounts, and private code repositories. Additionally, security teams could monitor endpoints for software that allows multiple audio or video calls to take place concurrently.
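The technical indicators above (public VPN clients and remote management tools on corporate laptops, from the Flags to Look for section, and the IC3’s points about exfiltration to code repositories and concurrent-call software) can be turned into a simple triage pass over endpoint telemetry. The following is an added example, not code from the article, the FBI, Microsoft, or CrowdStrike. The indicator sets, the snapshot and flow record formats, and the upload threshold are all assumptions for illustration; a real deployment would load them from policy and tune them to its own environment.

```python
"""Added example (not the article's or any vendor's code): triage of constructed
endpoint telemetry against the technical indicators discussed above.

Assumptions: the indicator sets below are illustrative, the snapshot and flow
formats are invented, and the upload threshold is a placeholder to tune."""
from collections import defaultdict

# Assumed indicator lists; a real deployment would load them from policy.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}
PUBLIC_VPN_CLIENTS = {"nordvpn", "expressvpn", "protonvpn", "surfshark"}
MEETING_CLIENTS = {"zoom", "teams", "webex"}
UPLOAD_BYTES_THRESHOLD = 200 * 1024 * 1024  # assumed: 200 MiB outbound per window

# Constructed process snapshots from an EDR: (host, timestamp, running processes)
PROCESS_SNAPSHOTS = [
    ("LT-1042", "2025-04-29T14:00:00Z", ["Code.exe", "Teams.exe", "chrome.exe"]),
    ("LT-1077", "2025-04-29T14:00:00Z", ["Zoom.exe", "Teams.exe", "AnyDesk.exe", "NordVPN.exe"]),
    ("LT-1077", "2025-04-29T15:00:00Z", ["Webex.exe", "Zoom.exe"]),
]

# Constructed outbound flow summaries to code-hosting domains: (host, dst, bytes_out)
FLOWS = [
    ("LT-1042", "github.com", 3_500_000),
    ("LT-1077", "gitlab.com", 650_000_000),
]


def _norm(process_name):
    """Lower-case and drop a trailing .exe so names match the indicator sets."""
    name = process_name.lower()
    return name[:-4] if name.endswith(".exe") else name


def triage(snapshots, flows):
    """Return {host: [finding, ...]} for hosts that match any indicator.

    Each snapshot is checked independently: remote-access tools and public VPN
    clients are flagged on sight, and two or more meeting clients running at the
    same instant are flagged because that matches the IC3's concurrent-call hint.
    """
    findings = defaultdict(list)
    for host, ts, procs in snapshots:
        names = {_norm(p) for p in procs}
        for tool in sorted(names & REMOTE_ACCESS_TOOLS):
            findings[host].append(f"{ts} remote-access tool running: {tool}")
        for vpn in sorted(names & PUBLIC_VPN_CLIENTS):
            findings[host].append(f"{ts} public VPN client running: {vpn}")
        meetings = sorted(names & MEETING_CLIENTS)
        if len(meetings) >= 2:
            findings[host].append(f"{ts} concurrent meeting clients: {', '.join(meetings)}")
    for host, dst, bytes_out in flows:
        if bytes_out >= UPLOAD_BYTES_THRESHOLD:
            findings[host].append(f"outbound {bytes_out} bytes to {dst} exceeds threshold")
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage(PROCESS_SNAPSHOTS, FLOWS).items():
        print(host)
        for item in items:
            print("  -", item)
```

None of these findings is proof on its own; a legitimate engineer may run two meeting clients or push a large repository. The value is in correlating them per host with the behavioral flags managers see, which is why the output is grouped by host rather than emitted as isolated alerts.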

The IC3 also provided recommendations to strengthen remote-hiring processes. One of the biggest recommendations is to complete as much of the hiring and onboarding process as possible in person. Schloemer says that this can be an effective strategy against this threat actor that is looking for low-hanging fruit with few friction points.

“However, as we discussed during the panel, this is an especially agile and adaptable actor,” Schloemer adds. “If an organization were to implement such an in-person requirement, the actor could certainly adapt its ecosystem of enablers so that someone could appear in person to collect a device or complete a stage of the background check.”

There are more steps organizations can take to mitigate the risk of this tactic, including implementing identity-verification processes during interviews, onboarding, and throughout employment for remote workers, and cross-checking HR systems for other applicants with the same résumé or contact information.

“North Korean IT workers have been observed using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities,” the IC3 said.

Additionally, organizations should consider reviewing applicants’ communication accounts since North Korean IT workers have reused phone numbers and email addresses on applications that are supposed to be for different people.
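The HR-side checks described above (cross-checking applicants for reused résumés and contact details, and the laptop-redirection step described under How the Scheme Works) lend themselves to a small batch job over applicant-tracking and onboarding exports. The following is an added example, not code from the article or the IC3. The record fields mimic a generic applicant-tracking export and are assumptions; phone numbers are treated as North American and compared on their last ten digits; and the address comparison is a plain normalized string match, not a real address parser.

```python
"""Added example (not the article's or the IC3's code): HR-side cross-checks over
constructed applicant and onboarding records.

Assumptions: the record fields mimic a generic applicant-tracking export; phone
numbers are treated as North American (last ten digits compared); and the
shipping-address comparison is a plain normalized string match."""
import re
from collections import defaultdict

# Constructed applicant records. Two applicants with different names share an
# email; two others share a phone number written in different formats; one
# applicant simply applied twice under the same name.
APPLICANTS = [
    {"id": "A-101", "name": "Chris Lee", "email": "Chris.Lee@example.com", "phone": "+1 (415) 555-0101"},
    {"id": "A-102", "name": "Daniel Park", "email": "chris.lee@example.com", "phone": "415-555-0101"},
    {"id": "A-103", "name": "Maria Gomez", "email": "mgomez@example.net", "phone": "+1 312 555 0199"},
    {"id": "A-104", "name": "Sam Ortiz", "email": "sam.ortiz@example.org", "phone": "312-555-0199"},
    {"id": "A-105", "name": "Maria Gomez", "email": "mgomez@example.net", "phone": "+1 312 555 0199"},
]

# Constructed onboarding records: address HR has on file vs. where the new hire
# asked for the laptop to be shipped.
SHIPMENTS = [
    {"id": "A-101", "hr_address": "12 Oak St, Austin, TX 78701", "ship_address": "12 Oak St., Austin TX 78701"},
    {"id": "A-103", "hr_address": "9 Lake Ave, Chicago, IL 60601", "ship_address": "4401 Desert Rd, Phoenix, AZ 85001"},
]


def norm_email(value):
    return value.strip().lower()


def norm_phone(value):
    digits = re.sub(r"\D", "", value)
    return digits[-10:]  # assumed NANP: ignore a leading country code


def norm_address(value):
    # Lower-case, drop punctuation, collapse whitespace; not a real address parser.
    return " ".join(re.sub(r"[^\w\s]", "", value.lower()).split())


def shared_contacts(applicants):
    """Return (field, normalized value, sorted ids) for each contact value used
    by more than one distinct applicant name. The same person applying twice
    under the same name is not flagged."""
    seen = defaultdict(lambda: {"names": set(), "ids": set()})
    for a in applicants:
        for field, norm in (("email", norm_email), ("phone", norm_phone)):
            key = (field, norm(a[field]))
            seen[key]["names"].add(a["name"].strip().lower())
            seen[key]["ids"].add(a["id"])
    return sorted(
        (field, value, sorted(info["ids"]))
        for (field, value), info in seen.items()
        if len(info["names"]) > 1
    )


def shipping_mismatches(shipments):
    """Return ids whose laptop destination differs from the HR address on file."""
    return [s["id"] for s in shipments
            if norm_address(s["hr_address"]) != norm_address(s["ship_address"])]


if __name__ == "__main__":
    for field, value, ids in shared_contacts(APPLICANTS):
        print(f"{field} {value} reused across applicants {', '.join(ids)}")
    for applicant_id in shipping_mismatches(SHIPMENTS):
        print(f"{applicant_id}: laptop destination does not match HR address")
```

The contact check deliberately keys on distinct names rather than distinct records, so a candidate who reapplies under the same name is not treated as suspicious, while the same phone number or mailbox attached to two different names is. A shipping mismatch alone is a prompt for a verification call, not a finding; the point is that HR, not security, has the data to run this check at onboarding time.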

During the interview process, interviewers should consider asking “soft” interview questions that lead to information about location and education background, since many North Korean IT workers have claimed to attend non-U.S. educational institutions.

The IC3 also suggested verifying third-party staffing firms your organization works with to ensure they are following these recommendations.

Third-party staffing firms are one of the largest vectors for these actors to gain access to your organization, Schloemer says.

“That hiring process is a black box. You don’t have a lot of visibility into how that person was vetted,” Schloemer explains. “It’s worth having a conversation with them about this threat and do as much as you can to gain visibility into that process.”

Robinson says that after his briefing about this threat with the FBI, this is one of the first steps that Netskope took to address the issue and is one he recommends that other organizations take, along with connecting your staffing firm with the FBI for a briefing.

This could be especially important for companies looking to fill roles outside of the United States, where the threat actors might turn next, Pelker says.

“If you have a workforce not in the United States, make sure your partner teams are tracking this during recruiting, hiring, and as managers,” Pelker adds. “And if you identify someone who checks those red flag boxes, reach out to us at IC3.gov. We also have teams of FBI agents across the world.”

How each organization conducts these reviews of their workforces and handles this threat might look different because of their unique policies and regulations, but if they identify a DPRK remote IT worker in their workforce the response should be the same, Schloemer says.

“Once an organization has reached a high degree of confidence that an individual among their workforce is linked to DPRK IT worker activity, the most important step is terminating the user’s access to all systems and data as quickly as possible to prevent further compromise or disruptive and destructive action—like data theft or extortion,” Schloemer explains.
