A detailed cybersecurity investigation has uncovered how North Korea is running a highly organized network of fake IT professionals who quietly secure jobs at companies around the world. These workers, posing as legitimate remote employees, are not only generating substantial income for the regime but may also be gaining access to sensitive corporate systems and data.
The findings come from a joint study conducted by IBM X-Force and Flare Research. Their report, titled “Inside the North Korean Infiltrator Threat,” offers a closer look at how the operation is structured, how individuals are recruited and placed into jobs, and what organizations can do to protect themselves.
Although security experts have been aware of North Korean IT worker schemes for some time, the report suggests the scale, coordination, and professionalism behind these efforts are far greater than previously assumed.
A Global Network Generating Millions
The investigation points to a vast international operation involving tens of thousands of individuals working across multiple countries. These workers reportedly generate hundreds of millions of dollars each year, providing a steady stream of revenue for the North Korean state.
Some individuals within this network are believed to earn exceptionally high salaries by securing remote roles with foreign companies, particularly in the technology sector. These earnings, when aggregated, contribute significantly to the country’s broader financial strategies.
However, the issue extends beyond financial gain. By embedding themselves within legitimate businesses, these workers can potentially access confidential information, proprietary systems, and internal communications. This raises serious concerns not only for corporate security but also for national security, especially in industries dealing with sensitive technologies.
A Well-Structured Operational System
One of the most striking aspects of the report is the level of organization within the fake IT worker ecosystem. Rather than operating randomly, the network follows a structured model with clearly defined roles.
Recruiters are responsible for identifying potential candidates and conducting initial screenings. Their role closely mirrors that of legitimate hiring professionals, including reviewing qualifications and carrying out interviews. Once candidates pass this stage, their profiles are forwarded to facilitators.
Facilitators act as decision-makers, determining whether a candidate is suitable for placement. They oversee the broader operation, ensuring that individuals meet both technical requirements and operational expectations.
At the core of the system are the IT workers themselves. These individuals are typically skilled in areas such as full-stack development, .NET technologies, and content management systems like WordPress. Their technical competence is essential to maintaining credibility once they secure employment.
The network also relies on collaborators or intermediaries—often individuals based in Western countries—who provide identities or assist with logistical aspects of the operation. In some cases, these collaborators may knowingly participate, while in others, their identities may be misused without full awareness.
How Fake Candidates Are Created and Deployed
The recruitment process is carefully designed to avoid suspicion. Candidates are often told they are applying to work for early-stage or “stealth” startups that have little public presence. This lack of verifiable information helps reduce scrutiny during the hiring process.
A recurring tactic involves the use of placeholder company names such as “C Digital LLC,” which appear legitimate but offer minimal traceable details. Candidates are then trained on how to approach job applications and interviews, particularly when targeting companies in Western markets.
To increase their chances of success, individuals are provided with fabricated identities, often based in the United States. These identities may be entirely fictional or tied to real individuals whose personal information has been compromised or shared.
In addition, workers establish or gain access to accounts on major freelancing and professional networking platforms like Upwork, LinkedIn, and Freelancer. These platforms serve as key entry points for securing contracts and full-time roles.
Day-to-Day Work and Collaboration
Once hired, these fake IT workers often perform effectively, which helps them avoid detection. The report indicates that many roles are not handled by a single individual but by teams working collaboratively behind the scenes. This shared workload allows them to meet deadlines and maintain consistent output.
Researchers uncovered internal records, including timesheets, that tracked daily activities such as the number of job applications submitted and messages sent to potential clients. This level of organization reflects a professional approach to managing large-scale operations.
In some cases, workers are able to build trust within organizations and gain access to more sensitive systems over time. This increased access can open the door to potential data theft or further exploitation.
Language differences, which might otherwise pose a barrier, are addressed through heavy reliance on translation tools. Applications like Google Translate are widely used to interpret job descriptions, draft communications, and interact with colleagues.
Technology That Helps Them Stay Hidden
The report also highlights specific tools that help these workers maintain anonymity and coordinate their efforts. One such tool is a VPN service known as OConnect or NetKey, which is believed to enable secure connections to infrastructure within North Korea.
Another commonly used application is IP Messenger, an open-source messaging tool that allows direct communication without relying on centralized servers. This reduces dependence on mainstream platforms and makes monitoring more difficult.
By combining these tools, workers can mask their true locations, communicate securely, and access corporate systems without raising immediate suspicion.
