Thousands of North Koreans have secretly infiltrated US and European companies as remote IT workers

North Korea's secret remote workers are a major threat facing U.S. and European businesses today, taking jobs in Fortune 100 and smaller companies alike. Here's how to recognize and combat the threat.
a photo of North Korean propaganda, featuring a man holding a book, gesturing to the North Korean flag, which reads in Korean: "Let's march forward towards a new victory!"
A photo showing propaganda in North Korea. (Image: Mark Fahey, CC BY 2.0 via Wikimedia)

It's not often that I get to say "I scared the shit out of someone at a cocktail party," because I don't go to many cocktail parties. But recently a business executive who worked in the nebulous world of finance asked me what I do for a living, and the conversation naturally drifted into the direction of what concerns me most in the world of cybersecurity today.

"If I had to choose," I said, while trying desperately to keep the conversation light, "...it's got to be the literally tens of thousands of North Koreans who have over the years tricked unsuspecting Western companies, including in the United States and increasingly Europe, into hiring them as remote workers using dossiers of forged resumes and fake passports. This is so they can get a job and — get this, I kid you not — actually do the job so that they can earn wages for the regime, all the while they're quietly stealing corporate data so they can extort the company later for even more money."

"Which isn't even half the problem," I continued, taking a sip of my drink as the horror built up in the executive's eyes.

"North Korea is sanctioned up to its teeth; it's eyewateringly illegal to transact with any North Korean, so that if — or rather, when — you get caught with a North Korean on your books, either because you've lost a gob full of money or need to call the FBI for help, it's ultimately on you."

The guy's face drained to the color of my martini, and clearly this is why I'm not invited to cocktail hour.

The slightly longer version is that North Korea is one of, if not the most significant and persistent digital threats in the world today. Likened more to a "state-sanctioned crime syndicate" than to any semblance of a functioning government, North Korea has one primary goal: to fuel its internationally sanctioned nuclear weapons and ballistic missile programs at all costs. It will hack into anyone to achieve that, including stealing as much money and crypto as possible.

Not to put too fine a point on this, but North Korea is like nowhere else in the world. It's a country in almost complete isolation and subject to a near-total information vacuum. The North Korean people face regular and unfathomable human rights abuses, and the country is almost entirely and permanently hungry. But the country's unending propaganda blames the outside world, and anyone who questions the official line can face summary execution for defying it. The North Korean regime has an almost unlimited desire to make nukes and missiles and destroy its enemies, and will do anything, absolutely anything, it can to get there. The North Korean regime is not — I repeat not — messing about.

What might be helpful is to stop thinking of North Korean hackers as this:

a photo of a North Korean soldier, in full uniform, sat at a computer looking nervous as hell, as Kim Jong Un sits next to him in a black coat, looking at the computer screen.
A North Korean soldier uses a computer in front of Kim Jong Un. (Image: ABC/file photo)

Because actually, they're more like this:

a team of North Koreans looking over books and textbooks working at a table, surrounded by computers, in a lab/apartment where the North Korean IT workers' scheme is being run from; the photo is monochrome and grainy.
A still from a DOJ handout showing North Korean IT workers' scheme. (Handout: DOJ)

All to say, this is not some poxy threat, and the numbers show it's clearly working. North Korea has been linked to some of the biggest crypto thefts in history, including $1.5 billion stolen from crypto exchange Bybit. This single breach contributed to the country raking in over $2 billion in stolen funds this year alone without having to rely on the global financial system that it's shut out from using.

But one of the more pervasive threats that continues to rake in hundreds of millions of dollars every year is what I described earlier, known as the "North Korean remote IT workers." Much like it sounds, the scheme involves the regime enlisting thousands of its citizens into forced labor, getting them hired at overseas companies and having them perform work to make money for their government masters.

There are vast numbers of these workers across North Korea, and neighboring countries like China and Russia, where some workers are sent; numbers that you can barely get your head around. These are hackers who work in teams and around the clock at all hours, whose very existence is solely dedicated to hacking into your company, and then the next.

Security researchers say North Koreans are embedded in at least hundreds of companies around the world, from small businesses to multinational conglomerates, and this number is rising rapidly. Countless organizations have unwittingly hired remote employees without realizing that they're granting the keys to their kingdom to a foreign hacker who is willing to steal everything they have.

There will be many who think, "this can't happen to us because we're too small or insignificant," or "my company's data isn't valuable," said literally no executive ever. You might not have any crypto or any financial assets that you'd think would be attractive to a hacker, but you might have a customer who does, or even a customer of a customer with bank accounts or money flows. North Korea has the time, resources, and endless patience to get what they want. Do not underestimate them.

In this article, we will look at the North Korean threat from the remote IT workers, why it's something every business owner, founder, and executive should be aware of, and some practical things you can do to identify suspected North Korean workers before it's too late. More after the fold…