4 Sources
[1]
North Korean spies posing as remote workers have infiltrated hundreds of companies, says CrowdStrike | TechCrunch
Researchers at security giant CrowdStrike say they have seen hundreds of cases where North Koreans posing as remote IT workers have infiltrated companies to generate money for the regime, marking a sharp increase over previous years. Per CrowdStrike's latest threat hunting report, the company has identified over 320 incidents over the past 12 months, up by 220% from the year earlier, in which North Koreans gained fraudulent employment at Western companies working remotely as developers. The scheme relies on North Koreans using false identities, resumes, and work histories to gain employment and earn money for the regime, as well as allowing access for the workers to steal data from the companies they work for and later extort them. The aim is to generate funds for North Korea's sanctioned nuclear weapons program, which has so far made billions of dollars for the regime to date. It's not known exactly how many North Korean IT workers are currently working for unknowing U.S. companies, but some have estimated the number to be in the thousands. According to CrowdStrike, the North Korean IT workers, which the company calls "Famous Chollima" using its naming scheme of hacking groups, rely on generative AI and other AI-powered tools to draft resumes and modify or "deepfake" their appearance during remote interviews. While the scheme is not new, North Koreans are increasingly succeeding at getting jobs, despite sanctions laws preventing U.S. companies from hiring North Korean workers. CrowdStrike said in its report that one of the ways to prevent hiring sanctioned workers is by implementing better identity verification processes during the hiring phase. TechCrunch has anecdotally heard of some crypto-focused companies asking prospective employees to say critical things about North Korea's leader, Kim Jong Un, in an effort to weed out potential spies. 
The would-be North Korean employees are often highly monitored and surveilled, making any such request impossible and likely outing the fraudulent worker. Over the past year, the U.S. Department of Justice has sought to disrupt these operations by going after the U.S.-based facilitators who help run and operate the scheme for their North Korean bosses. These operations have included targeting the individuals who run "laptop farm" operations, which include racks of open laptops used by the North Koreans to remotely do their work as if they were physically located in the United States. Prosecutors said in a June indictment that one North Korean operation stole the identities of 80 individuals in the U.S. between 2021 and 2024 to get remote work at more than 100 U.S. companies.
[2]
Is Your Coworker a North Korean? Remote Scammers Infiltrate 300+ Companies
North Koreans are increasingly infiltrating US companies through remote work, with incidents rising more than 220% in the last year, according to cybersecurity vendor CrowdStrike. CrowdStrike's annual threat hunting report says North Korean IT workers infiltrated "over 320 companies in the last 12 months." It warns that North Koreans are using generative AI to help dupe companies into hiring them and "sustain" the rapid pace of successful infiltration. The report echoes earlier findings from CrowdStrike and the FBI. In April, a CrowdStrike executive said the company was uncovering North Korean IT worker schemes almost daily. In June, US investigators also warned about North Koreans obtaining remote IT jobs at over 100 US companies, sometimes with the help of people living in the US. This includes one Arizona woman who's been jailed for helping the North Koreans access and remotely use the corporate-issued laptops from within the US. CrowdStrike adds that generative AI tools have made it easy for North Koreans to fake profile images and write authentic-looking resumes and cover letters to apply for remote IT jobs. The same AI tools can also be used during video calls to deepfake the North Korean's identity, changing their face in real-time. "Using a real-time deepfake plausibly allows a single operator to interview for the same position multiple times using different synthetic personas, enhancing the odds that the operator will get hired," CrowdStrike wrote in the report. Those generative AI programs also excel at English-language translation and computer coding. It's why CrowdStrike has detected the North Koreans tapping large language models to help them pass coding tests and during daily correspondence with employers. Hiring North Korean workers can expose companies to serious risks. In past cases, they've stolen sensitive data in attempts to extort their employers for more money. 
Affected companies are also effectively helping the North Korean government by distributing funds to the regime, which is currently facing strict sanctions. In response, CrowdStrike has been urging companies to scrutinize their remote hires closely. This includes implementing "real-time deepfake challenges" during video call interviews. For example, a deepfake can collapse if a hand passes over the video caller's face.
[3]
CrowdStrike report details scale of North Korea's use of AI in remote work schemes -- 320 known cases in the last year, funding nation's weapons programs
The Democratic People's Republic of Korea is using generative AI tools to land agents jobs at tech companies to fund its weapons programs. CrowdStrike's latest Threat Report includes new information about China's increased targeting of North American telecommunications companies, Russia's continued efforts to support its invasion of Ukraine with cyberespionage, and other trends the security firm witnessed from July 2024 to June 2025. (Presumably excluding the period during which a faulty update to its software brought down global infrastructure.) But of particular interest is the sheer scale of North Korea's AI-supported tech worker schemes. The company said that in the last 12 months, it has "investigated over 320 incidents where [North Korean] operatives obtained fraudulent employment as remote software developers" and that the hackers have "been able to sustain this pace by interweaving GenAI-powered tools that automate and optimize workflows at every stage of the hiring and employment process." Resumes? Fake. Social accounts? Fake. The person shown during a video call, the headshots, the messages they send? Fake, fake, fake. "Once hired, [these] workers use GenAI code assistants [and] translation tools to assist with daily tasks and correspondence related to their legitimate job functions," CrowdStrike said. "Though an average employee may use GenAI in a similar manner, these tools -- especially those enabling English-language communication -- are especially crucial [to this group]. These operatives are not fluent in English, likely work three or four jobs simultaneously, and require GenAI to complete their work and manage and respond to multiple streams of communication." We knew this had been happening -- the Justice Department announced in July that it had made a flurry of arrests, sanctions, and investigations related to North Korea's fake tech workers.
I noted at the time that U.S. officials started issuing warnings about these schemes in 2022 and that Google reported a similar uptick in activity related to these efforts in March, so CrowdStrike isn't pulling back the mask for the first time, as it were. But this new Threat Report drives home just how big the problem is. It's kind of like watching an episode of "Scooby Doo" where the gang first reveals that some normal-seeming dude is a criminal. But so is that dude, and this other dude at that other company, and... wait, actually those are the same person using a combination of laptop farms and chatbots to seem like different people, and whoops it turns out Velma's an imposter too, and that's why that HBO show was so bad. Oh, and unlike a cartoon villain, North Korea will continue to get away with this. CrowdStrike's recommendations for identifying these imposter hackers include, among other things, the adoption of "enhanced identity verification processes during the hiring phase that include rigorous background investigations and corroboration of online professional profiles" and the implementation of "real-time deepfake challenges during interview or employment assessment sessions." But those approaches incur additional costs -- and North Korea will find ways to circumvent them.
[4]
North Korean IT worker infiltrations exploded 220% over the past 12 months, with GenAI weaponized at every stage of the hiring process
Terrifying new fronts have emerged in a highly successful employment-fraud scheme in which trained North Korean operatives get jobs at companies around the globe under fake or stolen identities. The number of companies that hired North Korean software developers grew a staggering 220% during the past 12 months -- and most of their success is due to automating and optimizing the workflow involved in fraudulently obtaining and holding tech jobs, CrowdStrike's 2025 Threat Hunting report released on Monday revealed. The IT workers infiltrated more than 320 companies in the past 12 months. To level set: The North Korean IT worker scheme is a vast conspiracy to evade punishing financial sanctions on the Democratic People's Republic of Korea due to authoritarian ruler Kim Jong Un's human-rights abuses and relentless quest to develop weapons of mass destruction. To dodge the sanctions and make money to keep funding its nuclear program, North Korea now trains young men and boys in tech, sends them to elite schools in and around Pyongyang, and then deploys them in teams of four or five to locations around the world including China, Russia, Nigeria, Cambodia, and the United Arab Emirates. The workers are each required to earn $10,000 a month, according to a defector, and have managed to do so by getting remote jobs doing IT work at U.S. and European companies while earning good salaries, court records show. Since 2018, the UN estimates, the scheme has generated between $250 million to $600 million per year on the backs of thousands of North Korean men. For the Fortune 500, the IT worker scheme has been a flashing red alert about the evolution of employment-fraud schemes. Court records show hundreds of Fortune 500 companies have unknowingly hired thousands of North Korean IT workers, in violation of sanctions, in recent years. In some cases, the IT worker scheme is purely about generating stable revenues for the regime. 
In others, FBI investigators have found evidence IT workers share information with more malicious hackers that have stolen nearly $3 billion in crypto, according to the UN. CrowdStrike's investigations revealed North Korea's tech workers, an adversary CrowdStrike dubs "Famous Chollima," used AI to scale every aspect of the operation. The North Koreans have used generative AI to help them forge thousands of synthetic identities, alter photos, and build tech tools to research jobs and track and manage their applications. In interviews, North Koreans used AI to mask their appearance in video calls, guide them in answering questions, and pass technical coding challenges associated with getting software jobs. Critically, they now rely on AI to help them appear more fluent in English and well-versed in the companies where they're interviewing. Once they get hired, the IT workers use AI chatbots to help with their daily work -- responding in Slack, drafting emails -- to make sure their written offerings appear technically and grammatically sound and to help them hold down multiple jobs simultaneously, CrowdStrike found. "Famous Chollima operatives very likely use real-time deepfake technology to mask their true identities in video interviews," the report states. "Using a real-time deepfake plausibly allows a single operator to interview for the same position multiple times using different synthetic personas, enhancing the odds that the operator will get hired." CrowdStrike investigators have observed North Korean IT workers searching for AI face-swapping applications and paying premium prices for subscriptions to deepfake services during active operations. Adam Meyers, senior vice president of CrowdStrike's counter adversary operations, told Fortune his team generally investigates one incident a day related to the North Korean IT worker scheme.
The program has broadened beyond U.S. borders as U.S. law enforcement has cracked down on domestic operations with indictments and advisories, and as more U.S. companies have tightened their security practices and girded their defenses. Last month, a 50-year-old Arizona woman, Christina Chapman, was sentenced to 8.5 years in prison in July after pleading guilty for her role in operating a "laptop farm" from her home. Prosecutors said she accepted and maintained 90 laptops and installed remote-access software so North Koreans could work for U.S. companies, prosecutors said. Authorities revealed Chapman's operation alone helped the workers get 309 jobs that generated $17.1 million in revenue through their salaries. Nearly 70 Americans had their identities stolen in the operation, authorities said. These weren't just attacking smaller companies with looser hiring infrastructure; Nike was one of the companies impacted, according to its victim impact statement in Chapman's case. The sneaker and activewear giant unwittingly hired a North Korean operative affiliated with Chapman. Nike did not respond to Fortune's requests for comment. "U.S. law enforcement has put a big dent in their ability to operate the laptop farms, so as it gets increasingly expensive or difficult to get remote jobs here in the U.S., they're pivoting to other locations," said Meyers. "They're getting more traction in Europe." Meyers said CrowdStrike has seen new laptop farms established in Western Europe across to Romania and Poland, which means the North Korean workers are getting jobs -- typically as fullstack developers -- in those countries and then having laptops shipped to farms there. The scheme is the same as it works in the U.S.: A supposedly Romanian or Polish developer will interview with a company, get hired, and a laptop will get shipped to a known laptop-farm destination in those countries, he said. 
In other words, instead of shipping devices and onboarding materials to an actual resident where the supposed developer works, the laptop gets shipped to a known farm address based in Poland or Romania. Typically, the excuse is the same type that has proven effective at U.S. companies, said Meyers. The developer will claim to be having a medical or family emergency necessitating a change in the shipping address. "Companies need to stay vigilant if they're hiring overseas," said Meyers. "They need to understand these risks exist not just domestically, but overseas as well." Amir Landau, malware research team leader at defense firm CyberArk, told Fortune traditional cyber defenses are likely to eventually become insufficient against the threat as genAI used by the North Koreans becomes advanced enough to break through companies' defense wards. Therefore, what companies need to do to defend themselves requires a fundamental shift in thinking in terms of how much trust and access companies grant their own employees. The military and intelligence principle of a "need-to-know basis," which originated during World War II, will become more important, said Landau. Not every developer needs to know or have access to certain assets or documents, even after they've been with a company for a certain amount of time, he explained. Landau also advocates for minimum and limited-time privileges for developers, giving them a short window of time for work, rather than unlimited access that could eventually make a company vulnerable. Landau also said companies should take some additional common-sense measures in the hiring process. If a job applicant gives a reference, don't call the phone number or message the email address you've been given. Look them up and get in touch with what you see from public databases, he advised. If someone's personal information sounds bizarre or inconsistent, pay attention. Use the internet to double check what you can find against what you've been told. 
"There are a lot of small things you can do to defend against these threats," he said. And ultimately, while small companies are typically more vulnerable, that doesn't mean larger companies aren't also susceptible to fraud schemes, Landau said. Meyers said as long as the IT workers can find work, they'll keep evolving their tactics through the use of genAI. "These are basically exploited people from North Korea making money for the regime," said Meyers. "As long as they can continue to generate revenue, they're going to keep doing this."
CrowdStrike reports a 220% increase in North Korean IT worker infiltrations, with over 320 incidents in the past year. These operatives use AI tools to create fake identities, pass interviews, and maintain employment, funding North Korea's weapons programs.
CrowdStrike's latest threat hunting report reveals a dramatic 220% increase in North Korean IT worker infiltrations over the past 12 months. The cybersecurity firm has identified over 320 incidents where North Korean operatives obtained fraudulent employment as remote software developers in Western companies [1].
The North Korean operatives, dubbed "Famous Chollima" by CrowdStrike, are leveraging generative AI and other AI-powered tools to enhance their infiltration efforts [1]. These tools are used to:
The use of real-time deepfake technology allows a single operator to interview for the same position multiple times using different synthetic personas, increasing their chances of getting hired [2].
While the exact number of North Korean IT workers currently employed by unknowing U.S. companies is uncertain, estimates suggest it could be in the thousands [1]. The scheme has expanded beyond U.S. borders, with new "laptop farms" established in Western Europe, including Romania and Poland [4].
The primary goal of this operation is to generate funds for North Korea's sanctioned nuclear weapons program, which has reportedly made billions of dollars for the regime to date [1]. The UN estimates that since 2018, the scheme has generated between $250 million to $600 million per year [4].
The U.S. Department of Justice has been actively working to disrupt these operations by targeting U.S.-based facilitators who help run the scheme [1]. In a recent case, a 50-year-old Arizona woman was sentenced to 8.5 years in prison for her role in operating a "laptop farm" that helped North Korean workers obtain 309 jobs and generate $17.9 million in revenue [4].
To combat this threat, CrowdStrike recommends that companies implement:
However, as North Korea continues to refine its tactics, the challenge of identifying and preventing these infiltrations remains significant for companies worldwide.