2 Sources
[1]
North Korean spies posing as remote workers have infiltrated hundreds of companies, says CrowdStrike | TechCrunch
Researchers at security giant CrowdStrike say they have seen hundreds of cases where North Koreans posing as remote IT workers have infiltrated companies to generate money for the regime, marking a sharp increase over previous years. Per CrowdStrike's latest threat hunting report, the company has identified over 320 incidents over the past 12 months, up by 220% from the year earlier, in which North Koreans gained fraudulent employment at Western companies working remotely as developers. The scheme relies on North Koreans using false identities, resumes, and work histories to gain employment and earn money for the regime, as well as allowing access for the workers to steal data from the companies they work for and later extort them. The aim is to generate funds for North Korea's sanctioned nuclear weapons program, which has so far made billions of dollars for the regime to date. It's not known exactly how many North Korean IT workers are currently working for unknowing U.S. companies, but some have estimated the number to be in the thousands. According to CrowdStrike, the North Korean IT workers, which the company calls "Famous Chollima" using its naming scheme of hacking groups, rely on generative AI and other AI-powered tools to draft resumes and modify or "deepfake" their appearance during remote interviews. While the scheme is not new, North Koreans are increasingly succeeding at getting jobs, despite sanctions laws preventing U.S. companies from hiring North Korean workers. CrowdStrike said in its report that one of the ways to prevent hiring sanctioned workers is by implementing better identity verification processes during the hiring phase. TechCrunch has anecdotally heard of some crypto-focused companies asking prospective employees to say critical things about North Korea's leader, Kim Jong Un, in an effort to weed out potential spies. 
The would-be North Korean employees are often highly monitored and surveilled, making any such request impossible and likely outing the fraudulent worker. Over the past year, the U.S. Department of Justice has sought to disrupt these operations by going after the U.S.-based facilitators who help run and operate the scheme for their North Korean bosses. These operations have included targeting the individuals who run "laptop farm" operations, which include racks of open laptops used by the North Koreans to remotely do their work as if they were physically located in the United States. Prosecutors said in a June indictment that one North Korean operation stole the identities of 80 individuals in the U.S. between 2021 and 2024 to get remote work at more than 100 U.S. companies.
[2]
North Korean IT worker infiltrations exploded 220% over the past 12 months, with GenAI weaponized at every stage of the hiring process
Terrifying new fronts have emerged in a highly successful employment-fraud scheme in which trained North Korean operatives get jobs at companies around the globe under fake or stolen identities. The number of companies that hired North Korean software developers grew a staggering 220% during the past 12 months -- and most of their success is due to automating and optimizing the workflow involved in fraudulently obtaining and holding tech jobs, CrowdStrike's 2025 Threat Hunting report released on Monday revealed. The IT workers infiltrated more than 320 companies in the past 12 months. To level set: The North Korean IT worker scheme is a vast conspiracy to evade punishing financial sanctions on the Democratic People's Republic of Korea due to authoritarian ruler Kim Jong Un's human-rights abuses and relentless quest to develop weapons of mass destruction. To dodge the sanctions and make money to keep funding its nuclear program, North Korea now trains young men and boys in tech, sends them to elite schools in and around Pyongyang, and then deploys them in teams of four or five to locations around the world including China, Russia, Nigeria, Cambodia, and the United Arab Emirates. The workers are each required to earn $10,000 a month, according to a defector, and have managed to do so by getting remote jobs doing IT work at U.S. and European companies while earning good salaries, court records show. Since 2018, the UN estimates, the scheme has generated between $250 million to $600 million per year on the backs of thousands of North Korean men. For the Fortune 500, the IT worker scheme has been a flashing red alert about the evolution of employment-fraud schemes. Court records show hundreds of Fortune 500 companies have unknowingly hired thousands of North Korean IT workers, in violation of sanctions, in recent years. In some cases, the IT worker scheme is purely about generating stable revenues for the regime.
In others, FBI investigators have found evidence IT workers share information with more malicious hackers that have stolen nearly $3 billion in crypto, according to the UN. CrowdStrike's investigations revealed North Korea's tech workers, an adversary CrowdStrike dubs "Famous Chollima," used AI to scale every aspect of the operation. The North Koreans have used generative AI to help them forge thousands of synthetic identities, alter photos, and build tech tools to research jobs and track and manage their applications. In interviews, North Koreans used AI to mask their appearance in video calls, guide them in answering questions, and pass technical coding challenges associated with getting software jobs. Critically, they now rely on AI to help them appear more fluent in English and well-versed in the companies where they're interviewing. Once they get hired, the IT workers use AI chatbots to help with their daily work -- responding in Slack, drafting emails -- to make sure their written offerings appear technically and grammatically sound and to help them hold down multiple jobs simultaneously, CrowdStrike found. "Famous Chollima operatives very likely use real-time deepfake technology to mask their true identities in video interviews," the report states. "Using a real-time deepfake plausibly allows a single operator to interview for the same position multiple times using different synthetic personas, enhancing the odds that the operator will get hired." CrowdStrike investigators have observed North Korean IT workers searching for AI face-swapping applications and paying premium prices for subscriptions to deepfake services during active operations. Adam Meyers, senior vice president of CrowdStrike's counter adversary operations, told Fortune his team generally investigates one incident a day related to the North Korean IT worker scheme.
The program has broadened beyond U.S. borders as U.S. law enforcement has cracked down on domestic operations with indictments and advisories, and as more U.S. companies have tightened their security practices and girded their defenses. Last month, a 50-year-old Arizona woman, Christina Chapman, was sentenced to 8.5 years in prison in July after pleading guilty for her role in operating a "laptop farm" from her home. Prosecutors said she accepted and maintained 90 laptops and installed remote-access software so North Koreans could work for U.S. companies, prosecutors said. Authorities revealed Chapman's operation alone helped the workers get 309 jobs that generated $17.1 million in revenue through their salaries. Nearly 70 Americans had their identities stolen in the operation, authorities said. These weren't just attacking smaller companies with looser hiring infrastructure; Nike was one of the companies impacted, according to its victim impact statement in Chapman's case. The sneaker and activewear giant unwittingly hired a North Korean operative affiliated with Chapman. Nike did not respond to Fortune's requests for comment. "U.S. law enforcement has put a big dent in their ability to operate the laptop farms, so as it gets increasingly expensive or difficult to get remote jobs here in the U.S., they're pivoting to other locations," said Meyers. "They're getting more traction in Europe." Meyers said CrowdStrike has seen new laptop farms established in Western Europe across to Romania and Poland, which means the North Korean workers are getting jobs -- typically as fullstack developers -- in those countries and then having laptops shipped to farms there. The scheme is the same as it works in the U.S.: A supposedly Romanian or Polish developer will interview with a company, get hired, and a laptop will get shipped to a known laptop-farm destination in those countries, he said.
In other words, instead of shipping devices and onboarding materials to an actual resident where the supposed developer works, the laptop gets shipped to a known farm address based in Poland or Romania. Typically, the excuse is the same type that has proven effective at U.S. companies, said Meyers. The developer will claim to be having a medical or family emergency necessitating a change in the shipping address. "Companies need to stay vigilant if they're hiring overseas," said Meyers. "They need to understand these risks exist not just domestically, but overseas as well." Amir Landau, malware research team leader at defense firm CyberArk, told Fortune traditional cyber defenses are likely to eventually become insufficient against the threat as genAI used by the North Koreans becomes advanced enough to break through companies' defense wards. Therefore, what companies need to do to defend themselves requires a fundamental shift in thinking in terms of how much trust and access companies grant their own employees. The military and intelligence principle of a "need-to-know basis," which originated during World War II, will become more important, said Landau. Not every developer needs to know or have access to certain assets or documents, even after they've been with a company for a certain amount of time, he explained. Landau also advocates for minimum and limited-time privileges for developers, giving them a short window of time for work, rather than unlimited access that could eventually make a company vulnerable. Landau also said companies should take some additional common-sense measures in the hiring process. If a job applicant gives a reference, don't call the phone number or message the email address you've been given. Look them up and get in touch with what you see from public databases, he advised. If someone's personal information sounds bizarre or inconsistent, pay attention. Use the internet to double check what you can find against what you've been told. 
"There are a lot of small things you can do to defend against these threats," he said. And ultimately, while small companies are typically more vulnerable, that doesn't mean larger companies aren't also susceptible to fraud schemes, Landau said. Meyers said as long as the IT workers can find work, they'll keep evolving their tactics through the use of genAI. "These are basically exploited people from North Korea making money for the regime," said Meyers. "As long as they can continue to generate revenue, they're going to keep doing this."
CrowdStrike reports a 220% increase in North Korean IT worker infiltrations, with AI being used to create fake identities and pass job interviews, raising concerns about sanctions evasion and cybersecurity.
CrowdStrike's latest threat hunting report reveals a dramatic 220% increase in incidents involving North Korean IT workers infiltrating Western companies over the past 12 months. The security giant identified over 320 cases where North Koreans, posing as remote IT workers, gained fraudulent employment in various organizations [1].
The North Korean operatives, dubbed "Famous Chollima" by CrowdStrike, have weaponized generative AI and other AI-powered tools to enhance their infiltration techniques. These tools are used to:
Adam Meyers, senior vice president of CrowdStrike's counter adversary operations, stated that his team investigates approximately one incident related to this scheme daily [2].
The infiltration scheme serves multiple purposes:
While the exact number of North Korean IT workers employed by U.S. companies is unknown, estimates suggest it could be in the thousands [1].
As U.S. law enforcement cracks down on domestic operations, the scheme has expanded globally:
The U.S. Department of Justice has taken steps to disrupt these operations:
In a recent case, Christina Chapman, a 50-year-old Arizona woman, was sentenced to 8.5 years in prison for her role in operating a laptop farm that helped North Korean workers secure 309 jobs and generate $17.9 million in revenue [2].
The infiltration scheme poses significant risks to companies worldwide:
To combat this threat, CrowdStrike recommends implementing better identity verification processes during hiring. Some companies have resorted to unconventional methods, such as asking prospective employees to criticize North Korean leader Kim Jong Un, to weed out potential spies [1].