North Korean Remote IT Worker Fraud: Managing Insider Threat, Sanctions and Employment Risk

Skadden Publication

Eytan J. Fisch, Ryan D. Junck, Nicola Kerr-Shaw, William E. Ridgway, David A. Simon, Alexandra Flores, Devaanjana Goel

Executive Summary

  • What’s new: Recent U.S. DOJ, FBI and Treasury actions highlight the evolution of North Korea-affiliated worker fraud schemes, which involve the use of stolen identities, fabricated credentials and domestic facilitators to secure remote IT positions at companies (both in the U.S. and globally) and funnel wages back to sanctioned governments.
  • Why it matters: Companies that inadvertently hire these operatives face costly data breaches, cybersecurity threats and potential criminal liability as the number of fraudulent employment applications only continues to rise.
  • What to do next: Organizations should consider reviewing and strengthening their hiring, monitoring, insider threat and incident response protocols to mitigate financial, reputational and legal exposure as enforcement activity ramps up.

__________

In recent years, a sophisticated fraud scheme has emerged that poses a serious and growing threat to companies worldwide: the infiltration of corporate workforces by fraudulent remote workers, including employees and contractors operating on behalf of sanctioned foreign regimes, most often the Democratic People’s Republic of Korea (North Korea).

These operatives are typically highly skilled information technology (IT) workers dispatched across the globe. They use fabricated identities and an array of technical tools — including deepfake artificial intelligence (AI) — to secure legitimate employment, with the proceeds funneled back to North Korea in violation of international sanctions.

The remote work revolution has brought tremendous flexibility and opportunity to the modern economy, but it has also opened new vulnerabilities that state-sponsored actors are actively exploiting.

This article provides an overview of how these schemes operate, the risks they pose to employers, recent enforcement developments and practical steps companies can take to protect themselves.

The Scam and the Risks

Mechanics of the Scam

To evade international sanctions, North Korea deploys skilled IT workers abroad to secure remote employment in wealthier nations. These individuals typically target freelance or contract positions in software and application development, graphic design, database management and general IT support.

Throughout the application process, they use tools designed to obfuscate their true locations and identities — often employing deepfake AI videos to participate in interviews and field questions convincingly. Applicants furnish fake documentation, fabricated references and manufactured work portfolios that are frequently generated using AI tools capable of bypassing automated applicant tracking systems.

Once hired, these workers often rely on AI code assistants to generate mediocre code, enabling a single operative to hold multiple corporate jobs simultaneously without triggering performance concerns. Workers then route the revenue from these overlapping roles back to the government.

In North Korea, the funds ultimately support state-sponsored weapons of mass destruction and ballistic missile programs.

In some cases, U.S. facilitators have aided the scheme by operating “laptop farms” — locations where company-issued equipment is housed so that fraudulent workers can remotely access it and maintain the illusion of working from a legitimate address.

The tactics, techniques and procedures of these North Korea-linked remote IT worker schemes are increasingly sophisticated, involving the use of:

  • Stolen or synthetic identities.
  • Reused or overlapping resumes.
  • Voice over Internet Protocol (VoIP) phone numbers.
  • Fake portfolio websites.
  • Discrepancies between claimed residence, identity documents and equipment-shipping addresses.
  • Use of U.S.-based facilitators to host company laptops.
  • Installation of remote administration tools (e.g., Chrome Remote Desktop, AnyDesk, TeamViewer, RustDesk, GoTo/LogMeIn).
  • Use of IP-based keyboard-video-mouse (KVM) devices.
  • Connections through virtual private networks (VPN) or proxy infrastructure.

Such workers are also often reluctant to participate in live video or spontaneous verification calls.1

The FBI has also warned that North Korea-linked IT workers have used AI and face-swapping technology during video interviews and have reused phone numbers and email addresses across multiple applicant personas.2

The scale of this threat is staggering — and growing. The United Nations estimates that remote workers have generated between $250 million and $600 million annually for North Korea, with operatives active in over 40 countries.3 Experts report significant year-over-year increases in identified cases and predict the figures will continue to climb.

Cybersecurity threat reporting from leading global cybersecurity companies emphasizes the insider threat, identity fraud and cyber resilience dimensions of the North Korea remote IT worker challenge. Cybersecurity technology company CrowdStrike tracks this activity as “FAMOUS CHOLLIMA” and has reported North Korea-linked actors posing as insiders at more than 100 primarily U.S. technology companies through falsified or stolen identity documents.4

Cybersecurity firm Mandiant tracks related activity as UNC5267 and has observed North Korea-linked IT workers using stolen identities, contractor roles, laptop farms, remote administration tools, VPN infrastructure and multiple simultaneous jobs to obtain and maintain access to corporate systems.5

Unit 42, the consulting arm of cybersecurity company Palo Alto Networks, emphasizes that no single control is sufficient and recommends a layered approach combining identity verification, IT asset management, IP/location analysis, endpoint controls, human resources (HR) training and insider-risk monitoring.6

Risks for Employers

  • Cybersecurity threats and data breaches. The FBI has warned that North Korea-linked IT workers have increasingly engaged in data extortion, impacting intellectual property and trade secrets — holding code hostage, publicly releasing proprietary code in some instances, copying code repositories to personal accounts or cloud storage, and harvesting credentials or session cookies for future compromise opportunities. Taken together, these actions can lead to significant data breaches, requiring notification to individuals and authorities in several jurisdictions.
  • Sanctions and export control violations. Employing workers from sanctioned jurisdictions like North Korea can open a company to sanctions violations. Depending on the nature of the work and information accessed, companies may also face exposure under U.S. export control laws.
  • Financial costs. The costly remediation measures required to address the aftermath of these schemes can include forensic investigations, system overhauls, legal fees and potential regulatory penalties.
  • Regulatory breaches. Data breaches and operational disruptions can trigger significant regulatory consequences, including public notification obligations and the potential for data breach litigation.
  • Reputational harm. Beyond the immediate operational disruption, companies may suffer erosion of client trust and loss of business relationships, particularly where regulatory notifications are required.

Enforcement Landscape

As the threat continues to grow, law enforcement officials and regulators have begun taking action against wrongdoers and setting expectations for corporations. Both the Department of Justice (DOJ) and the Office of Foreign Assets Control (OFAC) have publicly warned companies of the dangers posed by fraudulent remote workers acting on behalf of nations deemed hostile.

Individual Perpetrators

To date, DOJ has charged more than 40 individuals for their participation in remote worker schemes, including U.S. nationals who have helped facilitate the illegal conduct. Defendants have been indicted on charges of and related to:

  • Wire fraud
  • Money laundering
  • Identity theft
  • Violations of U.S. sanctions laws
  • Conspiracy

Recent DOJ cases and related enforcement activity focus both on North Korea nationals and domestic and third-country facilitators:

  • In May 2026, DOJ announced that two U.S. nationals had been sentenced to 18 months in prison for their roles in receiving and hosting laptops from IT companies in their homes so that their North Korean co-conspirators could access the devices from overseas.7
  • In January 2025, DOJ indicted three North Korean nationals and three facilitators (both U.S. and foreign) in connection with a multiyear scheme to install North Korean nationals as remote workers to generate revenue for the North Korean regime and evade sanctions.8

Targeted Companies

Notably, neither DOJ nor OFAC has filed any enforcement actions against companies that have inadvertently hired these individuals. These companies have been characterized as “victims” that have been “systematically target[ed]” by bad actors.9

That said, companies are not in the clear. Both DOJ and OFAC have issued warnings about the seriousness of this threat, signaling that they expect companies to be vigilant against workers attempting to circumvent U.S. laws. Companies with deficient compliance programs that lead to the hiring of such workers could face criminal exposure.

Should DOJ and OFAC begin pursuing actions against employers, they have a wide range of tools at their disposal:

  • DOJ actions can include criminal charges, deferred prosecution agreements and substantial fines.
  • OFAC responses can range from the issuance of a warning letter to the imposition of monetary penalties. Companies may also face punishment for violations of export control laws.

Red Flags, Preparation and Remediation

Given the evolving enforcement landscape and the clear signals from federal authorities that companies are expected to take proactive measures, organizations should consider implementing robust screening and monitoring protocols.

Common Red Flags

Companies should consider training hiring managers and IT security teams to watch for the following warning signs, both during the application process and with existing workers:

  • LinkedIn profiles that appear credible at a glance but lack genuine company page links, show limited connections or activity, or use slightly altered employer names.
  • Candidates or workers who are reluctant to appear on unscheduled or live video, whose video feeds consistently have technical issues or whose on-screen appearance is inconsistent between calls.
  • References that cannot be independently verified.
  • Multiple or inconsistent addresses associated with the candidate — such as discrepancies across identity documents, LinkedIn profiles and home addresses — or requests to change payroll information or deliver work equipment to different addresses.
  • Network logins from non-U.S. locations, or multiple logins into a single account from various IP addresses within a short time period.
  • Multiple remote workers logging in from the same IP address.
  • Use of VoIP phone numbers, reused email addresses, overlapping resumes, copied portfolio language or recurring online profiles across multiple applicant personas.
  • Corporate laptops that are shipped to, geolocated at or remotely accessed from locations inconsistent with the worker’s claimed residence or identity documents.
  • Workers remaining logged into accounts for days at a time.
  • Inconsistencies in name spelling, nationality, claimed work location, contact information, or employment and education history across documentation.
  • Overly simplistic portfolio websites or social media profiles.
  • Requests for payment in virtual currency.
  • Atypical working hours or an inability to reach the worker in a timely manner.
  • Unauthorized use of remote desktop or VPN tools, or unusually high levels of network latency.
  • Installation or attempted installation of multiple remote administration tools, mouse-jiggling software, IP-based KVM devices, or VPN services associated with anonymization or foreign infrastructure.
  • Inconsistent performance levels, with work often appearing AI-generated or poorly executed.
  • Appearing underprepared or overly flustered in interviews despite extensive listed qualifications.

Best Practices – Interviewing and Onboarding

Organizations should consider implementing the following measures when evaluating candidates for remote positions and during the hiring process:

  • Use well-known and established recruiting agencies.
  • Conduct at least one in-person identity verification before employment begins and/or use AI-detection tools during video interviews to confirm applicant identity and detect deepfake technology.
  • Conduct thorough preemployment background checks using trusted vendors.
  • Verify banking information against all other identity documents.
  • Verify employment and education history directly with the relevant companies and institutions, not through contact details provided by the candidate.
  • Confirm that personal and identity details are consistent across all submitted documentation.
  • Only send work equipment to the address listed on the worker’s identity documents.
  • Limit access privileges to the minimum required for the role, ideally on a provisional basis until the worker’s identity is fully verified.
  • During IT onboarding, require the worker to verify the corporate laptop serial number and confirm physical possession of the assigned device.
  • Use hardware-based multifactor authentication where feasible to tie access to physical possession of the verified corporate device.

Best Practices – Existing Workers

For workers already on board, companies should consider the following measures:

  • Conduct regular audits of payroll records to identify any “phantom” workers.
  • Implement strong monitoring of financial activity, including small or unusual payments and changes in vendor payment information.
  • Prevent workers from downloading unauthorized software — particularly VPNs or remote access tools — onto work laptops unless preauthorized.
  • Enforce strict device and access controls by binding corporate laptops to verified identities and restricting access by geography or Autonomous System Number (ASN).
  • Conduct periodic check-ins with new hires to reassess red flags.
  • Analyze login patterns to identify workers logging in from suspicious or frequently changing locations, or multiple workers logging in from the same IP address.
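The login-pattern red flags listed above (logins from outside the home country, one account on several IP addresses within a short window, several workers sharing an IP, and sessions left open for days) can be turned into a repeatable check. The following Python is an added example, not code from the article or from any of the firms it cites; the login records and the IP-to-country table are constructed stand-ins for an identity provider export and a GeoIP/ASN lookup.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP-to-country table standing in for a GeoIP/ASN service (RFC 5737 test addresses).
IP_COUNTRY = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.55": "CN", "203.0.113.99": "US"}

# Constructed login records: (worker, source IP, login time, session length in hours).
LOGINS = [
    ("alice", "203.0.113.10", "2025-03-01T09:00", 8),
    ("alice", "192.0.2.55",   "2025-03-01T09:40", 2),   # second IP, other country, 40 minutes later
    ("bob",   "198.51.100.7", "2025-03-01T08:30", 96),  # session held open for four days
    ("carol", "198.51.100.7", "2025-03-01T08:45", 8),   # same IP as bob: possible laptop farm
    ("dave",  "203.0.113.99", "2025-03-02T10:00", 8),
]


def analyze(logins, ip_country, home_country="US", window=timedelta(hours=2),
            min_ips=2, max_session=timedelta(days=1)):
    """Return a list of (finding, subject, detail) tuples for the red flags above."""
    findings = []
    by_user = defaultdict(list)   # worker -> [(login time, ip)]
    by_ip = defaultdict(set)      # ip -> {workers}
    for user, ip, ts, hours in logins:
        t = datetime.fromisoformat(ts)
        by_user[user].append((t, ip))
        by_ip[ip].add(user)
        # Red flag: login geolocated outside the worker's claimed (home) country.
        if ip_country.get(ip, "unknown") != home_country:
            findings.append(("foreign_login", user, ip))
        # Red flag: account left logged in far longer than a normal working day.
        if timedelta(hours=hours) > max_session:
            findings.append(("long_session", user, ip))
    # Red flag: one account used from several IPs inside a short time window.
    for user, events in by_user.items():
        events.sort()
        for t, _ in events:
            ips = {ip for t2, ip in events if t <= t2 <= t + window}
            if len(ips) >= min_ips:
                findings.append(("many_ips_short_window", user, sorted(ips)))
                break
    # Red flag: several distinct workers connecting from the same IP address.
    for ip, users in by_ip.items():
        if len(users) > 1:
            findings.append(("shared_ip", ip, sorted(users)))
    return findings


if __name__ == "__main__":
    for finding in analyze(LOGINS, IP_COUNTRY):
        print(finding)
```

Thresholds such as the two-hour window and the one-day session cap are illustrative and should be tuned to the organization's own baseline before alerts are acted on.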

General Preparedness

Finally, companies should consider taking the following steps to protect themselves against such schemes:

  • Maintain robust anti-money laundering and sanctions compliance policies.
  • Maintain robust insider threat monitoring and related policies and procedures.
  • Include language in employment contracts permitting the auditing of employee usage of company systems.
  • Provide workers with the minimum access privileges required to perform their duties.
  • Train workers on how to spot and avoid social engineering tactics.
  • Build awareness of these schemes across the organization and maintain a robust whistleblowing system to encourage reports of suspected fraud.
  • Establish clear escalation procedures and provide staff training to ensure that suspected or confirmed cases of bad actor workers are dealt with promptly and efficiently, leveraging legal privilege where necessary.
  • Develop and maintain a response plan with immediate steps to take in the event a fraudulent worker is identified.

_______________

1 Mandiant, “Staying a Step Ahead: Mitigating the DPRK IT Worker Threat” (Sept. 23, 2024) (describing laptop farms, IP-based KVM devices, remote administration tools, VPN usage, video reluctance and mismatched shipment/residence locations).

2 FBI Internet Crime Complaint Center, “North Korean IT Workers Conducting Data Extortion” (Jan. 23, 2025).

3 United Nations Security Council, “Note by the President of the Security Council” (March 7, 2024), UN Doc S/2024/215.

4 CrowdStrike, “2024 CrowdStrike Threat Hunting Report: Nation-States Exploit Legitimate Credentials to Pose as Insiders” (Aug. 20, 2024).

5 Mandiant, “Staying a Step Ahead: Mitigating the DPRK IT Worker Threat” (Sept. 23, 2024).

6 Unit 42, “Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them” (Nov. 13, 2024).

7 DOJ, “Two U.S. Nationals Sentenced for Facilitating Fraudulent Remote Information Technology Worker Schemes to Generate Revenue for the Democratic People’s Republic of Korea” (May 6, 2026).

8 DOJ, “Two North Korean Nationals and Three Facilitators Indicted for Multi-Year Fraudulent Remote Information Technology Worker Scheme That Generated Revenue for the Democratic People’s Republic of Korea” (Jan. 23, 2025).

9 DOJ, “Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes” (June 30, 2025).

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
