Last month, a mid-sized financial services firm in Atlanta discovered something unsettling about a great remote developer. For six months, Christina had been crushing deadlines, writing great code, and generally being a regular employee. There was just one small problem: Christina’s work wasn’t being done by Christina.
The real person behind the work was a North Korean IT worker using her credentials, part of a large operation affecting hundreds of American companies. By the time the company realized what had happened, internal intellectual property had been stolen, and significant payroll had been siphoned off to the sanctioned country.
North Korea maintains thousands of highly skilled IT workers who need jobs. American companies need remote developers. In between sits a network of facilitators who bridge this gap using stolen identities, fake resumes, and "laptop farms."
Christina Chapman ran one of these farms from her Arizona home. When FBI agents raided it in October 2023, they found more than 90 company laptops, each meticulously labeled with the U.S. company name and the fake identity assigned to it. Fortune 500 laptops sat next to devices from luxury retailers and aerospace manufacturers. She'd even shipped 49 devices overseas, including multiple packages to a Chinese city on the North Korean border.
The scale is impressive: Chapman's operation alone involved 309 U.S. companies, including a top-five television network, Silicon Valley tech companies, an aerospace manufacturer, and major automotive brands. The scheme used 68 stolen American identities and generated over $17 million. The North Korean workers attempted to infiltrate U.S. government agencies, targeting positions at Immigration and Customs Enforcement and the Federal Protective Service, though these attempts failed.
Chapman would physically log into each laptop, making it appear the work originated from Arizona. She'd handle video calls using deepfake technology or careful staging. Court documents show she was set to forward nearly $300,000 to the North Korean workers when she was arrested.
The workers themselves are genuinely skilled. They graduate from top technical universities in Pyongyang and undergo additional training in modern frameworks and languages. Unlike typical scammers who disappear quickly, these workers often maintain their positions for months or years, delivering real value while secretly funneling money to the regime and occasionally exfiltrating data.
If you're running a 50-person software company or a 200-employee financial firm, your risk is higher than you might think. These operations specifically target mid-sized companies that have embraced remote work but lack the risk management functions and security infrastructure of larger firms.
The math is compelling for the perpetrators. A single remote developer position paying $150,000 annually can net the North Korean government over $100,000 per year after expenses. Multiply that by hundreds of positions, and you're looking at a revenue stream worth tens of millions annually. This directly funds the North Korean regime.
Your company is particularly vulnerable if you:
The typical infiltration follows a predictable pattern. It often starts on a Friday afternoon when your team is scrambling to fill a critical role. A recruiter forwards a stellar resume. The candidate interviews well, demonstrates strong technical skills, and can start immediately. The references check out. The background check comes back clean.
But something feels slightly off. Maybe they're reluctant to turn on their camera, claiming bandwidth issues. Perhaps they insist on using their own equipment for "productivity reasons." They might request payments to a fintech app rather than traditional direct deposit.
Here's what the fraudsters typically say:
"Hi, this is David from TechStaff Solutions. I have a perfect candidate for your senior developer role. He's available immediately and has extensive experience with your exact tech stack."
"I prefer to keep my camera off during calls - I find it helps me focus better on the technical discussion."
"Could we set up payment through Wise or Payoneer? I've had issues with traditional banks in the past."
"I'll need to use my own laptop for security reasons. I have specialized development tools configured that would take weeks to set up on new hardware."
The good news is that these schemes, while sophisticated, have consistent tells.
Video Interview Requirements: Require cameras to be on during at least one interview. Maybe not all of them, but at least one. If someone claims technical issues, offer to reschedule or use a different platform. This matters all the more with the rise of AI face-swapping apps.
Background Checks: Standard background checks often pass because the stolen identities are real, so look for mismatches as well: Does the address on their application match what the background check returns? Does their claimed work history align with their LinkedIn profile? Contact previous employers directly using the numbers provided on their official websites, rather than those listed on the candidate's resume.
Insist on Company Equipment: This is non-negotiable. Ship laptops with security configurations and business-grade endpoint detection and response (EDR) software pre-installed. If someone pushes back hard on this standard practice, that’s a major red flag. Remember, Chapman's operation relied entirely on hosting company laptops - don't make it easy for them.
Do the Reference Checks: Many companies skip real reference checks. Don't. Call the main company number (not the one provided) and ask for HR to verify employment. North Korean operations often use other fake employees as references.
As U.S. Attorney Jeanine Ferris Pirro warned:
"If this happened to these big banks, to these Fortune 500, brand name, quintessential American companies, it can or is happening at your company."
The call is coming from inside the house - or rather, from a laptop farm in suburban Arizona connected to North Korea.
We don’t need to be overly paranoid or treat every remote worker with suspicion. But establishing reasonable processes that protect both your company and legitimate employees is valuable and can help add friction for those who would exploit your trust.
In a world where your next hire might be a sanctioned government's revenue stream, a little healthy skepticism goes a long way.