The UN estimated the North Korean IT worker scam has generated $250 million to $600 million every year since 2018.
Fortune news editor Amanda Gerut explains. https://t.co/0gfJweWgdp
— FORTUNE (@FortuneMagazine) April 11, 2025
Thousands of North Korean IT workers have infiltrated the Fortune 500—and they keep getting hired for more jobs.
Fortune 500 companies have unwittingly hired thousands of software engineers who claim to be American developers but are actually North Korean citizens using stolen or fake identities. Through legitimate employment, the IT workers are illegally funneling their salaries to Kim Jong Un’s regime to fund prohibited weapons of mass destruction and ballistic missile programs. The U.S. Treasury, State Department, and FBI collectively estimate the IT workers scam has generated hundreds of millions each year since 2018.
About 95% of the résumés Harrison Leggio gets in response to job postings for his crypto startup g8keep are from North Korean engineers pretending to be American, the founder estimates. He even once interviewed a job seeker who claimed to have worked at the same Manhattan-based cryptocurrency exchange as he did, during the time he worked there.
https://fortune.com/2025/04/07/north-korean-it-workers-infiltrating-fortune-500-companies/
Dozens of Fortune 100 companies have unwittingly hired North Korean IT workers, according to report
“North Korean IT workers often have multiple jobs with different organizations concurrently, and they often have elevated access to production systems, or the ability to make changes to application source code,” Carmakal said.
“There is a concern that they may use this access to insert backdoors in systems or software in the future. Every Fortune 100 organization should be thinking about this problem.”
https://therecord.media/major-us-companies-unwittingly-hire-north-korean-remote-it-workers
Since our September 2024 report outlining the Democratic People’s Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations has continued to expand. These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime. This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption.
In collaboration with partners, Google Threat Intelligence Group (GTIG) has identified an increase of active operations in Europe, confirming the threat’s expansion beyond the United States. This growth is coupled with evolving tactics, such as intensified extortion campaigns and the move to conduct operations within corporate virtualized infrastructure.
https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale
How to prevent:
Scan your remote devices to make sure no one is remoting into them. Vet candidates better, and make sure they are physically where they are supposed to be. Scan résumés more carefully for career inconsistencies. Get these people on video camera and ask them about the work they are doing. A laptop shipping address that differs from where they are supposed to live or work is a red flag.
https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
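The checklist above can be run over onboarding and endpoint-inventory records. The following is an added example, not code from this page or from KnowBe4; the record field names, the remote-tool marker list and the sample records are assumptions constructed for illustration.

```python
import re

# Assumption: name fragments of common remote-access tools; replace with the
# tools your organisation has not approved on managed laptops.
REMOTE_TOOL_MARKERS = ("anydesk", "teamviewer", "rustdesk", "vnc")
ABBREV = {"st": "street", "ave": "avenue", "rd": "road", "apt": "apartment"}

def normalize_address(addr):
    """Lowercase, drop punctuation and expand abbreviations so formatting
    differences alone do not register as an address mismatch."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def red_flags(worker):
    """Return the checklist items that apply to one onboarding record."""
    flags = []
    if normalize_address(worker["home_address"]) != normalize_address(worker["ship_to"]):
        flags.append("laptop shipped to an address other than stated residence")
    tools = sorted(p for p in worker["processes"]
                   if any(m in p.lower() for m in REMOTE_TOOL_MARKERS))
    if tools:
        flags.append("remote-access tool on device: " + ", ".join(tools))
    if not worker["video_interview"]:
        flags.append("no on-camera interview on record")
    return flags

def review(workers):
    """Map worker id -> red flags, omitting records with none."""
    results = {w["id"]: red_flags(w) for w in workers}
    return {wid: flags for wid, flags in results.items() if flags}

# Constructed sample records (hypothetical field names, not real people).
WORKERS = [
    {"id": "worker-a", "home_address": "12 Elm St., Apt 4, Austin TX 78701",
     "ship_to": "12 elm street apartment 4 austin tx 78701",
     "processes": ["chrome.exe", "code.exe"], "video_interview": True},
    {"id": "worker-b", "home_address": "90 Pine Ave, Denver CO 80202",
     "ship_to": "455 Oak Rd, Nashville TN 37201",
     "processes": ["AnyDesk.exe", "code.exe"], "video_interview": False},
]

if __name__ == "__main__":
    for wid, flags in review(WORKERS).items():
        print(wid, "->", "; ".join(flags))
```

A flagged record is a prompt for manual review by HR and security, since approved remote-support tools and legitimate address changes will also match.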


