← Liz Gore

North Korean Playbook

2025-09-08


North Korean IT Worker Fraud Prevention Playbook for HR Teams

Or: How to Avoid Accidentally Funding a Nuclear Program While Trying to Hire a React Developer

Executive Summary: Plot Twist - Your Remote Developer Might Be a Spy

Here’s some news that’ll make your Monday morning coffee taste bitter: Over 300 U.S. companies have fallen victim to North Korean IT worker fraud schemes. The FBI isn’t sugarcoating it either - they’ve straight up said this is “just the tip of the iceberg.”

Between 2020 and 2022, over 300 companies (including several Fortune 500s) unknowingly hired North Korean workers. And here’s the kicker: these aren’t just folks trying to make a living. They’re part of a state-sponsored scheme that’s evolved from “let’s steal paychecks” to “let’s steal your data and hold it hostage.”

So here’s the uncomfortable truth: If your company hires remote IT workers, you’ve probably interviewed a North Korean operative. Maybe you even hired one. Gulp.


How the Scheme Works: Like Ocean’s Eleven, But With More Malware

The Business Model (Surprisingly Well-Organized)

Think of this as North Korea’s most successful startup. They deploy thousands of skilled IT workers operating in teams of dozens to over a hundred fake applicants. It’s like a really twisted version of a gig economy, except the gig is international fraud and the economy funds weapons programs.

These folks are usually chilling in countries that are North Korea-friendly, like China, Russia, and Malaysia. They’re not exactly working from a cybercafe in Pyongyang.

The Identity Theft Process (More Creative Than Most Halloween Costumes)

  • Step 1: Steal someone’s identity
  • Step 2: Make it look legit
  • Step 3: Profit (literally)

They use everything from passports to Social Security cards - sometimes the real deal obtained through identity theft, sometimes forgeries that range from “pretty good” to “did a toddler make this with crayons?”

The Technology Arsenal (Welcome to the Future, I Guess)

  • AI-Enhanced Photos: They take stock photos and give them the AI treatment to create professional headshots. I see them all over LinkedIn.
  • Stolen Identities: Valid IDs grabbed from data breaches or bought from willing participants (yes, some Americans are literally selling their identities for cash)
  • Deepfake Technology: Real-time deepfakes during video interviews. Black Mirror, meet your recruiting department.
  • Laptop Farms: U.S.-based collaborators maintain fleets of devices that North Korean workers access remotely, like Airbnb but for cybercrimes.

Red Flags: When Your Spidey Senses Should Be Tingling

🚨 Critical Warning Signs (“Houston, We Have a Problem” Moments)

Resume and Application Red Flags

  • Inconsistent Information: When someone’s LinkedIn says they’re from Boston but their resume says Dallas and their GitHub profile claims San Francisco. Pick a lane, buddy.
  • Perfect Documentation: If the resume is so perfect it looks like it was written by ChatGPT… it probably was.
  • Template Similarities: When all the portfolio websites look like they came from the same “Freelancer Websites for Dummies” template.
  • Email Patterns: Multiple candidates with emails like “[email protected]” and “[email protected].” Subtle, guys. Real subtle.

Communication Red Flags

  • Video Avoidance: “Sorry, my camera is broken” for the fifth interview in a row. What is this, 2020?
  • Platform Switching: “Hey, can we move this conversation to Signal/Telegram/CarrierPigeon?”
  • Cultural Misses: When someone claiming to be from Texas says their favorite sport is badminton. Nothing against badminton, but… come on.

Financial and Payment Red Flags

  • Requests to use payment services linked to China
  • “Can you pay me in Bitcoin?” (LOL this should immediately raise eyebrows)
  • Bank accounts that change more often than a teenager’s relationship status

Step-by-Step Detection Methods (Your New Hiring Superpower)

Phase 1: Initial Application Screening (The First Line of Defense)

Step 1: Play Detective with Documentation

  • Cross-check your system for duplicate resumes. If two “different” people have identical work histories, either you’ve found twins separated at birth, or something’s fishy.
  • Reverse image search those professional headshots. Stock photo websites are your friend here.

Step 2: Contact Information Verification (Phone a Friend… Literally)

  • Check if phone numbers are VoIP services. Not all VoIP is bad, but when combined with other red flags, it’s worth noting.
  • Google those email addresses. If they pop up on 47 different freelancer profiles, that’s not normal networking.

Step 3: Technical Profile Analysis (Get Your Sherlock Holmes On)

  • Check IP addresses from applications. If someone claims to be in Ohio but their IP traces to a VPN exit node in Romania, ask questions.
  • Look for accounts logged in continuously for days. Humans need sleep. Bots and remote operators? Not so much.
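
The Phase 1 checks above (duplicate work histories, claimed location versus IP location, multi-day sessions, and VoIP as a supporting signal only) can be scripted over an applicant export. This is an added example, not part of the original playbook; the field names, sample records and 48-hour threshold are assumptions, and ip_region is assumed to come from whatever geo-IP lookup you already use.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data; every field name is an assumption about an ATS export.
APPLICANTS = [
    {"id": "A1", "claimed_region": "US-OH", "ip_region": "US-OH", "phone_type": "mobile",
     "history": ["Acme Corp | Senior Developer | 2019-2022", "Initech | Developer | 2016-2019"]},
    {"id": "A2", "claimed_region": "US-OH", "ip_region": "RO", "phone_type": "voip",
     "history": ["initech |  developer | 2016-2019", "ACME Corp | Senior Developer | 2019-2022"]},
    {"id": "A3", "claimed_region": "US-TX", "ip_region": "US-TX", "phone_type": "voip",
     "history": ["Globex | QA Engineer | 2018-2023"]},
]
# Constructed portal sessions: (applicant id, login time, logout time).
SESSIONS = [
    ("A2", datetime(2025, 9, 1, 8, 0), datetime(2025, 9, 4, 9, 30)),
    ("A3", datetime(2025, 9, 1, 9, 0), datetime(2025, 9, 1, 17, 0)),
]

def history_fingerprint(history):
    """Hash a work history so case, spacing and entry order do not hide a copy."""
    entries = sorted(re.sub(r"\s+", " ", e).strip().lower() for e in history)
    return hashlib.sha256("\n".join(entries).encode()).hexdigest()

def screen(applicants, sessions, max_session=timedelta(hours=48)):
    """Return {applicant id: [flags]} for the Phase 1 checks."""
    fps = {a["id"]: history_fingerprint(a["history"]) for a in applicants}
    counts = Counter(fps.values())
    longest = defaultdict(timedelta)  # longest single session per applicant
    for aid, login, logout in sessions:
        longest[aid] = max(longest[aid], logout - login)
    report = {}
    for a in applicants:
        flags = []
        if counts[fps[a["id"]]] > 1:
            flags.append("duplicate_work_history")
        if a["ip_region"] != a["claimed_region"]:
            flags.append("ip_location_mismatch")
        if longest[a["id"]] > max_session:
            flags.append("continuous_session")
        # VoIP alone is not a finding; it only counts next to another flag.
        if flags and a["phone_type"] == "voip":
            flags.append("voip_number")
        report[a["id"]] = flags
    return report

if __name__ == "__main__":
    print(screen(APPLICANTS, SESSIONS))
```

Both applicants sharing a work history are flagged, since one of them may be the identity-theft victim; the flags are prompts for a human review, not a verdict.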

Phase 2: Interview Process (Where the Magic Happens)

Step 4: Enhanced Video Interviews (Trust, But Verify)

  • Mandatory Video Calls: No exceptions. “My camera is broken” is not an acceptable answer in 2025.
  • Record Everything: Future you will thank present you when you need to analyze that suspicious interview.
  • Multiple Sessions: Consistency is key. Deepfakes are impressive, but they’re not perfect.

Step 5: Deepfake Detection (Welcome to the Future, It’s Weird Here)

  • Ask them to turn their head, move closer to the camera, wave, put their hand in front of their face, or pat their head and rub their tummy. These are simple movements that trip up deepfake technology.
  • Watch for weird lighting that doesn’t match their supposed environment.
  • If their mouth movements don’t quite sync with their voice, that’s not lag - that’s a red flag.

Step 6: Skills Testing (Put Your Money Where Your Mouth Is)

  • Make them complete technical tests in your environment, not theirs. Do not give them access to anything.
  • Watch for weird behavior like excessive screen switching or unusual keyboard patterns.

Phase 3: Background Verification (The Final Boss Level)

Step 7: Independent Verification (Don’t Take Their Word for It)

  • Call previous employers directly. Use the numbers from the company website, not the ones they gave you.
  • Verify education with schools directly. Bursar offices love getting these calls (okay, they don’t, but they’ll help).

Step 8: Reference Checks (References Should Reference… Something)

  • Video call references when possible. If they’re also camera-shy, that’s suspicious.
  • Ask references specific questions about projects and work styles. Vague answers are red flags.

Prevention Strategies (Building Your Fortress)

Enhanced Onboarding Process (Making It Harder for the Bad Guys)

Shipping and Equipment Security (Where Packages Go to Die)

  • Ship equipment only to UPS stores requiring ID verification. No more “send it to my cousin’s house.”
  • If they want equipment sent somewhere other than their address, they better have a really good explanation and documentation.

Identity Verification Requirements (Trust, But Verify… A Lot)

  • For sensitive roles, require fingerprints. It’s 2025 - this isn’t unreasonable.
  • Compare IDs with video call participants. Make sure the person on camera matches the person on the ID.
  • No system access until background checks clear. I know, I know, they want to “hit the ground running,” but patience is a virtue.

Technical Controls (Your Digital Bodyguards)

Network Monitoring (Big Brother, But for Good Reasons)

  • Monitor for VPN usage and remote desktop software. Not all VPN use is bad, but unusual patterns are worth investigating.
  • Use intrusion detection software. If someone’s laptop starts doing weird things on day one, that’s not normal.

Access Controls (The Principle of “Not So Fast, Buddy”)

  • New employees get minimal access until they prove they’re legit.
  • Monitor for unusual activity, especially tiny transactions. Death by a thousand papercuts is real in fraud.

Third-Party Risk Management (Trust Your Staffing Agency, But Cut the Cards)

Staffing Firm Oversight

  • Share your concerns with recruiting partners. They should be aware of this threat too.
  • Ask about their vetting processes. If they say “we look at resumes,” that’s not enough anymore.

What to Do If You Suspect You’ve Hired a North Korean Worker

Immediate Actions (Don’t Panic, But Do Act Fast)

Step 1: Don’t Freak Out (But Do Pay Attention)

  • KnowBe4 caught their North Korean hire before any damage was done. Good security controls work.
  • Document everything. Screenshots, email threads, weird conversations - save it all.

Step 2: Call in the Cavalry (Your Security Team)

  • Loop in your CISO immediately. This is their jam.
  • Use security tools to monitor the suspected employee’s device activity.

Step 3: Lock It Down (Containment is Key)

  • Restrict system access immediately. Better safe than sorry.
  • Don’t let them know you’re onto them until security says it’s okay.

Reporting Requirements (Yes, You Have to Tell on Them)

Law Enforcement Notification

  • FBI wants to know about this stuff. They have a whole department for it.
  • Internet Crime Complaint Center (IC3) is your friend here.

Legal Considerations (The Fun Stuff)

  • Unknowingly paying North Korean workers can violate sanctions. Awkward.
  • Get your lawyers involved. They love this kind of challenge.

Real-World Case Study: The KnowBe4 Incident (When Cybersecurity Experts Get Schooled)

In July 2024, KnowBe4 (yes, the cybersecurity company) hired what they thought was a legit software engineer. Plot twist: it wasn’t.

What Went Wrong:

  • The candidate passed four video interviews (using a real person with a stolen identity)
  • Background checks came back clean (because the stolen identity was real)
  • They used an AI-enhanced stock photo that looked professional

How It Was Caught:

  • The corporate laptop started downloading malware immediately upon receipt
  • Their Security Operations Center flagged the activity
  • When they called to ask about it, the “employee” became evasive and unresponsive

The Aftermath:

  • No data was stolen (good security controls for the win)
  • KnowBe4 went public with the story to warn other companies
  • They now ship equipment only to UPS stores requiring ID verification

The Lesson: Even cybersecurity companies can get fooled. Don’t feel bad if you’ve been targeted - these people are professionals.


Training Your Team (Knowledge is Power)

HR Team Education Points (Making Everyone Smarter)

Key Training Topics:

  • How to spot the red flags we’ve covered
  • What to do when something feels “off”
  • Legal requirements around verification vs. discrimination

Regular Updates:

  • This threat evolves constantly. Last year’s training isn’t enough.
  • Share war stories and case studies. Nothing drives home a point like “this actually happened to Company X.”

Building Cross-Functional Collaboration (Teamwork Makes the Dream Work)

Security-HR Partnership:

  • Security teams and HR need to work together. No more silos.
  • Create clear escalation procedures. When HR sees something weird, security should be the first call.

Technology Solutions and Tools (Your Digital Swiss Army Knife)

Identity Verification Services

  • Specialized companies exist just to verify identities. Use them.
  • Liveness detection technology can catch some deepfakes.

Network Security Tools

  • Endpoint detection and response (EDR) solutions are your friend.
  • Geolocation services can tell you where login attempts are really coming from.

Sanctions Compliance (Don’t Accidentally Fund a Nuclear Program)

  • OFAC doesn’t care if you didn’t know. Ignorance isn’t a defense.
  • Strict liability means you can be held responsible even without intent.

Employment Law Balance (Walking the Tightrope)

  • You need to verify identities without discriminating based on national origin.
  • Document your verification steps. If someone claims discrimination, you’ll need proof of consistent processes.

Evolution of Tactics (They’re Getting Smarter)

  • AI tools are making fake identities more convincing.
  • They’re expanding beyond IT into animation and other creative fields.
  • Front companies are popping up to add legitimacy.

Industry Impact (Who’s Being Targeted)

  • Cryptocurrency and blockchain companies are favorite targets.
  • AI development companies and the FinTech sector are seeing increased activity.
  • Really, any company with valuable IP is at risk.

Conclusion: You’re Not Just Hiring - You’re Defending America (No Pressure)

Look, nobody told you when you got into HR that you’d be on the front lines of national security. But here we are. The FBI literally said that if you hire remote IT workers, you’ve probably interviewed a North Korean operative.

The Good News:

  • This threat is detectable with the right knowledge and tools
  • Companies like KnowBe4 have shown that good security can catch these attempts
  • You’re not alone - law enforcement and cybersecurity companies are here to help

The Reality Check:

  • This is a sophisticated, well-funded, state-sponsored operation
  • Traditional hiring practices aren’t enough anymore
  • But with vigilance and proper procedures, you can protect your company

Remember: These people are professionals, but so are you. With the right training, tools, and mindset, you can spot them and stop them. Even just some routine relationship-building, small talk, idle chat can clue you in to a bad actor. Don’t be afraid to ask follow-up questions if something feels fishy. Your company’s data, your colleagues’ jobs, and (let’s be dramatic) national security depend on it.

No pressure or anything.


Additional Resources (Your New Best Friends)

  • FBI Internet Crime Complaint Center: www.ic3.gov (bookmark this)
  • Local FBI Field Office: www.fbi.gov/contact-us/field-office (make friends)
  • OFAC Sanctions Guidance: ofac.treasury.gov (light reading)
  • KnowBe4 Free Training Module: Because they learned the hard way so you don’t have to

Final Thought

If you take nothing else from this playbook, remember this: When something feels off during the hiring process, trust your gut. Your instincts have been honed by years of dealing with people, and they’re often right. Better to be cautious and wrong than trusting and sorry.

Stay vigilant out there, HR warriors.
