A rising number of top-tier tech companies in the U.S. have unknowingly employed North Korean cyber agents disguised as remote IT professionals, with the operatives channeling lucrative tech salaries back to Pyongyang to support the regime's weapons program.
Cybersecurity leaders warn that the scope of the deception is broader than previously believed, impacting numerous Fortune 500 firms. The trend is driven by a national shortage of cybersecurity talent and the ongoing popularity of remote work arrangements following the pandemic.
These North Korean agents are constantly refining their tactics—using advanced AI tools and enlisting U.S.-based collaborators to set up operations across the country—raising serious concerns among Chief Information Security Officers (CISOs) and technology executives.
Though it's hard to pinpoint the exact number of companies affected, many industry leaders are now publicly sharing their experiences. Law enforcement agencies continue to investigate and expose the intricate tactics being used.
“I’ve talked to a lot of CISOs at Fortune 500 companies, and nearly every one that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen,”
— Charles Carmakal, CTO, Google Cloud’s Mandiant
Interviews with a dozen leading cybersecurity experts reveal that the threat is serious and growing. Several experts acknowledged that their own companies had been targeted and were struggling to contain the damage. During the same briefing, Iain Mulholland, Google Cloud’s CISO, confirmed that North Korean operatives had been spotted “in our pipeline,” although he didn’t specify whether they had been screened out or hired.
SentinelOne, a cybersecurity firm, has been vocal about its experience. In a recent report, the company revealed it had received nearly 1,000 job applications tied to the North Korean scheme.
“The scale and speed of this operation, as used by the North Korean government to generate funds for weapons development, is unprecedented,”
— Brandon Wales, former executive director at CISA and current VP at SentinelOne
Experts outline a repeated pattern: Operatives build fake LinkedIn profiles, impersonate U.S. citizens using stolen data such as addresses and Social Security numbers, and apply for high-paying roles in bulk. At the interview stage, they deploy AI-powered deepfake technology to mimic the real person in real-time.
“There are individuals located around the country who work in software development whose personas are being used,”
— Alexander Leslie, Threat Intelligence Analyst, Recorded Future
Once hired, these agents navigate onboarding using stolen credentials and request laptops to be shipped to U.S. addresses. These addresses often lead to "laptop farms"—homes filled with dozens of work devices operated by Americans paid to assist the scheme.
CrowdStrike began tracking this infiltration trend in 2022 and identified 30 affected companies within the first week of launching a monitoring program. Since early 2024, advancements in AI have only strengthened these operatives’ capabilities. According to an interagency advisory from the FBI, Treasury, and State Department, each operative can earn as much as $300,000 annually.
“This money is directly going to the weapons program, and sometimes you see that money going to the Kim family,”
— Meyers
In one significant case, American citizen Christina Chapman pleaded guilty in February to collaborating with North Korean agents for three years, helping them steal identities and manage a $17 million laptop farm operation that employed North Koreans at more than 300 U.S. companies.
“It’s hard for us to say how many humans are actually operating these personas, but somewhere in the thousands of unique personas,”
— Greg Schloemer, Senior Threat Analyst, Microsoft
In January, the U.S. Justice Department charged two Americans for enabling another North Korean scheme that brought in over $800,000 from more than 60 companies over six years.
FBI Special Agent Elizabeth Pelker explained at the RSA Conference in San Francisco that once one operative is in, they often refer others, leading to networks of up to 10 imposters within the same organization.
Even after dismissal, many operatives leave behind malware or backdoor access, extorting companies for ransom or stealing sensitive data.
“This is very adaptive,” Pelker said. “Even if [the hackers] know they’re going to get fired at some point, they have an exit strategy for them to still … have some sort of monetary gain.”
Authorities are targeting U.S.-based "laptop farm" operators as a key strategy to dismantle the scam’s infrastructure.
“If the FBI goes and knocks on that door and puts that person in cuffs and takes all the laptops away, they’ve lost 10 to 15 jobs, and they’ve lost a person who they’ve already invested in that relationship with,”
— Schloemer
The scheme is expanding internationally. CrowdStrike reports similar patterns in the U.K., Poland, Romania, and other European nations. Recorded Future has also traced activity in South Asian regions.
Still, legal and compliance fears prevent many companies from speaking up.
“That North Korean IT worker has access to your whole host of web development software, all the assets that you’ve been collecting. And then that worker is being paid by you, funneled back into the North Korean state, and is conducting espionage at the same time,”
— Leslie
“We don’t want there to be a stigma to talking about this,”
— Wales
“It is really important that everyone be open and honest, because that is the way that we’re going to deal with this, given the scale of what we are facing.”
