Elite members of North Korean society fake their way into Western paychecks
Increased federal activity, including indictments over the past year, has drawn attention to a pattern that has been unfolding inside corporate hiring pipelines.
North Korean nationals are securing roles as remote IT contractors and full-time staff within organizations across North America and Western Europe, using standard hiring channels to get in.
Research by IBM X-Force and Flare outlines how these workers operate within a broader state-backed system tied to revenue generation and access to corporate environments. Their work can extend beyond employment to include theft of proprietary information, extortion, and support for other North Korean groups.
Workforce scale and revenue generation
Data from 2023 indicate that the number of overseas workers ranged between 3,000 and 10,000. A 2024 analysis identifies over 100,000 workers in 40 countries, including participation in sectors such as information technology.
Annual revenue tied to these activities reaches approximately $500 million. Individual IT workers may earn more than $300,000 a year.
North Korean IT workers are regarded as elite members of society and play a central role in advancing the government’s strategic objectives.
Workers are trained through specialized education systems and deployed through multiple government bodies and affiliated organizations. This creates a distributed structure that supports sustained global activity.
Recruitment and onboarding
The process starts with recruiters who identify and screen candidates. Job opportunities are presented as legitimate roles, often described as early-stage startup positions. Candidates are told they will learn job-hunting strategies and apply for remote roles using assigned profiles.
Candidates are informed that they will use identities tied to specific regions, including U.S.-based profiles, and must align with those working hours. They are also told that securing employment at external companies is their primary responsibility.
Interviews are brief and structured. One documented case includes two HR interviews lasting 15 mins each. English proficiency and technical capability are key selection criteria.
Once accepted, workers move into onboarding. Facilitators assign identities, profiles, and communication tools, and guide workers through resume updates, interview preparation, and initial job applications.
Identity creation and technical setup
Once onboarding is complete, the focus shifts to building a usable identity and the technical setup behind it. Profiles are created with fabricated names, edited images, and work histories tailored to specific regions. Workers look up local companies and universities to make resumes feel credible.
The technical side is just as important. Work is carried out on virtual machines or remote systems that appear to be located in the same region as the identity. Sometimes those systems sit on cloud infrastructure. In other cases, they belong to collaborators who provide remote access. One machine can support several identities at once.
Account creation usually starts with a throwaway email from a provider with minimal verification requirements. That account is then used to build out additional profiles on platforms like LinkedIn, GitHub, and Upwork.
Images are adjusted to fit the persona. Photos may be edited or generated, with backgrounds added or altered to avoid detection. GitHub profiles often include minimal or staged content that suggests development experience without showing real activity.
Behind the scenes, internal tools keep everything running. NetKey and OConnect provide network access. The RB Site tracks devices, infrastructure, and payments. NetkeyRegister supports account setup. For communication, workers rely on IP Messenger, which allows them to exchange information without using centralized platforms.
Job acquisition drives the operation
Getting hired is the objective. Keeping the job is secondary.
Workers apply at scale across both freelance and full-time roles. Freelance platforms are used to submit high volumes of bids, sometimes reaching hundreds in a single day. A small portion convert into paid work, ranging from $200 to $1,000 per project.
Full-time roles follow the same volume approach. Dozens of applications go out daily, sometimes exceeding 100. Assistants can push that number into the hundreds on multiple platforms.
Applications are tailored to match the identity being used. Location, experience, and education are adjusted so the profile fits the job market being targeted.
Collaborators complete hiring requirements
Full-time roles introduce stricter identity checks and payroll requirements, which workers cannot meet on their own. To get through these steps, they rely on collaborators or brokers who handle the parts of the hiring process that require a real, verifiable identity.
In some cases, these arrangements are ongoing, though it is not always evident whether identities are shared willingly, sold, or obtained without consent.
Finding collaborators is an active effort. Workers use LinkedIn and GitHub to identify potential partners, often focusing on self-employed individuals to preserve the appearance of independent work.
Some facilitators openly advertise for help, presenting themselves as candidates from places like Singapore or Hong Kong who are trying to access jobs in the United States or Europe.
Once a collaborator is in place, they take on the tasks needed to finalize employment. That can include passing background checks, providing identification, completing forms such as I-9 paperwork, receiving company-issued devices, and supplying banking and tax details.
In return, workers may offer a share of their earnings, and successful partnerships can lead to additional collaborators through referrals.
Work execution follows a repeatable pattern
Once hired, workers operate inside standard corporate environments. They gain access to tools like email, Slack, Jira, and development platforms. In some cases, that access extends into client systems.
Day-to-day work follows a consistent routine. Tasks are translated, researched, and often run through tools like ChatGPT before being translated again and submitted.
Google Translate plays a central role in this process. It is used to write messages, understand instructions, and communicate with others. Entire conversations may be pasted into the tool to bridge language gaps.
Internal tracking measures output and time
Internal documentation shows detailed tracking of activity. Workers log time down to the second and record the number of bids and messages completed.
Teams consist of two to three members, with rankings based on hours worked and output. Examples show workers averaging 14 hours per day and others averaging about 11 hours.
Researchers believe that ranking systems may reflect broader social practices, where individuals at lower positions are subject to peer-based self-criticism sessions.
Termination leads back to the start
Most roles last only weeks or months. Performance issues or communication gaps often lead to termination.
When that happens, workers return equipment through collaborators, abandon the identity, and start over. New profiles are created, new applications are submitted, and the cycle continues.
“Unlike traditional threat actors, defending an organization from North Korean IT worker infiltration is not solely the domain of security teams, but rather a joint effort between human resources, security operations, hiring managers, and interviewers,” researchers concluded.