'These actors are no longer relying solely on traditional cybercrime': Experts uncover another massive North Korean fake IT worker scam network


  • Nisos uncovers large DPRK employment fraud campaign embedding operatives in US tech firms
  • 22 agents submitted 166k+ applications, landing 21k+ interviews and 76 job offers using stolen identities, AI tools, and local stand‑ins
  • Targets were mostly software/data roles; scheme blended deception and AI tactics to generate salaries and access systems for regime revenue

Security researchers have uncovered a massive North Korean operation aimed at getting state-sponsored operatives hired in US-based technology firms.

Nisos published an in-depth report detailing how the group used stolen identities, AI tools, remote access technologies, and even locals to get hired.

Shockingly, the campaign resulted in 76 job offers, roughly 3.5 offers per agent.


Heavy use of AI

Nisos said the investigation started when a suspected North Korean operative applied for a remote AI architect position with the company.

Working with law enforcement, the company uncovered a cell of 22 individuals who, between December 2024 and September 2025, submitted at least 166,893 job applications, landing more than 21,645 interviews with US companies.

The operation was well organized, Nisos said, and had administrators, managers, team leads, operatives, and more. Members communicated via Discord and used performance-tracking dashboards and identity brokers.

Each operative managed multiple employment personas at the same time, and tracked different metrics such as number of applications submitted, interviews completed and offers received.

To increase their legitimacy, the scammers relied heavily on AI. They used AI-generated resumes, AI-assisted interview coaching, as well as real-time response generation during interviews. Furthermore, they used voice-training applications to improve their chances of securing the job, and when they were required to show up in person or go through onboarding sessions, they brought local stand-ins who were later paid in ERC20 cryptocurrency (Ethereum).

Most of the time, they targeted software engineering, development, and data-related roles (70%). Salaries for these positions ranged between $55,000 and $230,000.

“DPRK employment fraud has evolved into a highly organized and scalable operation that blends human deception, technical tradecraft, and AI-enabled tactics,” said Ryan LaSalle, CEO of Nisos. “What makes this threat particularly concerning is that these actors are no longer relying solely on traditional cybercrime. They are embedding themselves within organizations, collecting salaries, gaining access to systems and data, and generating revenue for the regime through seemingly legitimate employment.”




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
