You have a fake North Korean IT worker problem - here's how to stop it
- Reference: 1752404535
- News link: https://www.theregister.co.uk/2025/07/13/fake_it_worker_problem/
"Almost every CISO of a Fortune 500 company that I've spoken to — I'll just characterize as dozens that I've spoken to — have admitted that they had a North Korean IT worker problem," [1]said Mandiant Consulting CTO Charles Carmakal during a threat-intel roundtable, admitting that even Mandiant's parent company Google is not immune.
"We have seen this in our own pipelines," added Iain Mulholland, Google Cloud's senior director of security engineering.
"We've certainly seen applicants that fit into this category with various IOCs [indicators of compromise] that we've shared with partners and peers," Snowflake CISO Brad Jones told The Register .
These types of scams, largely originating from North Korea, or at least funneling money back to Pyongyang, have cost American businesses at least [5]$88 million over six years, the Department of Justice said last year.
In some cases, the fraudsters use their insider access to steal proprietary source code and other sensitive data, and then extort their employers with threats to leak corporate data if not [6]paid a ransom demand.
As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly [8]targeting European employers, too.
Nearly all executives who spoke to The Register in recent months have seen a flood of these types of applicants applying for open positions, most of them in engineering and software development, and all of them remote work.
In some instances, the scammers even used deepfake videos in attempts to get hired, including at a security company that uses AI to find vulnerabilities in code. "If they almost fooled me, a cybersecurity expert, they definitely fooled some people," Vidoc Security Lab co-founder Dawid Moczadło told us in an [9]earlier interview.
"We believe, at this point, every Fortune 100 and potentially Fortune 500 have a pretty high number of risky employees on their books," Socure Chief Growth Officer Rivka Little told us.
Using a fake identity…to apply for an identity job
Over the past few months, Socure has seen a ton of fake candidates applying for open jobs, according to Little, who has been leading the charge on the IT worker scam front. This seems an especially ironic choice for employment scammers, because Socure provides identity verification services to other companies.
For a senior engineering role, Socure used to receive between 150 and 200 applications over three or four months. That number has recently jumped to more than 1,999 purported job seekers in a two-month period. At least some of those extra applicants have weirdly suspicious profiles.
"We were in our executive meeting one Monday morning, and our chief people officer said, 'We're getting these super-strange resumes. They don't seem to be connected to people who are valid. This feels like a fake identity,'" Little said. "There were just too many disconnects."
Chief among these disconnects were "shallow" LinkedIn profiles paired with "beefy resumes," she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies' flagship products … but then only having 25 LinkedIn connections.
Once the recruitment team began meeting via video conferences with some of the applicants, they noted extremely Western-sounding names, like James Anderson, paired with East Asian appearances and accented English, in much higher numbers than they expected.
"You can't profile people, so with the first few we were like, that's interesting. But then when it was 10, 20, 30 — this is implausible at that rate and number, demographically," Little said. "We decided to follow through on a couple of candidates to really suss out what is going on here, and also to allow us to capture consent, because you can't really dig into someone's identity background unless you have consent to do so."
In all of these cases, Little's team noted a number of oddities: new-ish email addresses, phone numbers that didn't match claimed geographic locations, routing everything through a VPN, and educational backgrounds that didn't check out.
Little said she fed a handful of job applicant questions into ChatGPT and saved the chatbot's responses for reference during the interview.
"If his answers are anywhere close to these, then we'll also know there's a problem, and that's exactly what happened," she said. "It was insane."
The fraudster's answers weren't word-for-word ChatGPT, Little noted. "These people are smart, they're not unskilled, they're sophisticated," she said. "But what he said versus what came from ChatGPT was clearly related."
Making it even more confusing, Little genuinely liked the candidate. "He was affable, a nice guy," she said. "He was making jokes. There was nothing about him that would make me not want to work with him."
Spotting the patterns
Little has an interesting background in that she previously led an anti-fraud program at a bank, and also the human resources department at Socure. But, as she notes, few HR or hiring managers are also trained in cybersecurity and identity management — their job is to assess talent, not identify potential security risks.
"It's not uncommon that an HR leader wouldn't be exposed to a CTO or a CISO or a head of fraud, and so they may be experiencing this pattern and not necessarily knowing what to do with it," Little said. "We're a pretty small company, and so every single function in our world is together all the time. But if you're at Pepsi, is that happening? Probably not."
Therein lies another part of the problem, according to Netskope CISO James Robinson, who told The Register his cloud security firm has also received fraudulent worker applications. "I think every CISO is struggling with: Is it a CISO problem? Or is it an organizational and, really, earlier on, an HR problem? And how to do that partnership with HR?"
"Security people are very aware of how to do investigations," Robinson continued. "But we're not necessarily aware of what you can and can't ask during an interview."
Once Netskope began receiving resumes that seemed to use stolen or fake identities with an extra-AI polish boost, Robinson set up a briefing with the local FBI and included not only security but also HR and legal in the meeting. "And we started working on a plan that we can use during the screening phase," he said.
The team also shared this plan with outside recruitment agencies to help them verify that an applicant was who they purported to be.
"The recruiters started to identify profiles that were being created off of someone else's profile — the company is different, but the name is similar to someone else's name, the job experience is the same," Robinson said.
As a company that provides services for remote workers, Netskope also wants to support its own remote workforce, which presents its own set of struggles when trying to verify employees.
"We require people to come to the office to pick up their computer," Robinson said as an example. The firm's hiring team also reached out to their peers to discuss best practices to avoid becoming a North Korean IT worker scam victim. This included requiring in-person onboarding, double- and even triple-checking addresses before shipping work computers, and only shipping them to registered home addresses.
"Also, funny enough, it's not just catching something that is happening late-stage, but also catching something that is causing the applicant to just pass on the job," he added. "The fraudulent applicants will usually say, 'I can't do that.' They just pass."
This was Socure's experience, too. After stringing one suspected scammer along throughout the interview process, Little told the fake IT worker, "'We're going to do a document verification with you. So the next time we meet, please be ready, it's very simple, we'll send you a bar code, and you can do it from your device.' He never showed up."
And, yes, AI can help — not only the bad guys, but also the organizations doing the hiring, according to Jones.
"The Snowflake security team partners with peer organizations, security threat intelligence vendors, and government agencies to curate an aggregated IOC data set that is integrated into the resourcing tools used by our recruiting tools," he said.
These IOCs, or indicators of compromise, include email addresses, physical addresses, and phone numbers that have been flagged as associated with non-legitimate candidates.
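One way the IOC matching Jones describes, together with the oddities Little's team noted earlier (new-ish email addresses, phone numbers that don't match the claimed location, VPN use), could be wired into an applicant screen. This is an added example, not Snowflake's or Socure's code; the record schema, the `email_first_seen` and `via_vpn` enrichment fields, the 90-day threshold and every sample value are assumptions constructed for illustration.

```python
import re
from datetime import date

# Constructed sample IOCs (kind, value), shaped as a shared feed might list them.
CONSTRUCTED_IOCS = [
    ("email", "j.anderson.dev@example.com"),
    ("phone", "+1 (202) 555-0143"),
    ("address", "12 Example St., Apt 4, Springfield"),
]
CALLING_CODE = {"US": "1", "GB": "44", "DE": "49"}  # illustrative subset
NEW_EMAIL_DAYS = 90  # assumed threshold for a "new-ish" mailbox


def norm_email(addr):
    """Lowercase and drop '+tag' sub-addressing so trivial variants match."""
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def norm_phone(num):
    """Reduce to digits; assumes numbers are supplied in international form."""
    digits = re.sub(r"\D", "", num)
    return digits[2:] if num.strip().startswith("00") else digits


def norm_address(addr):
    """Fold case, punctuation and spacing so formatting differences match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


NORMALIZERS = {"email": norm_email, "phone": norm_phone, "address": norm_address}


def build_ioc_index(raw_iocs):
    """Normalize feed entries once so lookups are exact set membership."""
    index = {kind: set() for kind in NORMALIZERS}
    for kind, value in raw_iocs:
        index[kind].add(NORMALIZERS[kind](value))
    return index


def screen(applicant, index, today):
    """Return review flags for one applicant record (hypothetical schema)."""
    flags = []
    for kind, normalize in NORMALIZERS.items():
        value = applicant.get(kind)
        if value and normalize(value) in index[kind]:
            flags.append(f"ioc:{kind}")
    first_seen = applicant.get("email_first_seen")  # from an enrichment source
    if first_seen and (today - first_seen).days < NEW_EMAIL_DAYS:
        flags.append("new_email")
    code = CALLING_CODE.get(applicant.get("claimed_country"))
    phone = applicant.get("phone", "")
    if code and phone.strip().startswith(("+", "00")):
        if not norm_phone(phone).startswith(code):
            flags.append("phone_location_mismatch")
    if applicant.get("via_vpn"):
        flags.append("vpn")
    return flags  # flags feed a human review queue, not an automatic decision


if __name__ == "__main__":
    applicant = {  # constructed record
        "email": "J.Anderson.Dev+jobs@Example.com",
        "phone": "+44 20 7946 0018", "claimed_country": "US",
        "address": "12 example st apt 4 springfield",
        "email_first_seen": date(2025, 6, 20), "via_vpn": True,
    }
    print(screen(applicant, build_ioc_index(CONSTRUCTED_IOCS), date(2025, 7, 13)))
```

Normalizing both the feed and the applicant record before comparison is what lets a shared IOC survive cosmetic changes such as a `+tag` in the mailbox name or different address punctuation.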
It's also important to train what Jones calls the "human firewall," the people reviewing and interviewing candidates, to look for warning signs, too.
"Initially, this could include a resume that looks too good to be true, like having experience in every technology or hot product on the market," Jones explained. "During screening, there are other indicators, such as large delays when answering questions — such as someone or something doing translation and research — confusing products or technologies, as well as environmental signs such as being in a call center."
The final step is always an in-person interview. "Any excuses for why they would not be able to facilitate this is another red flag," he said. "Given our collaboration with peers, third-parties, and government agencies, we believe no nefarious candidates have progressed beyond our first interaction with our human firewall."
However, criminals are a wily, adaptive bunch. Once one gang notices a certain technique or tactic is successfully raking in money for a rival gang (think: ransomware), they are likely to adopt a similar illicit business strategy.
"Yes, it's connected to North Korea, but is it going to stay that way? Definitely not," Little said. "It will come from all kinds of bad actors. Any organized crime ring will figure out that this is a way in, and will start to hit it." ®
[1] https://www.theregister.com/2025/05/04/rsac_wrap_ai_china/
[5] https://www.theregister.com/2024/12/13/doj_dpkr_fake_tech_worker_indictment/
[6] https://www.theregister.com/2024/10/18/ransom_fake_it_worker_scam/
[8] https://www.theregister.com/2025/04/02/north_korean_fake_techies_target_europe/
[9] https://www.theregister.com/2025/02/11/it_worker_scam/
Re: How fat is Kim Jong Un essay question.
The “Kim Jong Un is fat” essay - because nothing filters out state-sponsored operatives like a Year 7 edgelord writing prompt.
Let’s be serious: anyone trusted by a regime to infiltrate foreign companies is not some random North Korean off the street. They’ll have full access to banned content, VPNs, fabricated identities, and a working knowledge of what Western hiring managers want to hear. If you asked them to write an essay about how they personally defiled Kim Jong Un’s corpse with a USB stick, they'd do it - in flawless English - if it got them the job. And they’d get it.
north korea knows you are a coward
Once again one of these stories. Is North Korea just a metaphor? Why would every other nationality applying for a job not be doing similar things? Just because they are not spiriting away your generic data it's still wrong.
Companies employ less people than they ever did but can't seem to just get a candidate to come in and be evaluated without a load of tech in tow.
Globalization seems to mean employ people you are scared of and don't want to ever meet.
Re: north korea knows you are a coward
Nailed it. North Korea isn’t a threat - it’s a metaphor. A convenient bogeyman conjured up to scare workers into doing what landlords and investment funds desperately need: get back into office buildings no one wants, just to keep commercial property values from collapsing.
None of the earlier guilt-trips landed. “Watercooler cross-pollination” was a joke. “Human connection” sounded creepy. So now we’re down to: you need to come into the office so we know you’re not a North Korean imposter. Because apparently the risk of a skilled remote developer is now national security - but only if they’re working from home.
The reality? If you're commuting in, you're not doing it for team spirit. You're doing unpaid labour for asset managers clinging to empty towers. Your presence is a human placeholder - a warm body justifying square footage on someone else's balance sheet. You’re not working in an office, you are the justification for the office.
And let’s not pretend they care about fraud. No one panics when some LinkedIn-certified chancer talks their way into a six-figure job with ChatGPT answers and buzzword bingo. But heaven forbid someone with an unfamiliar accent and a generic email address dares to know what they’re doing.
This was never about cybersecurity. It's about economics. You're being forced back into the office not because it’s better for work - but because it’s better for landlords.
Re: north korea knows you are a coward
' ... it’s better for landlords.'
You just want us all working at the pub!
Re: north korea knows you are a coward
"Why would every other nationality applying for a job not be doing similar things?"
Fraudsters or criminals can come from any nationality. North Koreans have one unique quality though: the other option of getting a legitimate job and not committing a crime is denied to them because the schemes where they get these jobs are orchestrated by the North Korean government and the people carrying them out are not permitted to leave, and their family members are held as collateral in case they find a way. They are intended to get cash, and if that means that holding a company to ransom is worth more than working normally, that's what they have to do. And it means that, to get the best salaries, they will lie about their experience.
Employers can do more to prevent this from working, although there will always be some level of arms race between people faking identities and those checking them. A lot of companies have decided that hiring people in other countries is just fine, and since the employees are working remotely, they should be able to interview that way too. Meeting in person should make it much harder for scams like this to succeed, but it will also cause some problems for hiring. For example, it's much easier for a candidate to take half a day for a few remote interviews than for them to take two for a long flight, those interviews in person, and a flight back, so requiring in-person interviews will cost some candidates.
Easier solution
1. Hire local.
2. In person interviews.
3. Stop looking for the unicorn candidate - they don't exist.
And step 0 - fire hr and have the interviews done by the people they're going to work with - they're the ones with the actual expertise on what the job requires.
There's a reason why the average hr droid only lasts 3 years - it takes that long to expose how useless they are.
Re: Easier solution
If they are local then in-person is trivial (even if disability access issues mean you have to go to them).
If they are not local then presumably you have to have a good reason for choosing them. If $REASON is not significantly more value to the company than the cost to get the selected candidate over for an in-person introduction, etc, then you deserve what you get!
Re: Easier solution
If the only suitable candidate was in a distant location or even abroad, I'm sure there are registered solicitors or other suitable registered professionals they could take their ID documents along to for a visual check on the person, and maybe even a supervised Zoom interview could be done with the candidate while at those premises. Granted you'd have to pay the third party something for those services, but much cheaper than employing a Nork.
Re: Easier solution
#0 & #2 are critical. There's no excuse except incompetence for not spending what is, compared to the salary, a trivial sum bringing the person in for an in-person interview, even if that means flying them half way around the planet. If I had a nickel for how many times I've heard "we don't have the budget for that" when hiring for a 6-figure position, I'd be rich. Such an attitude is stupid in the extreme. If I were a business insurance company, I'd write it in the contract that any damage caused by an employee who was not in-person interviewed as part of the hiring process isn't covered.*
*In-person interviews don't need to be at HQ, but they do need to be between the candidate and the hiring manager face-to-face in the same room with the candidate producing appropriate government-issued ID & if needed, visas, work permits, etc. Who does what travel is irrelevant.
Re: Easier solution
The grand solution: fly the candidate in - because nothing says 'rigorous hiring' like making someone burn time and money on ID theatre for a job that’ll vanish the moment shareholders demand a higher dividend.
Why is it always the worker who must travel, beg, and prove? If in-person is so vital, send the manager. They’re the ones with the salary, the title, and the decision-making power. Or is this really just about making the candidate perform submission rituals to earn a spot on the corporate balance sheet?
Let’s not pretend this is about due diligence. It’s about theatre. Companies posture like they’re fortresses of excellence, yet can’t offer stability, fair pay, or even human contact after round four of interviews. The “six-figure salary” is a relic - barely enough to rent near the office you’re now being forced to commute to “for culture.”
The truth? Workers are disposable. A commodity, rotated in and out depending on how the quarterly forecast lands. Today’s ‘key hire’ is tomorrow’s redundancy line. And yet somehow, it’s the candidate who must grovel for legitimacy.
If hiring is so high-stakes, prove you're worth working for. Until then, spare us the pomp - you’re not offering a life-changing opportunity. You’re offering a job and most likely, crap.
Bogeyman
Let’s get one thing straight: this article isn’t about North Korea. It’s about corporate hypocrisy, tech industry grift, and the billion-dollar pastime of punching down.
We're told that the “North Korean fake IT worker” is the latest bogeyman haunting the plush, over-air-conditioned boardrooms of Silicon Valley. The horror! Someone might pretend to be a software engineer to… do software engineering? And yet somehow the outrage isn’t about the decades of fake job postings, unpaid interview projects, and exploitative hiring pipelines run by the same companies now clutching their pearls.
Let’s talk stakes. According to the Department of Justice, this supposedly existential threat has cost $88 million over six years. That’s the kind of change Google misplaces in the cushions of a single quarterly report. Meanwhile, legitimate candidates across the world lose billions in unpaid labour, invisible time sinks, and “trial projects” that are never compensated - all in the name of “hiring diligence.”
Here’s an idea: if you're so terrified of hiring someone who's too competent, maybe stop making interviews indistinguishable from actual work. If your “engineering task” has candidates fixing production bugs or implementing real features, congratulations - you're not hiring, you're freeloading. Pay up.
And if you're so worried about identity fraud, maybe show your cards first. Share your salary range. Share your financials. Disclose whether you're in the middle of another stealth layoff round or gearing up to ship employee laptops to landfill again. Candidates are supposed to provide ID, do live coding, submit to AI analysis, and now apparently prove they're not a rogue agent from Pyongyang - yet companies don’t even have to commit to a call back.
Also rich: companies who literally sell identity verification tech, moaning that their own systems can't spot fake applicants. If you’re shocked that ChatGPT can answer your questions better than a human, the problem isn’t the candidate - it’s your recruitment process, your lazy filters, and your blind trust in LinkedIn connections as a measure of competence.
Let’s be real - this entire panic stems from the fact that “James Anderson” with an accent dares to be skilled. The subtext isn’t subtle. When a Western-sounding name doesn't come with a white face and a Harvard pedigree, the sirens go off. This is bias masquerading as national security, and the fact that it’s being sold with a straight face is embarrassing.
Instead of demanding biometric scans, document barcodes, and in-person gear pickup as if you're hiring for MI6, try this: pay candidates for their time. Respect their labour. And stop pretending your own hiring practices aren’t already a deeply broken, exploitative mess.
Because let’s be honest: the most common scam in tech hiring isn’t coming from North Korea. It’s coming from inside the building.
How fat is Kim Jong Un essay question.
Just extend Adam Meyers' (CrowdStrike) suggestion to requiring a one-page essay with each application requiring a discussion of just how fat Kim Jong Un is. I'd add a followup and require another one-page essay on how Kim Jong Un had his half-brother, Kim Jong-nam, assassinated at the Kuala Lumpur International Airport in Malaysia on February 13, 2017.
No doubt the lazy HR folks can have an AI generate other "weed 'em out" essay questions to require all candidates to answer that will weed out North Koreans. Non North Korean workers might be a bit harder.