How One Company Finally Exposed North Korea's Massive Remote Workers Scam (nbcnews.com)
- Reference: 0180997432
- News link: https://it.slashdot.org/story/26/03/15/1942232/how-one-company-finally-exposed-north-koreas-massive-remote-workers-scam
- Source link: https://www.nbcnews.com/investigations/north-korea-it-worker-scheme-nisos-fbi-rcna245025
And working with the FBI, one corporate security/investigations company decided to knowingly hire one of North Korea's remote workers — then "ship him a laptop and gain as much information as possible" about this "sprawling international employment scheme that is estimated to include hundreds of American companies, thousands of people and hundreds of millions of dollars per year."
> It worked.... Over a roughly three-month investigation, Nisos uncovered an apparent network of at least 20 North Korean operatives including "Jo" who had collectively applied to at least 160,000 roles. During that time, workers in the network — which some evidence showed were based in China — were employed by five U.S.-based companies and allegedly helped by an American citizen operating out of two nondescript suburban homes in Florida...
>
> Nisos estimated that in about a year, "Jo", who was likely a newer member of the team, applied to about 5,000 jobs... "They attended interviews all day every day, and then once they secured a job, they would collect paychecks until they were terminated," [according to Jared Hudson, Nisos' chief technology officer]... With the ability to see which other U.S. companies Jo and his team were working for — all remote technology roles — Nisos' CEO, Ryan LaSalle, began making calls to their security teams to alert them of the fraud. "Most of the companies weren't aware of it, even if they had pretty robust security teams," LaSalle said. "It wasn't really high on the radar."
NBC News describes North Korea's 10-year effort — and its educational pipeline that steers promising students into "computer science and hacking training before being placed into cyberunits under military and state agencies, according to a [2]recent report by DTEX, a risk-adaptive security and behavioral intelligence firm that tracks North Korea's cybercrime."
> In [3]one case, a North Korean worker stole sensitive information related to U.S. military technology, according to the Justice Department. In [4]another, an American accomplice obtained an ID that enabled access to government facilities, networks and systems. [5]At least three organizations have been extorted and suffered hundreds of thousands of dollars in damages after proprietary information was posted online by IT workers... Analysts warn that North Korean IT workers are targeting larger organizations, increasing extortion attempts and seeking out employers that pay salaries in cryptocurrency. More recently, security researchers have uncovered fake job application platforms impersonating major U.S. cryptocurrency and AI firms, including [6]Anthropic, designed to infect legitimate applicants' networks with malware to be utilized once hired. The global cybersecurity company CrowdStrike identified a [7]220% rise in 2025 in instances of North Koreans gaining fraudulent employment at Western companies to work remotely as developers...
>
> The payoff flowing back to Pyongyang from these schemes is enormous. Some North Korean IT workers [8]earn more than $300,000 per year, far more than they'd be able to earn domestically, with as much as 90% of their wages directed back to the regime, according to congressional [9]testimony from Bruce Klingner, a former CIA deputy division chief for Korea. The [10]United Nations estimates the schemes, which proliferated after the pandemic when more companies' workforces went remote, generate as much as $600 million annually, while a U.S. State Department-led sanctions monitoring [11]assessment placed earnings for 2024 as high as $800 million... So far, at least 10 alleged U.S.-based facilitators have been federally charged, including one active-duty member of the U.S. Army, for their alleged roles in hosting laptop farms, laundering payments and moving proceeds through shell companies. At least six other alleged U.S. facilitators have been identified in court documents but not named...
>
> "We believe there are many more hundreds of people out there who are participating in these schemes," said Rozhavsky, the FBI assistant director. "They could never pull this off if they didn't have willing facilitators in the U.S. helping them...." The scheme itself is also becoming more complex. North Korean IT teams are now subcontracting work to developers in Pakistan, Nigeria and India, expanding into fields like customer service, financial processing, insurance and translation services — roles far less scrutinized than software development.
[1] https://www.nbcnews.com/investigations/north-korea-it-worker-scheme-nisos-fbi-rcna245025
[2] https://reports.dtexsystems.com/DTEX-Exposing+DPRK+Cyber+Syndicate+and+Hidden+IT+Workforce.pdf?_gl=1*3t9a20*_gcl_au*MTA0OTkyMjY4OS4xNzYwNDU5MjM0LjExMDAyODcxNTYuMTc2MDQ1OTIzNC4xNzYwNDU5MjM0
[3] https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote
[4] https://www.justice.gov/opa/pr/maryland-man-sentenced-conspiracy-commit-wire-fraud
[5] https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information
[6] https://www-cdn.anthropic.com/b2a76c6f6992465c09a6f2fce282f6c0cea8c200.pdf
[7] https://go.crowdstrike.com/rs/281-OBQ-266/images/Threat-Hunt-Report-2025.pdf
[8] https://ofac.treasury.gov/media/923126/download?inline
[9] https://www.congress.gov/event/118th-congress/house-event/116279/text
[10] https://documents.un.org/doc/undoc/gen/n24/032/68/pdf/n2403268.pdf
[11] https://msmt.info/Publications/detail/MSMT%20Report/4221
How often did you buy "made in USA" stuff... (Score:2)
... only to learn later that the thing you paid for was largely made in Asia, with only some packaging or branding happening in the US? It seems kind of ironic and well-deserved that the same kind of deceit now also happens to companies that want to buy "made in USA" labor.
I have a remote worker (Score:2)
She's a lady in Mississippi who is on Zoom a lot. I have another remote worker. He's a former student. Also on Zoom a lot. I have another remote worker. He's a longtime friend who used to be in person. On Zoom a lot. I have another former remote worker. She is a friend of the lady in Mississippi. Was on Zoom a lot. Figuring out who a remote employee is does not require much effort. It just requires actually running a company and giving a fuck.
Nice racket! (Score:3)
> once they secured a job, they would collect paychecks until they were terminated
Sounds like a nice little racket.
How? (Score:4, Interesting)
Just require 1 in-person interview before hiring and the first day you have to come to the office and personally take the computer home. A computer with GPS software on it to track its location and ensure the actual work is done on it. At some random time in the next month have a video conference and compare it to a picture taken at the job interview. Look for AI.
Moreover, what the hell Human resources??? Are you really that freakin incompetent? No wonder unemployment is so high if 1) HR is so bad they can't detect this and b) your standards are so 'off' that you want to hire these people instead of Americans.
The example here had an address in Florida and a bank account in Missouri. Those states don't touch. Just NO. And they matched the worker's emails to an ISP not in Florida. Just ask some questions for god's sake.
Yes, I get it that one American did a remailing for the laptop. Why doesn't it have geolocation software in the business software?
How is that not enough to stop this?
I think we need to not just punish them, but the HR people who let this crap happen. They should all be fired if they hire a SINGLE identity theft guy.
Re: (Score:3)
"GPS software" you say? Does that work indoors unlike the GPS hardware laptops usually don't have?
Re: How? (Score:2)
> what the hell Human resources??? Are you really that freakin incompetent?
Yeah.....that's why the whole "just use merit" thing doesn't work. We aren't very good at assessing it.
Re: (Score:1)
> The example here had an address in Florida and a bank account in Missouri.
Not unusual.
> And they matched the workers emails to an ISP not in Florida.
VPN user or was traveling.
> Just ask some questions for god's sake.
The trick is to ask the right questions without coming across as so nosey that you make well-qualified legit candidates not only say "pass" but tell their friends to do the same.
Re: (Score:3)
Those things you consider not unusual are what other people call:
RED FLAGS
which normal people check up on.
VPN/traveling = check in every day for the next month. If it moves around, that's traveling. If it does not move, maybe a VPN but you got something suspicious. Do a video chat and find out. Maybe ask them advice on getting a VPN because the one you are using sucks.
You sound like a security guard explaining why he let someone wearing a ski mask and carrying a violin case into the bank when it turned
Re: (Score:2)
> Just require 1 in person interview before hiring and the first day you have to come to the office and personally take the computer home.
I said the same thing in one of the stories posted on here about this issue, but apparently that's too difficult. People don't even want to work in the office. Why expect someone to come in for an interview?