In corporate security circles, a ghastly new fear has led to some strange advice for recruiters interviewing potential IT staffers: Ask the candidate to insult North Korea’s Supreme Leader, Kim Jong-un. The idea is that if the interviewee is a North Korean agent posing as a regular candidate, he’ll be visibly thrown off, outing himself.
TL;DR
- North Korean operatives pose as IT professionals to fund Kim Jong Un's nuclear programs.
- They use AI and stolen identities to secure remote tech jobs globally, generating up to $1 billion.
- Businesses unknowingly hire these operatives, risking sanctions violations and national security.
- The scheme involves "laptop farms" and is difficult to prosecute due to dispersed operations.
During a cybersecurity conference held in Las Vegas this past August, an analyst known as “SttyK”, identifiable by a black hoodie and dark glasses, delivered some disheartening information to a large assembly of researchers, executives, and government personnel: that particular method is now ineffective. “Do not [ask why] Kim Jong-un is so fat,” SttyK declared emphatically in all-caps on a slide during their presentation. “They all notice what you guys have noticed and improved their opsec [operation security].”
Though it may seem improbable, akin to a narrative from a Cold War spy thriller, this plan is entirely genuine, as confirmed by the FBI and other agencies, alongside the UN, cybersecurity investigators, and nonprofits. A multitude of North Korean men skilled in information technology are engaged in identity theft, misrepresenting their qualifications on résumés, and fraudulently securing lucrative remote technology positions within the U.S. and other wealthy countries. They employ artificial intelligence to generate work and conceal their appearances and identities.
The scam, in breach of international sanctions, has generated substantial revenue for Kim's administration, which seizes a significant portion of the IT professionals' earnings. The FBI calculates that this initiative has directed between several hundred million and $1 billion to the dictatorial state over the last five years, financing leader Kim's objective of developing the Democratic People’s Republic of North Korea (DPRK) into a nuclear-armed force.
Hundreds of Coins2Day 500 companies, aerospace makers, and American financial entities, from large banks to small crypto ventures, are among those affected, according to the FBI. These North Korean laborers also engage in freelance gigs and subcontracting roles, presenting themselves as HVAC experts, engineers, and architects. They've generated blueprints and secured municipal approvals by leveraging AI.
Firms in Europe, along with Saudi Arabia and Australia, have likewise been affected. Officials and cybersecurity experts from the U.S., Japan, and South Korea convened in Tokyo in late August to bolster cooperative efforts against these intrusions.
This scheme stands as one of history's most remarkable international fraud operations, generating escalating risks for any business that becomes entangled. Initially, companies face a corporate security threat from foreign government agents infiltrating their internal systems.
The legal risk associated with breaching sanctions on North Korea, even if accidental, is significant. The FBI states that U.S. and global sanctions aim to isolate and penalize the aggressive rogue nation, and any violations can endanger national security for the U.S. and its partners. “This is a code red,” U.S. Attorney for D.C. Jeanine Pirro said at a press conference in July. “Your tech sectors are being infiltrated by North Korea. And when big companies are lax and they’re not doing their due diligence, they are putting America’s security at risk.”
Businesses also face the unsettling prospect that a worker, possibly earning a substantial income, might be working in circumstances that a South Korea-based NGO has characterized as “comparable to modern slavery.”
The North Korean men involved in these deceptions are, in a way, also casualties of the oppressive regime. They're sent to remote IT jobs at offshore locations, cut off from their families, and face severe consequences like physical abuse, jail time, threats against their relatives, and other human rights abuses if they don't meet the financial targets set by the North Korean government.
Call's From Inside the House
This covert weaponization of the tech-dependent global economy has ensnared every industry and company size. But it has proved incredibly difficult to find and prosecute members of this shadow workforce among the U.S.’s 6 million tech and IT employees. Those tracking the scheme say that agents hide in plain sight in the IT and tech departments of American companies: writing and testing code, discussing bugs, updating deliverables, and even joining video scrums and chatting via Slack. Over the past 12 months, the scheme has proliferated further, with a 220% worldwide increase in intrusions into companies, according to cybersecurity firm CrowdStrike.
Here’s how the international scam often works: North Korean workers, many living in four- or five-man clusters in China or Russia, use AI to create unique personas based on real, verified identities to evade background checks and other standard security measures. Sometimes they buy these identities from Americans, and other times they steal them outright. They craft detailed LinkedIn profiles, topped with a headshot—usually manipulated—with work histories and technical certifications.
Paid coconspirators in the U.S. and elsewhere physically hold on to the fraudulent workers’ company laptops and turn them on each morning so that the agents can remotely access them from other locations. The FBI has raided dozens of these sites, known as “laptop farms,” across the U.S., said CrowdStrike’s counter adversary VP Adam Meyers. And now they’re popping up overseas. “We’ve seen the operations all over,” said Meyers, “ranging from Western Europe all across to Romania and Poland.”
Law enforcement agencies have found the extensive and dispersed program, with work camps mostly situated in nations lacking significant international cooperation, to be an exasperating Whac-a-Mole scenario, leading to the apprehension of only minor participants. “Both the Chinese and Russian governments are aware these IT workers are actively defrauding and victimizing Americans,” an FBI representative informed Coins2Day. “The Chinese and Russian governments are not enforcing sanctions against these individuals operating in their country.”
Reputational risk from the intrusions has kept targeted companies largely silent so far, although federal agencies including the Department of Justice, FBI, and State Department have jointly issued dozens of public warnings to executives without naming the specific companies that have been impacted. One exception is the sneaker and apparel giant Nike, which identified itself as a victim of the scheme after discovering it had hired a North Korean operative who worked for the company in 2021 and 2022. Nike did not respond to multiple requests for comment.
“There are probably, today, somewhere between 1,000 and 10,000 fake employees working for companies around the world,” said Roger Grimes, an expert in the North Korean IT worker scheme with cybersecurity firm KnowBe4. “Most of the companies don’t talk about it when it happens—but they reach out secretly.” Grimes estimates he has spoken with executives from 50 to 75 companies that have unknowingly hired North Koreans. Even his own company is not immune: KnowBe4 last year disclosed that it unwittingly hired a North Korean worker who doctored a photo with AI and used a stolen identity.
A panel of experts convened by the UN to assess compliance with sanctions against North Korea estimates that the IT worker scheme generates between $250 million and $600 million in revenue annually from workers who transfer their earnings to the regime. The panel reported last year that IT workers in the scheme are expected to earn at least $100,000 annually. The highest earners make between $15,000 and $60,000 a month and are allowed to keep 30% of their salaries. The lowest can only keep 10%.
Businesses that hire these workers—even unintentionally—are violating regulatory and financial sanctions, which creates legal liability if U.S. law enforcement ever opted to charge companies. “The call is coming from inside the house,” said Pirro at the July press conference. “If this happened to these big banks, to these Coins2Day 500, brand-name, quintessential American companies, it can or is happening at your company. Corporations failing to verify virtual employees pose a security risk for all.”
She addressed American businesses directly, stating: “You are the first line of defense against the North Korean threat.”
The Motivation and the Impact
Concerns regarding the North Korean IT worker scheme have escalated lately, though its origins date back decades. Following a DPRK nuclear test in 2006, the UN Security Council imposed sweeping sanctions that year, subsequently intensifying them in 2017 to forbid trade and bar firms from hiring North Korean personnel.
President Donald Trump signed into law further U.S. sanctions on North Korea during his first term. The law, “Countering America’s Adversaries Through Sanctions Act,” assumes that any goods made anywhere in the world by North Korean workers should be considered the products of “forced labor” and are forbidden from entering the U.S.
Facing a cash shortage due to global sanctions, the government dispatched operatives abroad to generate funds through sectors like construction, fishing, and tobacco smuggling. Their activities later expanded into the profitable tech sector. The IT operation gained significant momentum when companies adopted remote work during the pandemic, according to Michael “Barni” Barnhart, lead investigator at cybersecurity firm DTEX Systems.
North Korea's IT operations are distinct from its army of malicious hackers, whose primary targets are ransomware and crypto heists. However, cybersecurity professionals suspect these two groups are closely linked, enabling them to exchange information and collaborate.
Grimes stated he's frequently taken aback by the boldness of IT scams. He recounted an instance to Coins2Day where a firm believed it had recruited three individuals, only to discover it was a single North Korean man operating under three distinct identities. This individual had cleverly employed the identical photograph for numerous job applications, subtly modifying it for each—altering hair length and using three separate names. “Once you see it, it’s so obvious what they’ve done,” stated Grimes. “It takes a lot of…I’m trying to think of a better term than ‘balls,’ but it takes a lot of balls to use the same picture.”
Grimes stated that recruiters sometimes initially attribute inconsistencies, such as candidates claiming Texas origins while speaking with Korean accents and displaying ignorance about their home state, to cultural differences. However, once companies are made aware of the conspiracy, identifying the fraudulent hires becomes straightforward.
In recent years, as the scheme gained wider public awareness, the FBI has observed, according to Coins2Day, a growing sense of desperation among employees, prompting a change in their methods. Consequently, there's been an increase in efforts to pilfer intellectual property and data by workers who are subsequently found out and terminated.
A recent discovery by investigators revealed a new operational setup that further obscures North Korean IT personnel. According to investigator Evan Gordenker from incident response company Palo Alto Networks, they are increasingly outsourcing the actual work to developers located in India and Pakistan. This arrangement, as described by Gordenker, results in a “Matryoshka doll” effect, establishing a proxy between the North Koreans and their clients, adding another layer of deception that complicates the identification of those responsible.
“What they’ve found is that it’s actually fairly cheap to find someone of a similar-ish skill set in Pakistan and India,” said Gordenker. It’s an alarming sign of the criminal enterprise’s success, he added: The North Korean fraudsters are so overwhelmed with work that they need to pass some of it off.
U.S. Accomplices Sought
One ex-North Korean IT worker who communicated via email with Coins2Day escaped after years inside the scheme. He lives under the alias Kim Ji-min to prevent retaliation against his family still in North Korea.
He described his approach as utilizing Facebook, LinkedIn, and Upwork to present himself as an employer seeking assistance for a software endeavor. This was detailed in an email exchange facilitated and translated by PSCORE, a non-governmental organization based in South Korea that has assisted numerous North Korean defectors. Upon receiving responses from engineers and developers to his advertisements, Kim proceeded to pilfer their identities and employ them for applications to technology positions. He stated that he was employed for e-commerce sites and in software creation for a healthcare application, though he refused to disclose the names of the businesses he worked with: “They had no idea we were from North Korea.”
Gordenker mentioned that IT professionals frequent Discord and Reddit to connect with freelancers and individuals seeking supplemental income, especially within the “r/overemployed” subreddit. He noted that the proposal is usually straightforward yet successful, stating: “It’s usually like, ‘I’m a Japanese developer. I’m looking to get established in the United States, and I’m looking for someone to serve as the face of my company in that country. Would you be willing to, for 200 bucks a week?’” Following this, the IT workers request the individual to submit images of their identification. This process can occasionally be completed in just five minutes. “Some people are sort of like, ‘Oh, $200 bucks a week? Yeah. Sign me up, absolutely,’” Gordenker commented. “It’s stunningly easy.”
In April, a Maryland resident named Minh Phuong Ngoc Vong pleaded guilty to charges that he enabled North Korean workers to utilize his identity for employment in 13 distinct positions. According to court documents, he provided his driver's license and personal information after being contacted through a video game.
The recruitment tactics can be predatory: The scheme often targets people who are down on their luck, promising them easy money for picking up a laptop or submitting to a urinalysis to pass a drug test. “They will recruit people from recovering gambling addict forums and things like that where people have debt,” Gordenker said. “They need the money badly, and that creates leverage.”
Security investigator Aidan Raney, who posed as a willing American accomplice to the scheme, learned other operational details. The agents who recruited Raney spiced up his résumé with fabricated roles at companies, and turned his headshot into a black-and-white photo so it would look different from his real LinkedIn headshot. Raney corresponded with three or four workers who all called themselves “Ben,” and the Bens submitted his details to recruiters to land him the job interviews.
“They handle essentially all the work,” said Raney, founder and CEO of security firm Farnsworth Intelligence. “What they were trying to do was use my real identity to bypass background checks and things like that, and they wanted it to be extremely close to my real-life identity.”
The American accomplice's work can be more extensive: A suburban Phoenix operation, aided by a woman named Christina Chapman, enabled North Koreans to fraudulently secure employment at 311 businesses, resulting in the workers receiving $17.1 million in wages and incentives, as detailed in the Department of Justice's 2024 indictment concerning Chapman. This operation represented the largest laptop farm uncovered to date based on its earnings. North Koreans exploited 68 stolen identities to gain employment, with Chapman assisting them in connecting remotely for interviews and communications. Prosecutors stated Chapman's share amounted to approximately $177,000, but after pleading guilty, she has received a sentence of 8.5 years imprisonment for her involvement and has been ordered to surrender illicit gains and pay penalties exceeding her total earnings from the scheme.
Nike was one of the companies that hired an IT worker in Chapman’s network, according to a victim impact statement the company filed before her sentencing. Nike paid about $75,000 to the unnamed worker over the course of five months, the letter states. “The defendant’s decision to obtain employment through Nike, via identity theft, and subsequently launder earnings to foreign state actors, was not only a violation of law—it was a betrayal of trust,” Chris Gharst, Nike’s director of global investigations, wrote to the judge. “The incident required us to expend valuable time and resources on internal investigations.”
Criminals or victims?
Investigators and law enforcement have identified individuals involved in North Korea's IT worker scheme; however, only minor participants have been apprehended and indicted in the United States to date. These workers leverage artificial intelligence along with acquired or illicit identification to create deceptive résumés and LinkedIn profiles for remote employment applications. It's thought that some of the names they use are not their real ones.
AI has breathed even more life into the operation. An August 2025 report from Anthropic revealed that North Korean agents had leveraged its Claude AI assistant to prep for interviews and get jobs in development and programming. “The most striking finding is the actors’ complete dependency on AI to function in technical roles,” the report states. “These operators do not appear to be able to write code, debug programs, or even communicate professionally without Claude’s assistance.”
The scam is concerning for the businesses affected, but the North Korean workers are in a far more dire situation, stated Bada Nam, secretary-general of PSCORE. Not reaching their monthly income targets can lead to mistreatment, physical assault, or even repatriation to North Korea, where the laborers and their relatives confront imprisonment, labor camps, and ill-treatment. While the regular availability of sustenance outside of famine-stricken North Korea might be preferable to domestic job assignments, the fierce rivalry and shame workers endure if they don't perform well have pushed some to end their lives, Nam reported. “Because of this system, [we] view these workers not simply as perpetrators of fraud or deception, but also as victims of forced labor and human rights violations,” stated Nam. “Their situation is comparable to modern slavery. Just as global consumers have become more attentive to supply chains in order to avoid supporting child labor, we believe a similar awareness is needed regarding North Korean IT workers.”
Among those investigating and attempting to reveal the extent and consequences of this fraudulent scheme is SttyK, a speaker at a Las Vegas conference. This individual, in his twenties and residing in Japan, belongs to a clandestine group of researchers focused on tracking North Korean operatives. Their findings are utilized by major cybersecurity companies. The investigative community has benefited significantly from documents and guides inadvertently posted without password protection on GitHub, an open cloud-based technology platform, which detail methods for fraudulently obtaining remote tech positions. SttyK and his collaborators have also received assistance from at least one confidential source embedded within the operation.
According to the GitHub trove, SttyK informed Coins2Day that several cultural indicators exist: North Koreans favor British English over American English in translations; their emails frequently feature numerous exclamation marks and heart emojis; and they have a strong affinity for the animated comedy series Minions, frequently employing images from its movies as their profile pictures. Communication among the IT professionals occurs via Slack, and SttyK presented a message from a North Korean supervisor urging teams to work a minimum of 14 hours daily. They log in six days weekly, and on their day off, employees engage in volleyball, meticulously documenting victors and vanquished in spreadsheets, as indicated by the GitHub documents.
Grimes stated that the system lacks strict guidelines, and the caliber of output differs greatly. Certain North Koreans excel, utilizing this to suggest acquaintances or even themselves under a different persona for fresh positions. Others simply aim to collect initial wages before facing dismissal due to subpar performance or absenteeism. “There isn’t one way of doing things,” Grimes commented. “Different teams farm out the work in different ways.”
Perpetrators turn victims
Perhaps ironically, the system's severity might actually make these agents desirable recruits for American businesses. These are tech professionals who refrain from complaining, taking personal leave, or requesting mental health days. In fact, a disquieting reality underlies this extensive arrangement: The contemporary economy values efficiency, output, and achievements. North Korean IT professionals are embracing these principles.
According to Grimes, North Koreans in job interviews project an image of enjoying their work and being content with 12-hour shifts. Companies that have been targeted have occasionally reported that their North Korean hires were their most productive staff members. This persistent dedication to work aligns with existing stereotypes of Asian immigrants' diligence, frequently overshadowing warning signs that ought to prompt suspicion. “People tell themselves all sorts of stories” to reconcile discrepancies, Grimes stated. “It’s interesting human behavior.”
Mick Baccio, president of the cybersecurity nonprofit Thrunt, went a step further, suggesting that the North Koreans infiltrating American organizations may exploit employers’ inability to distinguish between different Asian ethnic groups. “Many companies have a very Western, U.S.-centric view on the problem,” he said. “I’m half Thai and it’s hard for some people to distinguish that…It’s not malicious.”
Hyun-Seung Lee, a defector who departed North Korea a decade ago and was acquainted with some IT personnel involved in a prior version of the operation, stated that the enduring effectiveness of the plan on the North Korean end hinges on absolute loyalty to the leadership, which the government instills in its populace from early childhood. Lee suggested that prompting applicants to disparage Kim might indeed still serve to identify certain operatives. He noted that even presently, after such an extensive period, he experiences an emotional response when hearing such remarks, implying that IT workers could experience comparable reactions.
“They believe that it is their fate, their responsibility, to be loyal to the regime,” said Lee. “And they’re trying to survive.”
A hub for fraud in Arizona
Christina Chapman admitted guilt to charges concerning her involvement in operating a “laptop farm” for the North Korean operation in Phoenix's outskirts. The Department of Justice indictment details its appearance.
- 68: Stolen identities
- 311: Companies scammed
- $17.1 million: Salaries and bonuses transmitted to North Korea
- $177,000: Chapman’s earnings for her part in the scheme
This article appears in the October/November 2025 issue of Coins2Day with the headline “Espionage enters the chat.”
