North Korean IT workers are utilizing sophisticated identity theft and organized command structures to secure remote positions at global companies. By employing AI-enhanced communication and recruiting third-party “partners” to lend identities, these state-sponsored workers bypass traditional cybersecurity measures to funnel foreign currency to the North Korean regime.
How are North Korean IT workers bypassing global security?
State-sponsored workers use highly specific operational protocols to mimic legitimate foreign developers. According to a BBC investigation, these individuals follow strict “internal rules” designed to prevent digital footprints from linking back to North Korea.
One such protocol, referred to as the “Upwork 12” rule, explicitly instructs workers never to log into personal Gmail accounts on the same device used for professional tasks. This prevents cross-contamination of identity data that could alert security software to multiple personas operating from a single IP address.
To further evade detection, workers manipulate their digital behavior to match specific geographic regions. For example, instructions have been found directing workers to respond to client messages according to Serbian time zones, regardless of their actual location. They also use AI tools to refine their English, ensuring their resumes and interview responses appear native.
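The two signals these protocols are designed to suppress, several personas on one source IP and activity that does not fit the claimed time zone, are what a defender can still look for. The following is an added illustration, not code from the BBC, Logpresso or Group-IB material cited here; all persona names, IPs and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample activity records (hypothetical, not from the article):
# (persona, source_ip, event time in UTC, claimed UTC offset in hours)
# +1 stands in for Belgrade (CET) in early March, -6 for Chicago (CST).
SAMPLE_EVENTS = [
    ("dev_alice", "203.0.113.7", "2024-03-04T08:15:00Z", 1),
    ("dev_alice", "203.0.113.7", "2024-03-04T09:40:00Z", 1),
    ("dev_alice", "203.0.113.7", "2024-03-05T01:30:00Z", 1),  # 02:30 local
    ("dev_alice", "203.0.113.7", "2024-03-06T02:10:00Z", 1),  # 03:10 local
    ("dev_alice", "203.0.113.7", "2024-03-07T01:55:00Z", 1),  # 02:55 local
    ("dev_marko", "203.0.113.7", "2024-03-04T10:05:00Z", 1),
    ("dev_sam", "198.51.100.4", "2024-03-04T14:00:00Z", -6),  # 08:00 local
    ("dev_sam", "198.51.100.4", "2024-03-05T15:30:00Z", -6),  # 09:30 local
]


def shared_ips(events, min_personas=2):
    """Return {ip: sorted personas} for IPs used by at least min_personas distinct personas."""
    by_ip = defaultdict(set)
    for persona, ip, _, _ in events:
        by_ip[ip].add(persona)
    return {ip: sorted(p) for ip, p in by_ip.items() if len(p) >= min_personas}


def off_hours_ratio(events, start_hour=7, end_hour=20):
    """Fraction of each persona's events outside [start_hour, end_hour) in the claimed zone."""
    counts = defaultdict(lambda: [0, 0])  # persona -> [off_hours_events, total_events]
    for persona, _, ts, offset_hours in events:
        utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        local = utc.astimezone(timezone(timedelta(hours=offset_hours)))
        counts[persona][1] += 1
        if not start_hour <= local.hour < end_hour:
            counts[persona][0] += 1
    return {p: off / total for p, (off, total) in counts.items()}


def flag_personas(events, off_hours_threshold=0.5):
    """Combine both heuristics into {persona: [reasons]} for an analyst to review."""
    reasons = defaultdict(list)
    for ip, personas in shared_ips(events).items():
        for p in personas:
            reasons[p].append(f"shares_ip:{ip}")
    for p, ratio in off_hours_ratio(events).items():
        if ratio >= off_hours_threshold:
            reasons[p].append(f"off_hours:{ratio:.2f}")
    return dict(reasons)


if __name__ == "__main__":
    for persona, why in flag_personas(SAMPLE_EVENTS).items():
        print(persona, why)
```

Neither signal is proof on its own (shared NAT addresses and night-owl contractors exist), so the output is a review queue, not a verdict.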
What does the organizational structure of these cyber units look like?
Evidence suggests these operations are not individual efforts but are managed through a rigid, multi-tiered hierarchy. Analysis of internal messenger logs by cybersecurity firm Logpresso revealed a coordinated system involving at least 27 unique IDs and more than 33 computers within a single organization.

According to Anastasia Tikhonova, a research lead at Group-IB, the organization functions in four distinct layers to maximize efficiency and minimize the risk of total exposure:
- Upper Management: Responsible for overall security and internal discipline.
- Middle Management: Oversees the assignment of specific technical tasks.
- Support Staff: Prepares fraudulent resumes and manages stolen or rented accounts.
- IT Workers: The bottom-tier laborers who perform the actual remote development work.
This division of labor allows the regime to scale its operations. If a single worker is caught, the specialized support and management layers remain insulated from discovery.
How is “identity fishing” used to expand their reach?
The recruitment of fake identities has expanded beyond simple hacking to a tactic known as “identity fishing.” North Korean operatives use social platforms like Telegram and Discord to scout for “partners”—individuals willing to lend their names, birthdays, and professional accounts (such as LinkedIn or Upwork) for a fee.
These operatives often approach potential partners via penpal or dating sites, building trust through friendly conversation before offering a commission of 10% to 15% of the worker’s monthly earnings. This method provides the regime with a continuous stream of legitimate-looking credentials that are difficult for automated security systems to flag.
The scale of this operation is significant. Kim Hyun-kyu, a North Korean defector who previously worked in the IT sector, estimates that there are between 6,000 and 7,000 North Korean IT workers, with approximately 3,000 stationed permanently in China, Southeast Asia, and Russia.
What are the future risks for remote-first companies?
As generative AI becomes more integrated into the workforce, the ability of North Korean operatives to deceive employers is expected to increase. The convergence of AI-driven language modeling and organized identity theft creates a high-probability threat for the global remote-work economy.
Future trends suggest three primary areas of concern for cybersecurity professionals:
- Hyper-Realistic Deepfake Interviews: The use of AI to simulate native-level speech and even facial movements during video interviews could render traditional identity verification obsolete.
- Decentralized Identity Brokers: The reliance on third-party “brokers” in neutral countries makes it harder for investigators to trace the financial flow back to Pyongyang.
- Automated Social Engineering: Using large language models to automate the “fishing” process on social media, allowing state actors to target thousands of potential identity partners simultaneously.
Frequently Asked Questions
How do North Korean workers hide their location?
They use specific time-zone synchronization, VPNs, and strict rules regarding which accounts can be accessed from specific hardware to avoid creating a traceable digital trail.

Why is it hard for companies to detect these workers?
Because they use stolen or rented identities of real people and employ AI to perfect their communication, they often appear indistinguishable from legitimate remote contractors.
What is the financial motivation for the North Korean regime?
The regime uses these workers to bypass international sanctions and funnel foreign currency into the state. Workers often face high monthly quotas, sometimes reaching $7,000, of which they keep only a small fraction.
