Infiltrations no longer always start with phishing or exposed vulnerabilities. In some cases, they start with a job interview. Networks linked to North Korea have been posing as developers and remote professionals for years to secure employment in Western firms and use that access for economic and operational purposes.
According to data collected by outlets such as Xataka and CNN, this model reportedly affected hundreds of companies, especially in the United States, between 2020 and 2024, generating millions of dollars. The scheme relies on false professional identities, credible LinkedIn profiles, and resumes specifically designed to bypass automated filters and increasingly standardized selection processes. Artificial intelligence tools have raised the bar: they make it possible to refine communication, adapt profiles, and reduce the signals that used to betray such operations.
During interviews, some operatives go further and use video filters, avatars, or even real intermediaries to simulate local presence. This allows them to pass basic verifications and complete hiring processes without raising suspicion. Once inside, the risk is no longer theoretical: it's not just about salary fraud but actual access to corporate systems.
In some cases, these schemes include intercepting company laptops, establishing persistent access to internal infrastructure, stealing sensitive information, and even the possibility of deploying malware from within the organization. It’s legitimate access turned into an attack vector.
The underlying problem is not only technical but organizational. Many companies still treat remote hiring solely as a human resources process when it has already become part of the attack surface. Validating skills without rigorously validating the candidate's identity, location, or technical environment opens a direct door to hostile actors.
This type of campaign reflects a profound change in tactics: instead of forcing an entry, attackers manage to invite themselves inside. And once in, they operate with the legitimacy of another employee.
North Korea Uses Fake Remote Workers to Infiltrate U.S. Companies
Summary: The scheme, documented in more than 300 U.S. firms between 2020 and 2024, combines false identities, manipulated LinkedIn profiles, remote interviews, and access to company laptops to embed North Korean operations within U.S. companies.
Key facts
- The scheme reportedly affected more than 300 U.S. firms between 2020 and 2024
- According to data cited from Xataka, the operation generated at least $6.8 million
- The tactic combines false profiles, remote interviews, and access to company equipment
Why it matters
Remote hiring has become a real intrusion vector. A company can unwittingly incorporate a hostile actor who has legitimate access to data, systems, and internal processes.