North Korean spies posing as remote workers have infiltrated hundreds of companies, says CrowdStrike

Researchers at security firm CrowdStrike report a significant rise in cases where North Koreans posing as remote IT workers have infiltrated companies to generate funds for the regime. Over the past 12 months, CrowdStrike identified more than 320 incidents, marking a 220% increase from the previous year. These workers use false identities, resumes, and work histories to secure remote developer roles at Western companies.

The scheme serves two purposes: earning money for North Korea’s sanctioned nuclear weapons program and providing access to steal sensitive company data for future extortion. Estimates suggest thousands of North Korean IT workers may currently be employed by unsuspecting U.S. companies.

CrowdStrike refers to these operatives as “Famous Chollima” in its threat reports. The group leverages generative AI and deepfake technology to craft convincing resumes and alter their appearance during remote interviews. While this tactic is not new, its success rate has grown despite U.S. sanctions prohibiting the hiring of North Korean workers.

To combat this threat, CrowdStrike recommends stricter identity verification during hiring. Some cryptocurrency companies have reportedly asked job candidates to criticize North Korean leader Kim Jong Un as a screening method. Since North Korean workers are closely monitored, such requests expose fraudulent applicants.

The U.S. Department of Justice has taken action against these operations by targeting U.S.-based facilitators who assist the scheme. Authorities have also dismantled “laptop farms,” where rows of computers allow North Korean workers to appear as if they are operating within the U.S. A recent indictment revealed that one operation stole identities of 80 Americans between 2021 and 2024, enabling remote work at over 100 U.S. companies.