
Inside North Korea's Shadow Workforce

How Pyongyang's IT Army Infiltrated Hundreds of American Companies

An industrial-scale operation deploying thousands of fake remote workers — armed with stolen identities, AI deepfakes, and U.S.-based facilitators — has siphoned hundreds of millions of dollars into Kim Jong Un's weapons programs while stealing sensitive American technology. Federal law enforcement is playing catch-up against a threat that has already penetrated Fortune 500 boardrooms, defense contractors, and even cybersecurity firms themselves.

Bottom Line Up Front

The Democratic People's Republic of Korea (DPRK) has built a state-directed, large-scale remote-work fraud operation deploying thousands of IT workers who use stolen American identities, AI-generated deepfakes, and a network of U.S.-based accomplices — called "laptop farm" operators — to fraudulently gain employment at American companies. The operation generates an estimated $600 million to $800 million annually for Pyongyang's sanctioned weapons programs. The U.S. Department of Justice has pursued multiple waves of indictments since 2022, seizing more than $15 million in cryptocurrency, raiding 29 laptop farms across 16 states, and charging American facilitators ranging from suburban homemakers to an active-duty U.S. Army soldier. CrowdStrike documented a 220% year-over-year surge in confirmed infiltration cases through mid-2025. The threat has expanded beyond software roles into customer service, financial processing, insurance, and AI development — and is now spreading into Europe and Latin America.

Somewhere in a dormitory-style complex in China's Liaoning province — a strip of land hugging the North Korean border — a team of young men sits in rows before glowing laptop screens. They are working simultaneously for multiple American companies, holding down jobs with names like "full-stack developer," "AI engineer," and "DevOps specialist." Their American colleagues know them by Western names: Paul, Jeremy, Joe. Their résumés list degrees from U.S. universities and stints at blue-chip firms. Their LinkedIn headshots are AI-modified stock photographs.

They are North Korean government agents, and they are stealing America blind.

This is not a fringe intelligence concern or a modest espionage footnote. It is, according to multiple federal law enforcement agencies, a sprawling, decade-in-the-making operation that has generated billions of dollars for Kim Jong Un's regime, infiltrated hundreds of American corporations, compromised sensitive defense-related technology, and exploited the very openness of the post-pandemic remote-work economy. And it is accelerating.

The Scale of the Infiltration

The numbers are staggering. CrowdStrike, one of the world's foremost cybersecurity firms, investigated more than 320 confirmed incidents in the twelve-month period ending June 2025 — a 220 percent year-over-year increase — in which North Korean operatives fraudulently gained employment at Western companies as remote IT developers. The company's analysts say they were encountering these operatives "almost daily." The group responsible, which CrowdStrike tracks under the codename "Famous Chollima," has expanded its operations to Europe, Latin America, and beyond.

"There are probably, today, somewhere between 1,000 and 10,000 fake employees working for companies around the world."
Roger Grimes, KnowBe4 Data-Driven Defense Evangelist

Between 2020 and 2022 alone, the U.S. government found that more than 300 American companies — including several Fortune 500 firms — had unknowingly employed these workers, with operatives even attempting to gain access at two federal government agencies. Since then, the scale has only grown. The cybersecurity firm KnowBe4 estimates the total number of fake DPRK employees currently embedded in global companies runs "somewhere between 1,000 and 10,000," according to Roger Grimes, the firm's data-driven defense evangelist.

The financial stakes match the ambition. The United Nations Panel of Experts on North Korea sanctions estimates the scheme generates between $250 million and $600 million annually. A U.S. State Department-led sanctions monitoring assessment placed 2024 earnings as high as $800 million. Congressional testimony from Bruce Klingner, a former CIA deputy division chief for Korea, established that individual North Korean IT workers can earn more than $300,000 per year — with as much as 90 percent of those wages remitted directly back to Pyongyang, where the funds help finance the regime's sanctioned ballistic missile and nuclear weapons programs.

A Decade in the Making: The Educational Pipeline

The scheme did not spring up overnight. North Korea began building its cyber workforce systematically more than a decade ago, according to a comprehensive 2025 analysis by DTEX Systems, a risk-adaptive behavioral intelligence firm that has tracked DPRK cyber units for years. The regime identifies promising students at an early age and steers them into elite computer science and hacking curricula in Pyongyang, ultimately funneling graduates into military and state cyber units. These units operate under a rigorous self-funding mandate: each team is responsible for generating its own operational budget and meeting monthly revenue quotas — with failure inviting severe personal consequences.

DTEX's 2025 organizational assessment identified a newly prioritized internal structure, including an AI-driven research center designated "Research Center 227," decentralized offensive cyber cells, and the talent pipeline feeding them. In 2025, North Korea reportedly doubled monthly earnings quotas for overseas workers based in China — a pressure that, analysts believe, is driving the escalating pace of intrusions and the recent surge in extortion attempts against victimized companies.

The workers themselves are, in many respects, victims. KnowBe4 has described the participants as caught in a form of state-directed human trafficking. They receive a fraction of what they earn, work under intensive surveillance, and have their family members held in North Korea as effective hostages to ensure compliance. Images obtained by CNN journalists and geolocated to Liaoning province show workers living in dormitory housing, sharing meals, and operating under controlled conditions — though with access to outside restaurants and basic freedoms unavailable to most North Korean citizens.

How the Scheme Works: From Application to Paycheck

The operational mechanics of North Korea's remote IT worker scheme have been extensively documented in court filings, FBI public service announcements, and private-sector research. The scheme functions as an industrial assembly line, with specialized roles for each stage.

Operatives — typically teams of four to five workers — create dozens of synthetic or stolen identities, complete with fabricated résumés listing degrees from American universities and employment histories at recognizable tech companies. Many profiles bear common Western names and use stock photographs altered by AI to create convincing headshots. They mass-apply to remote positions across every major job platform: Indeed, LinkedIn, and company-specific portals. One operative investigated by corporate security firm Nisos, working with the FBI, applied to roughly 5,000 jobs in a single year. Nisos's investigation identified a network of at least 20 North Korean operatives who had collectively applied to at least 160,000 roles.

How Laptop Farms Work

When a North Korean operative is hired, the employer ships a company-issued laptop to what appears to be a U.S. residential address. That address is, in fact, a "laptop farm" — a location managed by an American facilitator who receives the device, connects it to remote access software, and routes it to the actual worker overseas. The worker then logs in during U.S. business hours (often overnight in their local time zone), performs their job functions, collects their paycheck, and routes up to 90% of their earnings back to North Korea through cryptocurrency exchanges and money laundering networks. In the June 2025 federal sweep, the FBI seized approximately 137 laptops and raided 29 known or suspected laptop farm locations across 16 states.

Once hired, the operative directs the employer to ship company equipment to a U.S. address controlled by an American facilitator — the "laptop farm" operator. That person receives the device, installs unauthorized remote-access software, and routes control of the machine to the actual worker abroad, who logs in during American business hours while physically located in China, Russia, Laos, or another jurisdiction friendly to Pyongyang. The operative then holds the job, collects paychecks, and rotates earnings through cryptocurrency wallets and shell companies before remitting the bulk to North Korea. They work multiple jobs simultaneously — in some documented cases, more than half a dozen at once — and continue until detected and terminated, at which point they repeat the process under a new identity.

Artificial Intelligence: The Force Multiplier

If the remote-work economy created the opportunity, artificial intelligence has become the weapon that makes the scheme nearly unstoppable at scale. CrowdStrike's threat-hunting team found that Famous Chollima operatives deploy generative AI "across all stages of their operation" — drafting résumés, constructing false identities, building job-research tools, masking their appearance during video interviews, answering technical coding challenges in real time, and managing the day-to-day communications of multiple simultaneous jobs.

"Using a real-time deepfake plausibly allows a single operator to interview for the same position multiple times using different synthetic personas, enhancing the odds that the operator will get hired," CrowdStrike stated in its 2025 Threat Hunting Report. Investigators observed operatives actively paying for premium subscriptions to deepfake face-swapping services during live operations. Microsoft's Threat Intelligence team documented specific visual artifacts that betray deepfake usage in video calls — temporal consistency failures, occlusion errors when objects pass in front of the face, and audio-visual synchronization delays — but noted that most corporate hiring managers lack the training to recognize these signals.

An August 2025 report by Anthropic disclosed that North Korean operatives had leveraged its Claude AI assistant to prepare for interviews and complete daily work tasks. "The most striking finding is the actors' complete dependency on AI to function in technical roles," the report stated, finding that "these operators do not appear to be able to write code, debug programs, or even communicate professionally without Claude's assistance." North Korea's operatives have also been found using AI chatbots to manage Slack communications, draft emails, and respond to colleagues — maintaining the illusion of a fluent, competent remote employee across multiple employers simultaneously.

American Enablers: The Human Network Inside the United States

No aspect of this scheme has proven more legally significant — or more surprising to the American public — than the role of domestic facilitators. The FBI has stated plainly: "They could never pull this off if they didn't have willing facilitators in the U.S. helping them."

"She knew that she was working for individuals abroad. She knew that they were using false identities. She knew that she was forging documents."
Acting Asst. Attorney General Matthew Galeotti, on convicted facilitator Christina Marie Chapman

The most prominent domestic enabler prosecuted to date is Christina Marie Chapman, an Arizona woman who — despite having no background in technology — was recruited through LinkedIn by North Korean operatives around October 2020. Chapman hosted a laptop farm in her Litchfield Park home that, at its peak, managed as many as 90 laptops simultaneously for DPRK IT workers. She submitted false documentation to the U.S. Department of Labor on their behalf, provided residential addresses for equipment shipments, and shipped laptops to Liaoning province. Among the companies targeted: Nike, which unknowingly paid more than $75,000 to a North Korean employee. Chapman pleaded guilty in February 2025 to wire fraud conspiracy, aggravated identity theft, and money laundering conspiracy.

Chapman was far from alone. In the January 2025 indictment of five defendants announced by the DOJ, American nationals Erick Ntekereze Prince and Emanuel Ashtor were charged with running a laptop farm in North Carolina, hosting company devices and installing remote-access software so North Korean workers could appear to be operating from American soil. Prince subsequently pleaded guilty to wire fraud conspiracy, admitting that through his company Taggcar Inc. he had knowingly placed North Korean workers with U.S. companies from 2020 through 2024 and earned more than $89,000 for his participation. Oleksandr Didenko, a Ukrainian national, ran laptop farms and provided forged identities enabling North Korean operatives to gain employment at 40 U.S. businesses. The DOJ's November 2025 enforcement sweep identified 136 U.S. victim companies in a single case cluster, with facilitators in both the United States and Ukraine.

Most shocking among the charged facilitators: an active-duty member of the United States Army was federally charged for his alleged role in the scheme. In total, at least 10 alleged U.S.-based facilitators have been federally charged, and at least six more have been identified in court documents but not publicly named.

Stolen Secrets and Escalating Extortion

What began as a sanctions-evasion paycheck scheme has evolved into something far more dangerous. Federal prosecutors have documented multiple cases in which DPRK IT workers did not merely collect wages — they stole sensitive proprietary data and weaponized it.

In one case prosecuted by the DOJ, a North Korean worker stole sensitive information related to U.S. military technology controlled under International Traffic in Arms Regulations (ITAR). In the June 2025 federal sweep, it was established that a co-conspirator remotely accessed a California-based defense contractor's systems — an AI-powered military equipment developer — and exfiltrated ITAR-controlled technical data. In a separate case, a North Korean operative used an American accomplice's identification to gain access to government facilities, networks, and systems.

At least three organizations have been extorted, suffering hundreds of thousands of dollars in damages after DPRK operatives posted proprietary information online following termination. The FBI's January 2025 public service announcement specifically warned that North Korean IT workers are now actively targeting larger enterprises and escalating extortion attempts — a shift analysts tie directly to the increased monthly revenue quotas imposed by Pyongyang. In the Atlanta case unsealed as part of the June 2025 sweep, DPRK workers stole virtual currency worth approximately $900,000 from a blockchain research and development firm.

North Korean hacking units — operating in parallel to the IT worker scheme — have also achieved devastating results in cryptocurrency theft. The DPRK-affiliated group APT38's subunit TraderTraitor stole $1.4 billion from cryptocurrency exchange Bybit in February 2025, following a $625 million theft from Axie Infinity in 2022 and $308 million from Japan-based Bitcoin.DMM.com in May 2024. The DOJ's November 2025 enforcement actions included civil forfeiture complaints seeking to recover more than $15 million in USDT seized from APT38 actors.

Federal Response: Raids, Indictments, and a Sprawling Initiative

The U.S. government's response has grown substantially in scale and coordination. The DOJ launched its DPRK RevGen: Domestic Enabler Initiative in March 2024, a joint effort between the National Security Division and the FBI's Cyber and Counterintelligence Divisions that explicitly prioritizes the prosecution of U.S.-based facilitators alongside North Korean operatives themselves.

The initiative has produced successive waves of enforcement. In October 2024, federal agents executed searches at eight locations across three states, recovering more than 70 laptops and remote-access devices. In June 2025, the FBI conducted its most sweeping action yet: searches of 21 premises across 14 states, seizure of approximately 137 laptops, raids on 29 known or suspected laptop farms across 16 states, and the seizure of 29 financial accounts and 21 fraudulent websites. By November 2025, the DOJ announced four additional guilty pleas and more than $15 million in civil forfeitures.

The Treasury Department's Office of Foreign Assets Control (OFAC) moved concurrently, imposing sanctions in two July 2025 actions and a further August 2025 action on individuals and entities facilitating the scheme — including citizens of Russia, China, India, and Burma, and companies in Russia, China, and Hong Kong, underscoring the scheme's global infrastructure. The State Department has offered up to $15 million for information on North Korean nationals involved in these networks.

In December 2024, the DOJ indicted 14 North Korean nationals for allegedly generating $88 million over six years. The January 2025 indictment of Jin Sung-Il and Pak Jin-Song, along with their three facilitators, alleged that the scheme obtained work from at least 64 U.S. companies over six years, earning at least $866,255 — most of it laundered through a Chinese bank account. Despite this pressure, FBI Assistant Director Roman Rozhavsky stated: "We believe there are many more hundreds of people out there who are participating in these schemes."

The KnowBe4 Wake-Up Call — and What Followed

No single incident better encapsulated the threat's reach than the July 2024 disclosure by KnowBe4, itself a cybersecurity training company, that it had unwittingly hired a North Korean operative as a remote software engineer. The individual passed multiple video interviews, background checks, and reference verifications. The deception was detected only when KnowBe4's Security Operations Center flagged suspicious activity — the new hire was installing malware on a company-issued MacBook within days of receiving it. The returned laptop arrived in its original packaging with a Post-it note reading "KnowBe4" — indicating it had passed through a laptop farm that labeled devices by client.

Within weeks of KnowBe4's public disclosure, more than a dozen other organizations quietly reached out to confirm they had experienced similar incidents. Companies ranging from Fortune 500 firms to businesses with as few as 12 employees had been victimized. KnowBe4 now estimates it receives at least 100 applications from suspected North Korean IT workers per year — and acknowledges that for companies hiring remote-only programmers, North Korean operatives sometimes constitute the majority of applicants received.

New Frontiers: Fake Job Portals, AI Exploitation, and European Expansion

Security researchers have recently uncovered a new dimension of the threat: North Korean operatives are now creating fake job application portals that impersonate major American AI and cryptocurrency companies — including Anthropic — designed not to place North Koreans in jobs, but to infect legitimate job applicants' systems with malware. CNN reported in November 2025 that one such platform mimicked the interface of Lever, a widely-used recruiting platform, and advertised fictitious positions including a "product manager" role associated with Anthropic's Claude AI system.

CrowdStrike has also documented the scheme's geographic expansion, identifying new laptop farms in Poland and Romania — with North Korean operatives posing as Polish or Romanian developers to gain European employment. The typical deception mirrors what has worked in the United States: after being hired, the operative requests that a company laptop be shipped to an alternate address, citing a family or medical emergency.

The scheme is also diversifying beyond software development. According to investigators, North Korean IT teams are now subcontracting work to developers in Pakistan, Nigeria, and India, and expanding into customer service, financial processing, insurance, and translation services — roles that draw far less scrutiny than software engineering but provide equally valuable network access.

What Companies Can Do

Legal and cybersecurity experts are increasingly clear that traditional hiring processes are insufficient against a nation-state adversary with effectively unlimited personnel and a decade of operational refinement. Recommendations from the FBI, DTEX, Microsoft, KnowBe4, and CrowdStrike converge on several core measures.

Companies should require government-issued identification to be displayed during live video calls, and should explicitly prohibit background blur, AI filters, or virtual backgrounds during interviews. Hiring managers should ask candidates to perform specific physical actions — moving objects, walking to a window — to verify they are not presenting a deepfake. Interviewers experienced with the scheme recommend asking candidates about local restaurants, hobbies, and personal details: North Korean workers, whose lives are heavily regulated by the state, typically "fall apart" when asked to speak naturally about personal experiences.

Technical safeguards should include geolocation tracking of issued devices, device binding to prevent unauthorized use, multi-factor authentication, and monitoring for anomalous login activity — particularly simultaneous logins from multiple devices or geographically implausible access patterns. DTEX recommends monitoring for employees who consistently work extraordinarily long hours compared to peers, which often indicates a worker managing multiple simultaneous fraudulent jobs. Any request to redirect a company laptop shipment to a new address should trigger immediate escalation.

Companies should also perform sanctions screenings on new hires. OFAC penalties for employing North Korean workers are strict-liability: a company can face civil penalties even if it was unaware of the worker's origin. The DOJ has signaled that companies that discover suspected DPRK workers and fail to report or investigate the matter may face heightened regulatory scrutiny.


This investigation synthesizes reporting from the U.S. Department of Justice, Federal Bureau of Investigation, CrowdStrike, DTEX Systems, Microsoft Threat Intelligence, KnowBe4, NBC News, CNN, Nisos, and court records filed in federal jurisdictions including the District of Massachusetts, Southern District of Florida, and District of Columbia. Verified sources with formal citations appear below.

Verified Sources & Formal Citations

[1] Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote IT Workers' Illicit Revenue Generation Schemes
U.S. Department of Justice — Office of Public Affairs · June 30, 2025
[2] Two North Korean Nationals and Three Facilitators Indicted for Multi-Year Fraudulent Remote IT Worker Scheme
U.S. Department of Justice — Office of Public Affairs · January 23, 2025
[3] Justice Department Announces Nationwide Actions to Combat Illicit North Korean Government Revenue Generation
U.S. Department of Justice — Office of Public Affairs · November 14, 2025
[4] Department Files Civil Forfeiture Complaint Against Over $7.74M Laundered on Behalf of the North Korean Government
U.S. Department of Justice — Office of Public Affairs · July 9, 2025
[5] CrowdStrike 2025 Threat Hunting Report — Famous Chollima / North Korean IT Worker Infiltrations Up 220%
CrowdStrike · August 4, 2025 (via TechCrunch and CyberScoop reporting)
[6] Exposing DPRK's Cyber Syndicate and Hidden IT Workforce
DTEX Systems (i³ Report) · 2025
[7] Jasper Sleet: North Korean Remote IT Workers' Evolving Tactics to Infiltrate Organizations
Microsoft Threat Intelligence Blog · June 30, 2025
[8] North Korean IT Worker Infiltrations Exploded 220%, With Gen AI Weaponized at Every Stage of Hiring
Fortune · August 4, 2025
[9] North Korean Spies Posing as Remote Workers Have Infiltrated Hundreds of Companies
TechCrunch · August 4, 2025
[10] How North Korean IT Workers Leverage AI and Vulnerable Americans to Infiltrate U.S. Companies (Interactive)
CNN Investigations · August 5, 2025
[11] North Korean Operatives Running Fake Job Portal Targeting U.S. AI Firms
CNN Politics · November 20, 2025
[12] Cyber Firm KnowBe4 Hired a Fake IT Worker from North Korea
CyberScoop · July 24, 2024
[13] KnowBe4 Interviews a Fake North Korean Employee (Blog Post / White Paper)
KnowBe4 — Roger Grimes · March 1, 2025
[14] Security Firm's North Korean Hacker Hire Not Unique (KnowBe4 White Paper Coverage)
Dark Reading · September 19, 2024
[15] North Korean Agents Pretending to Be IT Guys Have Funneled Up to $1 Billion Into Kim Jong Un's Nuclear Program
Fortune · October/November 2025
[16] Feds Uncover Remote Tech Workers Scheme to Benefit North Korea
UPI · June 30, 2025
[17] DOJ Indicts Five in North Korean Fake IT Worker Scheme
CyberScoop · January 23, 2025
[18] DOJ Announces Major Enforcement Actions Targeting North Korean Remote IT Worker Schemes
Crowell & Moring LLP (Legal Analysis) · November 18, 2025
[19] From Deepfakes to Sanctions Violations: The Rise of North Korean Remote IT Worker Schemes
Crowell & Moring LLP (Legal Analysis) · 2025
[20] North Korean Workers Are Taking Remote U.S. Jobs. This Company Set a Trap to Expose One. (Nisos / NBC News Investigation)
NBC News Investigations · March 16, 2026
[21] i³ Threat Advisory: Inside the DPRK — Spotting Malicious Remote IT Applicants
DTEX Systems · Updated December 21, 2025
[22] DOJ Indicts Two Americans in North Korean IT Worker Scam
Axios · January 24, 2025
2026 The Epoch Times (Investigative Format Reproduction). All reporting based on publicly available federal court records, official government releases, and verified open-source research. This document is produced for informational and educational purposes.
