DPRK has co-opted "Hiring the Hacker"
In this wonderfully detailed LinkedIn post, Stephen Schmidt (CSO @ Amazon) describes the trend where North Korean (DPRK) nationals land jobs in other countries. From there, the rogue employee collects wages, steals data, and extorts the victimized employer.
I have been working in security incident response roles for nearly twenty years. I've only heard of this trend post-pandemic, but immediately felt this trend would stick. It's just too smart of an attack to ignore.
Steve's post describes this problem for one of the world's biggest employers. My 2 cents: I see this firsthand with the companies I support, at very low hiring volumes. Small companies seem better at catching rogue candidates because they're so intentional with hiring. Regardless, rogue candidates keep showing up.
I believe malicious candidates are now an evergreen threat scenario. We will deal with variations of this attack forever. Attacks on the recruiting pipeline are simply too attractive to be solely pursued by DPRK.
First, pipelines are high velocity and incentivized like a sales pipeline. Recruiters are excited to hire a candidate and push them through without a critical eye for warning signs.
Second, attackers easily impersonate any attractive candidate through social media. As Steve's post mentions, you can either compromise an existing person's social media or duplicate and impersonate. AI has made it dead simple to fully impersonate them over voice, video, and even deliverable work product.
Third, recruiting software is unprepared for serious candidate verification and investigation. I expect the major platforms will catch up since they're being slammed with this problem. In the meantime, both recruiting and security teams are struggling to reason about this threat.
Lastly, a company will literally onboard the threat. It's hard to even call these attacks an intrusion when you're congratulating the threat and scheduling their intrusion with a "first day" onboarding. This approach will always work.
Many of us are figuring out the best ways to reduce the risk of hiring the hacker. In-office verification is the gold-standard mitigation for this problem in the meantime, but this simply isn't good enough.
Further Reading
- FBI / IC3 — North Korean IT Worker Threats to U.S. Businesses (PSA) (Jul 23, 2025)
- U.S. Treasury (OFAC) — Guidance: DPRK Information Technology Workers (Advisory PDF) (May 16, 2022)
- U.S. Treasury (OFAC) — Guidance: DPRK Information Technology Workers (PDF) (May 16, 2022)
- U.S. Treasury (OFAC) — DPRK IT Worker Advisory page (May 16, 2022)
- U.S. Department of State — Updated Guidance on DPRK IT Workers (Oct 18, 2023)
- U.S. DOJ — Coordinated nationwide actions to combat North Korean remote IT worker schemes (Jun 30, 2025)
- U.S. Treasury — Sanctions imposed on DPRK IT workers generating revenue for the Kim regime (Jul 8, 2025)
- U.S. State Department — Sanctioning Malicious North Korean Cyber Actors (Jul 2025)
- NYDFS — Industry Letter / Cybersecurity Advisory: Remote Workers & North Korea (Nov 1, 2024)
- MSMT — The DPRK’s Violation and Evasion of UN Sanctions through Cyber and IT Worker Activities (Report PDF) (Oct 22, 2025)
- Microsoft Threat Intelligence — Jasper Sleet: North Korean remote IT workers’ evolving tactics (Jun 30, 2025)
- Google Cloud / Mandiant — Staying a Step Ahead: Mitigating the DPRK IT Worker Threat (Sep 23, 2024)
- Google Threat Intelligence Group: DPRK IT Workers Expanding in Scope and Scale
- Palo Alto Networks Unit 42 — Global Companies Are Unknowingly Paying North Koreans (Nov 13, 2024)
- Okta — North Korea’s IT Workers expand beyond US big tech (Sep 30, 2025)
- Okta — How AI services power the DPRK’s IT contracting scams (Apr 24, 2025)
- Reuters — DOJ announces arrest, indictments in North Korean IT worker scheme (Jun 30, 2025)
- The Wall Street Journal — North Korean Spies Are Infiltrating U.S. Companies Through IT Jobs (Sep 5, 2024)
- The Washington Post — Arizona woman sentenced over $17 million North Korea worker fraud scheme (Jul 25, 2025)
- Financial Times — I’m human. Are you? The battle for our online identity (Jul 3, 2025)
- Bloomberg — Amazon Caught North Korean IT Worker by Tracing Keystroke Data (Dec 17, 2025)