A “mini army” of North Korean IT operatives is increasingly using AI to pose as workers, secure jobs and earn wages at some of Europe’s biggest companies.
Cyber experts say the “fake worker” phenomenon stems almost exclusively from Kim Jong Un’s regime, which has become a global expert in full-scale deception to earn US dollars.
North Korean operatives posing as remote workers infiltrated more than 300 US companies between 2020 and 2024, generating at least $6.8 million (€5.9 million) for Pyongyang, according to Department of Justice figures.
Hackers pose as IDF to sneak spyware onto Israelis’ phones
Jamie Collier, lead adviser in Europe at Google Threat Intelligence Group, told the FT there were now indications that the phenomenon was spreading to Europe, with North Korean agents setting up “laptop farms” in the UK.
“Recruitment has not naturally been seen as a security issue, so it’s an area of weakness in companies’ systems and these operatives are targeting that vulnerability,” he said.
Collier added: “When we had to tell a client that one of their workers was actually a fake North Korean operative, the feedback was ‘are you 100% sure, because he’s one of our best employees’.”
The scam typically involves stealing an identity, sometimes by hijacking dormant LinkedIn accounts or even paying the account holders for access. After forging CVs and identity documents and relying on other operatives to provide LinkedIn endorsements, the fake workers then use AI to create digital masks or avatars and deepfake video filters to appear in remote job interviews.
AI-powered fraud is key challenge for Luxembourg’s banks
Alex Laurie, chief technology officer at cyber security firm Ping Identity, said the use of AI had radically enhanced false applicants’ credibility.
“By using large language models, operatives can generate culturally appropriate names and matching email address formats, ensuring that their communications do not trigger linguistic or cultural ‘red flags’ that previously spotted such scams,” he said.
“The future of UK national security will be determined by the ability of its corporate sector to authenticate its workforce in the face of persistent, AI-enhanced adversarial impact.”
After many companies tightened their online recruitment processes amid concerns that applicants were using AI prompts and answers, North Korean operatives started paying real people, or “facilitators”, to be interviewed online instead, experts say.
Staff warn junior jobs disappearing as finance firms send work offshore
The second stage of the scam typically involves intercepting laptops sent to new starters by companies, then logging in remotely and using LLMs and chatbot commands to undertake tasks — sometimes working multiple jobs.
Rafe Pilling, director of threat intelligence at Sophos’ counter-threat unit, called it a state-backed enterprise: “A mini army of North Koreans have been targeting high-salary, fully remote tech jobs. Framing themselves as talent with around seven to 10 years’ experience, getting jobs, drawing a salary — rinse and repeat.”
How criminal organisations target young people in Luxembourg
In a January LinkedIn post, Amazon’s security chief Stephen Schmidt said Amazon had stopped more than 1,800 suspected North Korean operatives from getting jobs since April 2024.
These were increasingly targeting AI and machine learning roles, he said: “This isn’t Amazon specific — this is likely happening at scale across the industry.”
Cyber security firm KnowBe4 was one of the first US companies to admit that it had fallen victim to such a scam. In this case the fake worker was motivated by a desire to gain access to the firm’s security systems and had attempted to load malware before being identified.
