Last month, the U.S. Department of the Treasury sanctioned six individuals and two entities for their roles in running North Korean IT worker fraud networks targeting U.S. businesses, networks that generated nearly $800 million in 2024 alone. Six days later, threat intelligence firm Flare and IBM X-Force published a detailed operational account of those networks.
The Flare/IBM X-Force report, Inside the North Korean Infiltrator Threat, documents what daily life looks like for North Korean IT worker operatives. It describes the timesheets they keep, the slide decks they study, the fake LinkedIn profiles they build and the western collaborators they recruit to help them pass background checks.
The Treasury action names the facilitators who convert their salaries into cryptocurrency and move the money back to Pyongyang. Together, the two documents describe a mature, well-funded operation that moves through corporate hiring pipelines that HR leaders are now explicitly positioned to disrupt.
A 4-role operation built to pass screening
The fraud includes recruiters, facilitators, IT workers and western collaborators or brokers. Each role has a function in getting operatives hired and keeping them employed.
Facilitators drive the job hunt at scale. Internal documentation reviewed by Flare researchers shows assistants submitting 400 applications per day across LinkedIn, Indeed and Dice. Resumes are tailored to match the fake identity’s geography. For example, a French name gets a French developer’s resume, complete with fabricated references from real-sounding former employers. The report found evidence of workers researching how companies format employee email addresses specifically to write convincing fake reference letters.
The western collaborator is the piece that most directly undermines traditional HR screening. When one is involved, the operative uses that person’s real name, real contact information and real identity documents. The collaborator receives the company laptop, fills out I-9 paperwork, passes the background check and handles payroll. In some cases, they take employment drug tests.
North Korean IT workers “are considered elite members of North Korean society and have become an indispensable part of the overall North Korean government’s strategic objectives,” according to the report authors. Treasury’s sanctions action confirms the big bucks involved. One designated individual converted approximately $2.5 million in IT worker earnings into cryptocurrency over two years, operating out of Vietnam.
What the interview process misses
Workers are trained to clear hiring hurdles. Internal slide decks coach operatives on resume writing, job platform tactics and how to use Google search operators to find openings in targeted regions. During interviews, a Google Voice number matching the persona’s nationality is used in place of a real phone.
Candidates recruited into the operation sometimes don’t know they are working for the Democratic People’s Republic of Korea (DPRK). When this happens, recruiters present the scheme as an “early-stage stealth start-up,” offer a U.S.-based identity to use and ask if the candidate is comfortable working U.S. hours.
Some people in a hiring pipeline may themselves believe they are doing something only mildly questionable. This makes behavioral red flags harder to read and calls into question how much weight a candidate’s apparent comfort can carry in screening.
What happens after the hire
“All parties involved in the hiring and onboarding process can threat-hunt for DPRK-affiliated operators,” according to the report.
Once employed, operatives manage responsibilities like any remote employee. The primary goal is steady revenue. Secretary of the Treasury Scott Bessent said the regime “weaponizes sensitive data and extorts businesses for substantial payments.”
An operative placed at an agency gains access not just to that employer’s systems, but to plenty of connected data in client workspaces, Slack, Jira, Shopify and CRM platforms. One placement can mean a dozen downstream exposures.
The employment cycle typically ends with a performance issue such as communication problems or a performance improvement plan from HR. At that point, the operative coordinates with the collaborator to return the laptop, collects a final paycheck and begins again under a new identity.
The compliance dimension CHROs cannot ignore
According to the Treasury, a company that unknowingly processes payroll for a sanctioned individual, or whose systems are accessed by one, may face civil penalties regardless of intent.
The Flare/IBM X-Force report advises that before hiring, HR leaders should require in-person elements for remote tech roles where possible, since collaborators may be unwilling to appear in person. Treat discrepancies between a candidate’s resume and their interview responses as serious flags and watch for AI-edited profile photos and profiles with empty or generic information.
After onboarding, HR teams should schedule regular live video engagement with remote employees. The report states that operatives will avoid and eventually quit roles where consistent face-to-face interaction is expected, which makes engagement a low-cost deterrent.
“Unlike traditional threat actors, defending an organization from North Korean IT worker infiltration is not solely the domain of security teams,” according to the report authors. Instead, this is a “joint effort between human resources, security operations, hiring managers and interviewers.”
The post How North Korean operatives get hired, and how HR can stop them appeared first on HR Executive.