North Korean Operatives Infiltrate U.S. Tech Firms Through Remote Work Scam

North Korean Operatives spam for U.S. Tech Firms Remote Work | CyberPro Magazine

U.S. cybersecurity officials are raising alarms about an expanding scheme in which North Korean operatives have posed as remote IT workers to infiltrate American tech companies. The goal: redirect lucrative salaries into North Korea’s weapons program. As remote work became more normalized after the COVID-19 pandemic, the scarcity of cybersecurity talent created fertile ground for deception.

According to industry experts, including Google Cloud’s Chief Technology Officer Charles Carmakal, this scheme has touched nearly every major tech firm, including Fortune 500 companies. Operatives use false identities, often built on stolen Social Security and passport data, to apply for roles. They create convincing LinkedIn profiles and use AI-generated deepfakes to navigate video interviews. Once hired, these individuals route their work devices to U.S.-based “laptop farms,” where accomplices keep devices online and functional. This method enables operatives to perform tasks, sometimes for multiple employers simultaneously, undetected.

SentinelOne, a cybersecurity firm, recently disclosed that it had received around 1,000 job applications from suspected North Korean actors. Other firms, such as CrowdStrike and Google Cloud, have confirmed ongoing detection efforts. Experts say this operation is “on a scale we haven’t seen before,” with tens of millions—possibly hundreds of millions—of dollars funneled to Pyongyang.

Covert Operations and the Role of Accomplices

Once inside, North Korean operatives can create severe security risks. Aside from earning substantial salaries—up to $300,000 annually, according to the FBI—some operatives embed malware in systems, allowing continued access even after being fired. These backdoors have enabled extortion schemes and unauthorized data access, increasing the pressure on affected firms.

The network behind the operation includes American collaborators. In one major case, Christina Chapman, a U.S. citizen, pleaded guilty to working with North Korean operatives for three years, helping steal identities and run a laptop farm that supported over 300 fake workers. That single scheme reportedly generated $17 million. Another federal indictment unsealed in January implicated two Americans in helping North Korean agents infiltrate 60 companies, earning $800,000.

The Justice Department and federal agencies such as the FBI and Treasury are intensifying enforcement. However, the scam’s decentralized nature, aided by AI and global reach, complicates eradication. Experts warn that dismantling laptop farms—where dozens of devices run simultaneously—is essential. Each takedown disrupts a carefully built network and costs scammers valuable digital infrastructure.

Global Spread and Corporate Silence

The threat is no longer limited to the United States. Similar tactics are emerging in the U.K., Poland, Romania, and South Asian nations. Still, many U.S. companies hesitate to go public due to potential legal consequences of inadvertently funding sanctioned entities. Hiring North Korean operatives, even unknowingly, exposes firms to compliance violations and financial risk. These workers often gain access to proprietary software and sensitive data, exacerbating the espionage threat.

Despite the risks, disclosure remains rare due to fear of reputational damage. SentinelOne’s cybersecurity VP, Brandon Wales, emphasized the need for transparency, encouraging firms to speak out to combat the scale of the problem. “We don’t want there to be a stigma,” he said. “Being open is the first step to stopping this.”
