In an era where remote work has become the norm, companies are facing a new and insidious threat: “fake workers” from North Korea using advanced AI tools to secure high-paying jobs and funnel millions back to the regime.
This sophisticated scam, highlighted in a recent Financial Times report, involves operatives posing as legitimate IT professionals, often juggling multiple roles through chatbots and deepfake technology. But this isn’t an isolated incident – similar schemes have been uncovered across numerous sources, targeting major corporations and generating substantial revenue for Pyongyang’s weapons programs.
Understanding the “Fake Worker” Phenomenon
The core of this operation stems from North Korea’s need to bypass international sanctions and generate foreign currency. Operatives steal identities – sometimes by hacking dormant LinkedIn accounts or even by compensating account holders for access – and then forge resumes and documents. AI plays a pivotal role here, creating digital masks, avatars, and deepfake video filters for remote interviews. Once hired, they intercept company-issued laptops, log in remotely, and use large language models (LLMs), such as chatbots, to perform tasks efficiently, sometimes across several jobs simultaneously.
According to the US Department of Justice, North Korean operatives infiltrated over 300 US companies between 2020 and 2024, generating at least $6.8 million for the regime. This money supports Pyongyang’s economic and security priorities, including weapons development. Cyber experts note that the scam is now expanding into Europe, with “laptop farms” appearing in the UK, exploiting vulnerabilities in recruitment processes that have traditionally not been viewed as security risks.
Real-World Examples from Across the Globe
This isn’t just theoretical; multiple investigations and reports detail specific infiltrations and tactics:
- KnowBe4’s Close Call: The cybersecurity firm KnowBe4 was one of the first to publicly admit hiring a fake North Korean worker. The operative, motivated to access internal systems, attempted to deploy malware before being detected. This case underscores how these “employees” aren’t just siphoning salaries—they’re also positioning for cyber espionage.
- Amazon’s Massive Block: In a LinkedIn post, Amazon’s security chief revealed that the company halted over 1,800 suspected North Korean operatives from securing jobs since April 2024. These applicants increasingly targeted AI and machine learning roles, highlighting a shift toward high-value tech positions.
- CrowdStrike’s Alarming Surge: Cybersecurity firm CrowdStrike reported a 220% increase in North Korean IT worker infiltrations over the past year, affecting over 320 companies. They use generative AI for everything from forging synthetic identities and altering photos to real-time deepfakes in interviews, allowing a single operator to apply multiple times under different personas.
- Microsoft’s Warnings: Microsoft has observed North Korean groups leveraging AI to create fake names, modify stolen IDs, and use voice-changing tools during interviews. This enhances the credibility of applicants, who then funnel wages back to the state. The scam often involves “facilitators” in target countries who handle logistics, such as the interception of laptops.
- Fake Job Portals Targeting AI Firms: Researchers at Validin uncovered a twist where North Korean operatives created a phony job-application platform aimed at US AI and crypto companies. Instead of impersonating employees, they hijack the hiring process to gain access to applicants’ computers, stealing money and know-how for the regime.
- DOJ Charges and Seizures: Federal prosecutors charged four North Korean nationals for using fake IDs to get hired at a US company and steal nearly $1 million in cryptocurrency. Separately, the DOJ moved to seize $7.7 million in crypto and NFTs earned by similar operatives.
- Anthropic’s Discovery: AI company Anthropic found North Korean operatives using their Claude tool to fraudulently secure positions at Fortune 500 tech firms, masking skill gaps and accelerating schemes.
These examples illustrate a state-backed enterprise that’s evolved rapidly. As one expert put it, it’s a “mini army” of operatives who frame themselves as experienced talent, draw salaries, and repeat the process. The UN estimates such schemes have generated up to $600 million annually since 2018.
The Role of AI in Amplifying the Threat
AI has been a game-changer, acting as a “force multiplier.” Operatives use tools such as large language models to generate culturally appropriate communications, avoid red flags, and even cheat on coding tests. Deepfakes enable real-time masking of appearance and voice, while AI helps manage daily tasks post-hire, ensuring operatives can handle multiple roles without detection. This isn’t limited to North Korea; reports suggest Iranian actors are adopting similar tactics.
How Businesses Can Fight Back with Vali.now
At vali.now, we’re dedicated to combating scams and deepfakes through our suite of image integrity products. Our Live Video Deepfake Detection tool can verify identities during remote interviews, spotting AI-generated masks and alterations in real time. For deeper investigations, Ariane offers forensic analysis tailored for law enforcement and businesses, while Veritas ensures image integrity for scientific and professional verification.
If you’ve received suspicious applications or suspect a “fake worker” in your ranks, forward the details to vali.now for a rapid verdict: Safe, Suspicious, or Confirmed Scam. Don’t let these operatives exploit your company – strengthen your recruitment with AI-powered defenses today.
Stay vigilant and subscribe to our newsletter for more insights on emerging threats. We don’t spam – read more in our privacy policy.