North Korean IT workers scam likely to be increasingly adopted by organised criminal groups

Event

On 11 February 2025, a co-founder of a US-based cybersecurity firm revealed that, over a two-month period, the firm had come close to hiring two fraudulent applicants for a remote software development role [LINK]. In both cases, artificial intelligence (AI) was used to generate answers to interview questions and to produce deepfake video during interviews.

Assessment

This incident represents a continuation of a known North Korean scam, in which threat actors pose as a remote IT worker to gain employment with Western companies, funnelling revenue to the North Korean regime [LINK]. Other objectives include source code theft, espionage, and ransomware deployment [LINK]. For more detail, see the graphic below.

The modus operandi involves creating multiple profiles using non-Korean names, stolen identities, and AI-generated credentials to bypass recruitment screening [LINK]. Video interviews were once a safeguard against such scams; the use of deepfake technology to pass them is concerning, as inexperienced recruiters may fail to detect the tactic. These operations are conducted mostly by North Koreans operating in third countries such as Russia and China [LINK], and are supported by external facilitators who provide essential services, such as money laundering and 'laptop farms' [LINK].

Remote IT workers are one aspect of a broader North Korean cyber campaign aimed at accruing revenue and access to technology [LINK, LINK]. The IT worker scam has already generated significant revenue for North Korea [LINK]. 

Western technology, defence, and government bodies have been targeted [LINK] and remain at high risk due to the value of their data and the lucrative salaries they offer. While this threat is currently receiving greater attention, the balance of risk remains with traditional threat vectors such as social engineering and supply chain compromise. 

Outlook

At a tactical level, this scam exploits common vulnerabilities in the hiring practices of many companies. However, it ultimately builds on core characteristics of the globalised digital economy, among them changing practices around remote working and persistent shortages of capability in key areas such as software development.

Rather than being central to its effectiveness, the use of AI and deepfake technology underlines how challenging it is for North Korean threat actors to conduct this scam. The success of operations relying on this technology is likely being observed by organised criminal groups, particularly amid indications of declining ransomware revenues [LINK]. Some of these groups operate in regions where culture and language skills mean that deepfake technology will not be required. As such, we assess that this form of deception will remain prevalent, and is likely to be adopted by a growing range of state and non-state actors.

Attempts to develop deepfake detection technology are likely to be caught up in an ongoing cycle of innovation between attackers and defenders. More important than technological solutions alone will be changes in organisations' recruitment processes, with earlier coordination between HR and security functions (where these exist) to develop vetting procedures that identify risks in candidates before they escalate.

North Korean IT worker scam flowchart.
