Michael Barnhart is an investigator at DTEX Systems focused on North Korea.
They showed up on time, crushed deadlines, asked no questions.
It was a bit weird they never turned their camera on, but not a deal breaker.
Then they were gone.
No notice. No forwarding details. Just silence.
Across industries, some of the highest-performing remote workers are vanishing without a trace. For many companies, it’s not a burnout issue—it’s a breach of trust. And in more cases than you’d think, the root cause traces back to the Democratic People’s Republic of Korea (DPRK).
On June 30, the FBI and Department of Justice announced one of the largest crackdowns yet on North Korea’s remote IT worker scheme, designed to covertly fund the regime. Nearly 30 “laptop farms” across 16 U.S. states were raided for their suspected role. The coordinated action included three indictments, one arrest, the seizure of 29 financial accounts, and the takedown of 21 websites, part of a sweeping effort to disrupt covert operations and stop sanctioned workers from infiltrating global companies under false identities.
The bust marks a rare and direct strike against one of the world’s most evasive cyber adversaries.
North Korea’s shadow IT workforce isn’t just a sanctions workaround. It’s a global, for-profit operation embedding operatives inside major companies under false identities funneling money, access, and opportunity back to the regime. And if you think you’d spot it, you probably won’t. These workers are quiet by design, skilled by necessity, and trained to exploit the blind spots in modern remote work.
The scale of this infiltration is greater than many realize—and the indictments are unlikely to be the last. For now, every company should be asking: Could this be us?
Six red flags you hired a North Korean IT worker
Evading detection and blending into the background is DPRK tradecraft 101. But with the right behavioral analytics and cross-functional vigilance, patterns emerge. Here’s what to watch for:
Run known DPRK-linked IOCs against your systems
Start with what’s public. Known Indicators of Compromise (IOCs) tied to DPRK operations are readily available. Cross-reference them with your email logs, ticketing systems, and access records. If you find a hit, you might already be compromised.Odd working hours for alleged U.S.-based staff
A remote dev claiming to be in Austin but pushing commits at 3 a.m. local time? That’s not hustle—that’s a time zone mismatch. DPRK operatives often work from China or Russia and adjust their hours to avoid detection. Look for strange bursts of late-week activity or unnatural work cadences.Use of remote access tools and anonymizers
IP-KVM switches. Mouse automation tools. Anonymizing VPNs and remote desktop protocols. These aren’t just IT oddities—they’re DPRK staples. If you’re seeing remote access patterns that don’t match declared user behavior, or tooling that simulates presence, investigate.Unusually low communication engagement
Camera always off. Silent in Slack. No questions, no friction. In many organizations, that’s seen as a plus. But low engagement, especially from critical roles, is a tell. DPRK operatives play invisible. That silence is often the signal. DPRK operatives are trained to stay invisible. In some cases, that quiet isn’t just disengagement—it’s operational cover. Several fake workers recently vanished not because they quit, but because their devices were seized in international stings. When someone goes dark, it may not be ghosting—law enforcement might be calling next about your company’s compromised systems.Resume or referral patterns that feel too familiar
Look closer at your hiring pipeline. Reused resumes. Recycled phrasing. Overlapping career timelines. These are signs of templated personas. DPRK operatives often enter via fake recruiters or refer other DPRK workers in their group. When candidates start to blur together, it’s time to dig deeper.Discrepancy between interview and on-the-job performance
Crushed the interview. Fell flat on day one. It happens, but when the person in the job doesn’t match the person who interviewed, that’s a problem. Voice changers, stand-ins, and deepfakes have all been used to slip through screenings. Even a quick follow-up can surface inconsistencies.
I hired a DPRK worker. Now what?
Step one: Don’t panic. Step two: Move fast.
When sensitive customer data or intellectual property may have been exposed, your response must be immediate, coordinated, and comprehensive.
Here’s what to do next:
Immediate containment and isolation
Suspend all access immediately—VPNs, cloud platforms, code repos, and email. Quarantine devices and preserve them for forensic analysis; don’t wipe or reset anything. Reset all related credentials to prevent further access. Fast action here matters. Every minute counts in preventing data theft or sabotage.Comprehensive forensic investigation
Bring in experts experienced with insider threats and DPRK tactics. Analyze logs from networks, cloud, endpoints, and code repositories to uncover unusual access or data exfiltration. What did they touch? Where did the data flow? Look for covert data transfers or attempts to hide activity.Assess the scope of exposure
Did they access customer data, IP, source code, or regulated content? Evaluate compliance exposure under GDPR, HIPAA, or CCPA. Risk isn’t limited to theft—think extortion, ransomware, or deeper compromise.Coordinate cross-functional response
Bring in legal, PR, and HR. Legal advises on disclosure; PR preps messaging; HR manages internal fallout. The faster you coordinate, the more control you maintain.Engage external authorities
Loop in law enforcement, including the Internet Crime Complaint Center (IC3) and the Department of Defense Cyber Crime Center (DC3). These aren’t just corporate risks; they’re geopolitical ones. Sharing intelligence strengthens your position and may help prevent future breaches.
Prevention beyond cyber and HR
Running known IOCs is a start—and a clean report is good news. But DPRK ops move fast. Prevention requires behavior-based visibility and tight cross-team alignment.
Pre-hire protective measures:
Conduct live, on-camera interviews with IP/geolocation validation
Independently verify references and past employment
Use unscripted, technical Q&A to gauge real expertise
Involve HR and legal early in security awareness and hiring processes
Post-hire protective measures:
Flag re-applications using recycled data or aliases
Monitor for unusual access times, remote tool use, and VPN spikes
Track engagement levels—silence is a signal
Watch for early signs of extortion, evasion, or data misuse
By fostering close collaboration across internal and external security, HR, risk, and legal teams, organizations can build a resilient insider risk program that detects and mitigates threats before they escalate. Prevention is a team effort, and behavior is the strongest signal.
North Korea—what’s next
The latest and ongoing government actions have pushed the DPRK’s shadow workforce into the spotlight. But exposure isn’t elimination. The playbook will evolve—new names, new tools, new countries.
The modern insider won’t always look suspicious. They’ll look perfect. Until they disappear.
Knowing what to look for is step one. Shutting it down for good is the mission ahead.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
Read more:
North Korean operative reveals the inner workings of the IT scam infiltrating the Fortune 500—‘They had no idea that we were from North Korea’
North Korean operatives and American accomplices accused in massive fraud that infiltrated the Fortune 500 and stole millions
The North Korean IT worker scheme infiltrated an American election campaign website
North Korean hackers have stolen up to $1 billion in virtual assets according to the UN: ‘A record-breaking year’
This story was originally featured on Fortune.com
