In 2025, a woman in Arizona pleaded guilty to helping the North Korean government run one of the largest remote worker fraud operations uncovered to date. Three hundred organizations were infiltrated. Seventeen million dollars was generated and funneled to a foreign government. More than 68 stolen US identities were used to make it happen.
This was not a sophisticated technical breach. It was a hiring problem.
How the operation worked
North Korean operatives applied for remote positions at US companies. They used stolen American identities to pass background checks and appear legitimate throughout the hiring process. Once placed, they collected paychecks that were routed back to fund the North Korean government.
The woman in Arizona played a specific operational role. She ran a laptop farm. Every morning she powered up a room full of laptops, staggered across Eastern, Central, and Pacific time zones to match normal US business hours. From there, North Korean operators would remote in and begin their workday, appearing for all practical purposes to be a distributed American workforce.
This went on across hundreds of organizations before it was identified and stopped.
The scale of the underlying problem
This operation did not emerge in isolation. When this topic was discussed publicly by a former FBI agent four years after leaving the bureau, North Korea was already generating roughly 40 percent of its gross national product through internet-based fraud. Business email compromise, financial scams, and other schemes had become a meaningful revenue source for the regime.
The shift toward placing operatives inside US companies as remote employees accelerated that further. It moved beyond opportunistic fraud into something more deliberate and harder to detect. A paycheck from a legitimate employer, processed through normal channels, is a cleaner and more reliable revenue stream than a one-time scam.
Why this is harder to catch than it looks
Remote hiring removed a layer of friction that used to make this kind of fraud more difficult. In-person interviews, physical office presence, and direct observation are natural checkpoints that simply do not exist in a fully remote environment.
AI has made it easier to clear the checkpoints that remain. Generated profile photos, polished resumes, language refinement tools, and deepfake video have all been used to support fraudulent applications. What might have looked suspicious a few years ago now clears initial screening without raising flags.
The result is that organizations are making hiring decisions based on a presentation that may have been assembled entirely to deceive them.
What this means for how organizations hire
The threat is real and documented, but it is also something organizations can prepare for. The detection and defense side of this problem is developing alongside the threat itself. There are behavioral indicators, technical signals, and process controls that can help identify when something does not add up.
On the hiring side, that means thinking carefully about identity verification, especially for fully remote roles with access to sensitive systems or financial processes. It means being deliberate about what access new employees receive and when. And it means recognizing that a clean resume and a convincing interview are not the same thing as a verified identity.
The organizations caught up in this operation were not careless. They followed normal hiring practices. The problem is that normal hiring practices were not built with this threat in mind.
Talk with our team
If you want to talk through how your hiring process and access controls hold up against this kind of risk, we are glad to have that conversation.
