Why DPRK IT Worker Schemes Succeed: They Operate as Organized Teams

Claudia Regalado · 7 min read

North Korea’s IT worker programs are regularly framed as a fraud problem: someone lying on a resume, faking a video call, or using a VPN. That framing misses the point.

What U.S. government advisories from the Departments of State, Treasury, and the FBI describe is something far more structured: a workforce deployment model that is state backed, systematically organized, and designed to place fraudulent workers inside legitimate companies at scale. These schemes continue to succeed not because companies are careless, but because the model itself was built to defeat the controls companies rely on.

Division of Roles

These schemes are not the work of a lone actor. U.S. government advisories document a pattern in which responsibilities are distributed across a team, with each function handled by a separate, specialized role. Identity risk exists before an application is submitted and before any conversation takes place.

  • Identity and Profile Management is the foundation that makes the candidate believable on paper. One part of the team handles forged documents, fabricated employment histories, stolen identities, and realistic aliases so the application survives scrutiny before anyone asks a question.

  • Hiring and Communication is what sustains credibility in live interaction. Every interview is ultimately an identity trust decision rather than a simple skills evaluation, and this function is responsible for passing that test while maintaining the assumed identity across ongoing client interactions.

  • Access and Connectivity Obfuscation ensures that the real operator remains untraceable. VPNs, virtual private servers, third-country IP addresses, and laptop farms with dedicated devices per account are managed specifically to keep the worker’s true location and identity invisible to employers and platforms.

  • Compensation and Account Intermediation prevents payment from reaching a traceable beneficiary. Proxy accounts and third-party financial intermediaries are used to maintain separation between the transaction record and the actual recipient.

These responsibilities are intentionally not performed by the same individual, which is precisely what makes verification so difficult. The person a hiring manager speaks with, the person delivering the work, and the person receiving payment may all be different members of the same operation. The deception does not depend on any single participant being exceptional. It depends on the system functioning as designed.

Scaling Through Standardized Operations

These operations are not built around a single successful placement. They are designed to run continuously across dozens of engagements at once.

Fabricated identities rotate across freelance platforms. Infrastructure, payment channels, and account access function as shared resources rather than one-to-one assets. Playbooks for winning contracts, passing interviews, and managing client relationships are developed once and reused across regions.

Federal guidance has also noted that DPRK IT workers frequently recommend additional DPRK workers to companies that have already hired them. Once access is established, the operation expands. The initial hire is not the end goal. It is the entry point.

Why Traditional Security Controls Fail

Traditional security models rely on familiar threat categories. DPRK IT worker schemes bypass those assumptions by operating outside the expected patterns.

No Behavioral Shift to Detect

  • Insider threat: assumes a trusted employee who later turns malicious, with detection mechanisms focused on identifying that behavioral change.

  • DPRK scheme: the deception is present from the first interaction and remains consistent throughout, leaving no shift to observe and no moment of betrayal to trigger alerts.

State Support Removes Constraints

  • Individual fraudsters: are typically constrained by resources, which limits how long they can sustain a credible false identity.

  • DPRK operations: state-backed operations do not face those limitations. Funding, infrastructure, and patience can be sustained for years.

Access Was Legitimately Granted

  • Account takeover: these scenarios involve unauthorized access obtained through exploitation.

  • DPRK IT workers: by contrast, obtain access that the organization itself approved. The privileges are technically legitimate, even though the underlying identity is not.

Continuous Verification

Government advisories have been consistent on a central weakness: hiring practices tend to over-rely on document verification at onboarding. Once checked, identity is rarely revisited.

The threat does not end at hiring. The employment relationship itself is where the scheme operates. A worker who passed every check on day one is still operating inside the organization months later, with the same access and the same assumed trust.

Continuous verification shifts identity from a one-time credentialing event to an ongoing confirmation process. Instead of assuming that identity remains valid, organizations periodically confirm that the person performing the work is the person who was hired. This closes the gap left by static controls and addresses the structural weakness these schemes exploit.

Immediate Actions for Organizations

  • Audit remote work policies for over-reliance on one-time document verification

  • Introduce identity checkpoints beyond onboarding

  • Assess whether tooling provides visibility into actual device operators

  • Review whether existing processes would detect identity swaps
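The continuous verification process described above and the four action items can be reduced to a small policy check that runs on a schedule. The following is an added example written for this article; it is not Polyguard's product code and does not come from the government advisories. It assumes an HR record that binds each account to a device identifier captured at onboarding, a declared work country, and a timestamp of the last live identity confirmation, plus session telemetry with a device identifier and geolocated country. The 90-day re-check interval, the field names, and all workers and sessions are constructed for illustration.

```python
"""Continuous identity verification: flag accounts that need a live re-check."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value (not from the advisories): re-confirm identity every 90 days.
RECHECK_INTERVAL = timedelta(days=90)


@dataclass
class Worker:
    account: str
    enrolled_device: str     # device id bound to the account at onboarding (assumed attestation id)
    home_country: str        # work location declared at hire
    last_verified: datetime  # last live identity confirmation


@dataclass
class Session:
    account: str
    device: str
    country: str             # country derived from the session's network origin
    ts: datetime


def shared_devices(sessions):
    """Return {device: [accounts]} for devices used by more than one account.

    One device serving several accounts suggests one operator running several
    identities. The advisories note that laptop farms often use a dedicated
    device per account, so this check alone is not sufficient; the periodic
    re-verification below is the backstop when device signals look clean.
    """
    accounts_by_device = {}
    for s in sessions:
        accounts_by_device.setdefault(s.device, set()).add(s.account)
    return {d: sorted(a) for d, a in accounts_by_device.items() if len(a) > 1}


def check_worker(worker, sessions, now):
    """Signals that should send one worker back through live re-verification."""
    findings = set()
    # Identity checkpoint beyond onboarding: confirmation older than policy.
    if now - worker.last_verified > RECHECK_INTERVAL:
        findings.add("stale_verification")
    for s in sessions:
        if s.account != worker.account:
            continue
        # Visibility into the actual device operator: session device differs
        # from the one enrolled, a possible identity swap.
        if s.device != worker.enrolled_device:
            findings.add("device_mismatch")
        # Session origin disagrees with the declared work location.
        if s.country != worker.home_country:
            findings.add("location_mismatch")
    return findings


def review_queue(workers, sessions, now):
    """Map each account with findings to a sorted list of reasons for re-verification."""
    shared = shared_devices(sessions)
    queue = {}
    for w in workers:
        findings = check_worker(w, sessions, now)
        if any(w.account in accounts for accounts in shared.values()):
            findings.add("shared_device")
        if findings:
            queue[w.account] = sorted(findings)
    return queue


# Constructed sample data: four accounts, one clean and three with different signals.
NOW = datetime(2024, 6, 1)
WORKERS = [
    Worker("alice", "dev-A", "US", NOW - timedelta(days=30)),
    Worker("bob", "dev-B", "US", NOW - timedelta(days=200)),
    Worker("carol", "dev-C", "US", NOW - timedelta(days=10)),
    Worker("dave", "dev-D", "US", NOW - timedelta(days=5)),
]
SESSIONS = [
    Session("alice", "dev-A", "US", NOW - timedelta(hours=2)),
    Session("bob", "dev-X", "US", NOW - timedelta(hours=3)),
    Session("carol", "dev-C", "XX", NOW - timedelta(hours=1)),  # "XX": placeholder third country
    Session("dave", "dev-C", "US", NOW - timedelta(hours=4)),
]

if __name__ == "__main__":
    for account, reasons in review_queue(WORKERS, SESSIONS, NOW).items():
        print(f"{account}: re-verify ({', '.join(reasons)})")
```

Each finding is a reason to schedule a live identity confirmation, not a verdict: alice generates nothing, bob is overdue and on an unenrolled device, and carol and dave share a device that only one of them enrolled. The stale-verification check is the one that still fires when every device and network signal has been arranged to look normal, which is the case the article argues these operations are built for.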

Solutions like Polyguard are designed to operationalize continuous verification across remote workforces without creating friction for legitimate employees.

The operation on the other side of the hiring process is state backed, patient, and structurally organized. A verification posture designed for a different threat model is not a match for that reality. Closing the gap is not simply a security enhancement. It is an overdue adjustment to how remote hiring risk is managed.

Sources: U.S. Department of State / Treasury / FBI Advisory on DPRK IT Workers (May 2022); U.S. Treasury OFAC Sanctions Action on DPRK Cyber and IT Worker Activities (May 2023)

Frequently Asked Questions

  • Won’t we catch this all during onboarding?

Unlikely. These schemes are built to pass onboarding. Forged or stolen identities are prepared before the application process begins, allowing interviews and background checks to appear legitimate.

  • How serious is it to hire a North Korean?

Serious. Even unintentional hiring can create significant financial consequences. A single incident can cost a mid-sized company tens of millions of dollars. (Read the full breakdown)

  • We do background checks for all our employees. Doesn’t that keep us safe?

Background checks verify the identity, not the person. If the identity is stolen and legitimate, it comes back clean. (Read more about why this fails)

  • If face-swaps can get through ID verification, how can we verify who someone really is?

NFC passport scanning is the gold standard. Where that is not possible, a driver's license paired with device attestation and GPS location raises the bar considerably. (Read more about faceswap attacks)

  • I think we might have a North Korean on our team already. What should we do?

These schemes are designed to appear legitimate under standard controls. The practical response is to introduce continuous verification so identity trust is assessed over time rather than assumed from onboarding.

  • What about deepfake detection - can we use that in our video interviews?

Deepfake detection tools can be used in video interviews, but effectiveness varies and they should not be treated as a primary identity control. Some approaches may require analyzing or recording calls, which organizations should assess against their own privacy and risk policies.

  • What if the candidate says their video doesn’t work?

That is a red flag. Government guidance notes that DPRK IT workers frequently avoid live video. If identity cannot be verified, access should not be granted.

  • What if the candidate says they don’t have a passport?

Not a problem. Polyguard supports over 12,000 government-issued IDs including driver's licenses, paired with additional verification layers.

  • Do the candidates have to buy your app?

No. It is free for candidates to download and use.
