North Korea’s IT Worker Campaigns Keep Working
The DPRK IT worker threat is far from abating. That was the clear message from government and business leaders at a United Nations event held recently to discuss North Korea’s activities to generate revenue while circumventing sanctions and UN security resolutions.
In October 2025, the UN Multilateral Sanctions Monitoring Team published a report, “The DPRK’s Violation and Evasion of UN Sanctions through Cyber and Information Technology Worker Activities,” detailing tactics, techniques, and procedures employed by North Korean nationals to infiltrate companies in more than 40 countries through their hiring processes, as well as to steal cryptocurrency.
None of this is new. These activities have occurred for years, and awareness is spreading. But the tone of the discussion made it clear that the problem persists because it continues to work.
Why Don’t Background Checks Solve the DPRK Remote IT Worker Problem?
Synthetic IDs, combining fabricated and stolen identity information, can bypass many background checks. In addition, DPRK actors have long relied on facilitators to evade identity verification controls, establish remote work setups, and move funds. In one extreme example, a company hired an individual who showed up to work each day, while a DPRK IT worker remotely accessed enterprise systems overnight to perform the actual work.
North Korean actors are also increasingly using GenAI and deepfake generation tools to conceal their true identities. In one case discussed at the event, an individual used a voice manipulation tool to mask their accent with a Texan one.
The panel of private sector cybersecurity experts also recommended several countermeasures not included in the October report:
- Implement deepfake detection in interviews
- Verify that the same person interviewed is the one who shows up on day one
- Develop “corporate intelligence” systems, similar to know-your-customer and anti-money-laundering controls, to better understand and verify your employees
However, panelists were clear that no single countermeasure can sufficiently stop the hiring of DPRK operatives on its own. These campaigns are not opportunistic but highly organized operations designed to exploit how organizations currently hire and onboard employees. Thousands of North Korean nationals are trained on specific aspects of the hiring pipeline, including resume writing, interviewing, technical screening, and completing tasks post-hire. The general tenor of the discussion was that something fundamental has to change in current approaches to hiring.
Optimizing Hiring for Speed and Trust
Most organizations optimize hiring for efficiency and candidate experience. Remote interviewing, outsourced recruiters, faster background checks, and remote onboarding make it easier than ever to hire. The benefits are real: faster hiring and access to a wider talent pool.
What the UN discussion made clear is that while awareness of the threat is growing, there is limited understanding outside of security circles of how to address it. Traditional cybersecurity controls focus on devices, credentials, networks, and applications. However, hiring, and increasingly contingent workforce operations and similar processes, still operate on implicit trust in the identities on the other side of remote interactions. We call this the human layer: anywhere a human identity is represented in digital images, audio or video files, or live audio and video calls.
Awareness alone doesn’t stop the threat, especially as GenAI tools continue to improve the quality of face and voice replication – whether for impersonation scams or to obscure true identities. Background checks can be subverted through facilitators. Identity verification systems can be defeated using “full identity packs” for sale on the dark web, consisting of high-resolution ID photos, corresponding selfies, and other identity information.
It’s hard to imagine businesses giving up the benefits of remote hiring in favor of strictly in-person interviews and onboarding. Fortunately, there are ways to secure the human capital supply chain without adding friction or sacrificing the benefits of broader access to talent and faster hiring.
What is the Human Capital Supply Chain Threat?
The North Korean remote worker scheme is just one example of human capital supply chain risk.
Organizations already recognize software and vendor supply chains as critical attack surfaces. Increasingly, the flow of employees, contractors, partners, job candidates, and remote workers into an organization must be treated the same way.
This is the fundamental shift required in current hiring processes. We can no longer afford to assume that the person on the other end of digital communications occurring during hiring is exactly who, or even what in the case of AI agents, they claim to be.
Just as the concept of zero trust – never trust, always verify – has been applied to users, devices, and networks, it’s time to apply the same principles to hiring processes in particular and the human capital supply chain more broadly.
The shift includes controls such as deepfake detection and continuous identity verification across live audio and video calls and digital image, audio, and video files. There needs to be a way to ensure identity consistency throughout the hiring process, including flagging deepfake usage and verifying the continuity of a candidate’s face and voice across interactions up to day one and beyond, even if day one includes showing up in person at the office.
What Can Companies Actually Do to Stop the North Korea Remote Worker Threat?
To make remote hiring more resilient against the DPRK threat, companies need to flag the use of deepfake tools during digital interactions, continuously verify candidate identity throughout the process, automate response to violations, and learn from attempted abuses through threat intelligence to prevent repeat and future attacks. These capabilities, however, must be applied in ways that do not add friction or inconvenience legitimate job candidates to the point they abandon the process.
The ultimate lesson from the UN event is that awareness is improving, but the fundamental changes needed to truly disrupt the threat have yet to materialize. The good news is that technological controls exist today to deliver on each of the capabilities mentioned above.
In an upcoming whitepaper, we outline a framework for addressing risk in the human capital supply chain. It focuses on applying zero-trust principles to mission-critical workflows such as hiring, business process outsourcing, and account recovery processes, without inconveniencing legitimate humans through an over-rotation on security friction.