The North Korean IT worker scheme is a state-sponsored fraud operation that places fake remote employees inside Western companies using stolen identities, U.S.-based "laptop farm" facilitators, and AI-assisted interviews. The fake-worker piece alone reliably generates an estimated **$250 million to $600 million a year** in fraudulent salaries for the DPRK, and it is being prosecuted in U.S. federal court right now. To stop it, you verify identity at intake, run camera-on interviews with live deepfake challenges, ship equipment only to the verified address, and grant no system access until a background check clears. The defense lives in your hiring funnel, not your firewall.

This is uncomfortable for a reason most security advice isn't: the attacker doesn't break in. They apply. They interview well. They accept your offer, sign your paperwork, and pass your onboarding. The hiring pipeline is the attack surface, and for remote-first teams without a security org standing behind recruiting, it's wide open.

## What the North Korean IT worker scheme actually is

The scheme uses real American identities to get North Korean operatives hired into legitimate remote engineering jobs, with a paid U.S. accomplice making the employee look domestic. The worker is physically in China, Russia, or elsewhere; a "laptop farm" operator in the States receives the company laptop, installs remote-access software, and lets the overseas worker log in. The employer believes they hired a local engineer. They didn't.

The U.S. Justice Department says North Korea has "deployed thousands of highly skilled IT workers around the world," and the facilitator network spans multiple countries (source: [DOJ, June 2025 nationwide action](https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote)). This is not a handful of opportunists. It's an industrialized revenue pipeline with division of labor, tooling, and a sanctions-evasion purpose behind it.

### The numbers, decoded: $2.8B crypto vs. $250M-$600M in salaries

Two figures get conflated constantly, and getting them right is the fastest way to tell who actually understands this topic. The Multilateral Sanctions Monitoring Team (MSMT) values *all* DPRK cyber and IT-worker revenue at roughly **$2.8 billion from January 2024 to September 2025**, but the majority of that is **cryptocurrency theft**, not salaries (source: [U.S. State Department MSMT report](https://www.state.gov/releases/office-of-the-spokesperson/2026/01/multilateral-sanctions-monitoring-team-report-on-dprk-violations-and-evasions-of-un-sanctions-through-cyber-and-information-technology-worker-activities), summarized by [Chainalysis](https://www.chainalysis.com/blog/msmt-report-north-korea-dprk-cyber-threats/)).

The **fake-IT-worker scheme specifically** is a separate, smaller stream the UN estimates at **$250 million to $600 million per year** in fraudulent salaries (source: [Fortune](https://fortune.com/2026/04/25/north-korean-it-worker-scheme-american-faciliators/), citing UN reporting). Individual workers reportedly earn $3,500 to $10,000 a month. So when you read "$2.8 billion from fake IT workers," it's wrong. The salary scheme is one pillar of a bigger machine, and it's the pillar that runs straight through your applicant tracking system.

### The pipeline: stolen identity to U.S. facilitator to laptop farm to laundering

The mechanics are consistent across every prosecuted case:

1. **Stolen or borrowed identity.** The operative uses a real American's name, SSN, and address, often purchased or obtained through earlier breaches.
2. **A U.S.-based facilitator.** A paid accomplice (the "laptop farm" operator) gives the scheme a domestic footprint, receiving the company laptop at a U.S. address.
3. **Remote access.** The facilitator installs remote-control software so the overseas worker can operate as if they were sitting at that U.S. desk.
4. **Salary laundering.** Wages flow to the facilitator, then get routed overseas to the DPRK, sometimes through crypto.

Facilitators range from knowing money-makers to people recruited through "work from home" ads who don't fully understand what they signed up for. Either way, the company on the other end sees a clean payroll record and a working engineer.

## This isn't hype, it's federally prosecuted

If you've filed this under "threat-vendor marketing," update that. The Justice Department has won multi-year prison sentences against the U.S. facilitators who make the scheme work, and the case files read like an operations manual for the fraud.

### The Arizona laptop farm: 309 companies, $17M, 102 months

The canonical case is Christina Chapman, who ran a laptop farm out of her Arizona home. On July 24, 2025, she was sentenced to **102 months in prison**. Her scheme generated **more than $17 million**, defrauded **309 U.S. companies** (including a top-five TV network, a Silicon Valley tech company, and Fortune 500 firms), and relied on **68 stolen U.S. identities** (source: [DOJ](https://www.justice.gov/opa/pr/arizona-woman-sentenced-17m-information-technology-worker-fraud-scheme-generated-revenue)).

A 2023 search of her home seized **more than 90 laptops** in an organized staging setup, and she had shipped **49 devices overseas**, including multiple shipments to a Chinese city on the North Korea border (sources: DOJ; [The Record](https://therecord.media/arizona-woman-sentenced-north-korean-laptop-farm)). Picture that: a suburban house with 90 corporate laptops humming on shelves, each one a remote engineer at a different company.

U.S. Attorney Jeanine Pirro put the lesson in one line:

> The call is coming from inside the house ... Corporations failing to verify virtual employees pose a security risk for all. You are the first line of defense against the North Korean threat.

### The 2025 nationwide sweep: 16 states, 29 laptop farms

Chapman wasn't an outlier. In June 2025, a coordinated DOJ action spanned **16 states** with searches of **29 known or suspected laptop farms** and the seizure of **about 200 computers, 29 financial accounts, and 21 fraudulent websites**. The workers had obtained jobs at **more than 100 U.S. companies**. In one scheme they stole **export-controlled U.S. military technology**; in another, DPRK workers at an Atlanta blockchain firm stole roughly **$900,000 in virtual currency** (source: [DOJ](https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote)).

In April 2026, two more facilitators, Kejia Wang and Zhenxing Wang, were sentenced to 108 and 92 months for placing DPRK workers at **more than 100 U.S. companies** using **at least 80 stolen identities**, generating **more than $5 million** for the regime. The Assistant Attorney General's framing was blunt: the ruse "placed North Korean IT workers on the payrolls of unwitting U.S. companies and in U.S. computer systems, thereby harming our national security" (source: [DOJ](https://www.justice.gov/opa/pr/two-us-nationals-sentenced-facilitating-fraudulent-remote-information-technology-worker)).

The pattern is settled law now. Hundreds of companies, eight- and nine-figure sums, and prison sentences measured in years.

## How AI raised the stakes, and how it gives them away

AI didn't create this scheme. It's an accelerant bolted onto the core fraud of stolen identity plus facilitator. But it's a real accelerant, and the same tools that let an operative fake an interview also leave fingerprints you can check for.

### A real-time deepfake in 70 minutes

Palo Alto Networks' Unit 42 ran the experiment that should worry every hiring manager: **a single researcher with no image-manipulation experience, limited deepfake knowledge, and a five-year-old computer built a synthetic identity for job interviews in 70 minutes**, using a 2020-era consumer GPU and free tools (source: [Unit 42](https://unit42.paloaltonetworks.com/north-korean-synthetic-identity-creation/)). That's the bar now. Not a nation-state lab, not specialized hardware. Seventy minutes on an old gaming PC.

Operatives pair real-time face-swap video with **real-time voice tools to mask accents**, so the candidate on your call can look and sound like the American whose identity they stole (sources: Unit 42; [Dark Reading](https://www.darkreading.com/remote-workforce/north-korean-operatives-deepfakes-it-job-interviews)).

The good news: real-time deepfakes are computationally fragile. They break under conditions the model wasn't trained for. Ask the candidate to:

- Pass a hand slowly across their face
- Turn fully to profile and hold it
- Make a rapid head movement
- Introduce a sudden lighting change

Each of these tends to produce warping, lag, or artifacts the face-swap can't keep up with. None of it is rude to ask, and all of it is cheap to do.

### Voice masking, synthetic identities, and "too clean" profiles

Beyond the live call, the paper trail tells a story if you read it. Watch for an identity with no organic digital history: a brand-new GitHub against a resume claiming ten years of experience, a LinkedIn that's suspiciously sparse or suspiciously polished, references that can't be reached, and VoIP or Google Voice numbers instead of a real carrier line (sources: [SpyCloud](https://spycloud.com/blog/how-we-identified-fake-north-korean-it-workers/); Unit 42). A profile that's "too clean" is as much a flag as one that's full of holes. For the broader honesty problem AI creates in interviews, see our piece on [deepfake candidates and AI hiring fraud](/blog/deepfake-candidates-ai-hiring-fraud); this article is about a specific, sanctioned adversary running a full fraud pipeline.

## Hiring is now an attack surface

The reason a security team should care about your recruiting funnel is that the funnel is the entry vector. There's no perimeter to breach when the adversary walks in with a valid offer letter.

Once hired, these workers don't just collect a paycheck. In prosecuted cases they've stolen export-controlled military technology and virtual currency from their employers (source: [DOJ](https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote)). And the damage doesn't stop at termination: after being discovered or let go, some DPRK IT workers have **extorted former employers**, threatening to leak stolen source code and proprietary data, prompting specific FBI warnings (source: [Bitdefender/FBI](https://www.bitdefender.com/en-us/blog/hotforsecurity/north-korea-it-workers-us-extortion-employer-fbi)).

So the failure mode here isn't "we made a bad hire who underperformed." It's sanctions exposure, IP theft, and an extortion threat with your private repos as leverage. That reframes identity verification from an HR nicety into a security control, which is the same shift we wrote about in the context of [SOC 2 hiring blind spots](/blog/soc2-hiring-compliance-risk).

## The control set: intake, interview, onboarding

The defense is a layered control set that FBI/IC3, OFAC, and Unit 42 all converge on. No single check is decisive; together they make your pipeline expensive enough that operatives move to a softer target. Here's the playbook by stage.

### Verify identity at intake (document forensics + liveness)

Start before the first interview. Capture a government ID and scan it for tampering, expiration, and country-specific security features; reject low-quality images outright. Pair the ID with **liveness detection** to rule out a static photo or deepfake, and run a **facial comparison** of the live capture against the ID photo (sources: [FBI IC3 PSA](https://www.ic3.gov/PSA/2025/PSA250723-4); [ID Dataweb](https://www.iddataweb.com/shadow-workers/)). The goal of intake is simple: verify the human, not just the resume.

This is where a verified candidate channel matters. Kit's candidate portal uses [passwordless magic-link access](/blog/why-we-killed-passwords-for-candidates) instead of a free-text application form, which gives you a single, verified communication channel as step one, and the natural place to layer document and liveness verification on top.

### Interview-integrity signals that catch proxies and deepfakes

Make camera-on mandatory and record interviews with consent. Then make the interview impossible to script in advance:

- Ask **spontaneous, un-Googleable questions**: local landmarks near the address on file, same-day news, today's weather where they claim to be.
- **Rotate question sets** so answers can't be memorized from Glassdoor.
- Note **long pauses on common-knowledge questions**, the tell of someone relaying answers from a teammate off-camera.
- Run the **physical liveness challenges** above to break any real-time face-swap.

(Sources: [Help Net Security](https://www.helpnetsecurity.com/2026/04/20/north-korean-job-interview-infiltration-video/); [WeLiveSecurity](https://www.welivesecurity.com/en/business-security/recruitment-spot-spy-job-seeker/).)

### Confirm the evaluatee is the hire

The scheme's sharpest weapon is the proxy: a strong engineer aces the interview, then a different person does the job. Your job is to prove the person you evaluated is the person you're paying. A **structured code assignment plus a live follow-up** is the cleanest test there is. Have the candidate do real work, then in a recorded live session ask them to walk through their own code, extend it, and explain decisions they should remember if they actually wrote it.

This is exactly how Kit's [code assignments](/blog/how-to-structure-code-assignments) are built to be used. The assignment ships a real task from a GitHub template repo, and a live interview stage lets you verify that the person who submitted the work is the person in the room. Continuity across stages, the same verified candidate from application to assignment to live round, is the audit trail that defeats the proxy.

<div class="blog-inline-cta">
  <p><strong>Worried a proxy could slip through?</strong> Kit ties every stage to one verified candidate identity, from magic-link application to code assignment to live interview, so you can prove the person you evaluated is the person you hired.</p>
  <p><a href="/users/sign_up">Start your free trial</a></p>
</div>

### Logistics and access discipline

This is the highest-signal operational control and the cheapest to enforce. Per FBI and OFAC guidance: **ship equipment only to the ID-verified address**, and require extra verification for any address change. Train HR and hiring managers to **flag mid-onboarding address or payment-platform changes**, the moment a laptop farm reroutes the hardware. And grant **no system access until the background check clears** (sources: [FBI IC3 PSA](https://www.ic3.gov/PSA/2025/PSA250723-4); [OFAC/Treasury advisory](https://ofac.treasury.gov/media/923126/download?inline=)). A sudden "actually, ship it to this other address" right after the offer is one of the loudest signals in the entire scheme.

When a stage throws a flag (deepfake artifacts on the call, a VoIP number, a mid-onboarding address change), it shouldn't vanish into a Slack thread. It should route into a structured fraud workflow with an owner, the same way a security team handles an incoming vulnerability report. That CSIRT-style handling of an identity signal is the bridge between hiring and security that most companies are missing.
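As an added example (not code from the original post, and not Kit's own implementation), here is one way to encode the logistics rules and the flag-routing pattern above as a replayable check over one hire's onboarding events: the event kinds, severity labels, and the "fraud-triage" owner name are assumptions, and the sample timeline is constructed.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Event:
    ts: int                   # constructed ordering key (minutes after the offer was signed)
    kind: str                 # address_change | payment_change | shipment | bg_check_cleared | access_grant
    detail: str = ""          # new address, new payment platform, ship-to address, or system name
    reverified: bool = False  # True only if an address change was re-checked against the ID

@dataclass
class Flag:
    severity: str
    rule: str
    detail: str
    owner: str = "fraud-triage"  # assumed owning queue name (placeholder, not a real team)

def check_onboarding(verified_address: str, events: list[Event]) -> list[Flag]:
    """Replay the onboarding timeline in order and emit one Flag per control violation."""
    flags: list[Flag] = []
    approved = verified_address   # the only address equipment may ship to (ship-to-ID rule)
    cleared = False               # background check status (no-access-before-clearance rule)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "address_change":
            if ev.reverified:
                approved = ev.detail  # extra verification done, so this becomes the ship-to address
                flags.append(Flag("info", "address-change-reverified", ev.detail))
            else:
                flags.append(Flag("high", "post-offer-address-change", f"{approved} -> {ev.detail}"))
        elif ev.kind == "payment_change":
            flags.append(Flag("medium", "payment-platform-change", ev.detail))
        elif ev.kind == "shipment" and ev.detail != approved:
            flags.append(Flag("critical", "ship-to-unverified-address", ev.detail))
        elif ev.kind == "bg_check_cleared":
            cleared = True
        elif ev.kind == "access_grant" and not cleared:
            flags.append(Flag("critical", "access-before-clearance", ev.detail))
    return flags

def triage(flags: list[Flag]) -> str:
    """Highest severity across all flags, so the case can be routed to an owner with an SLA."""
    if not flags:
        return "none"
    return max(flags, key=lambda f: SEVERITY_RANK[f.severity]).severity

# Constructed timeline: a candidate ID-verified at 1 Main St asks, right after the offer,
# to ship the laptop elsewhere; IT ships there and grants VPN before the check clears.
SAMPLE_EVENTS = [
    Event(10, "address_change", "42 Elm Rd, Other City"),
    Event(20, "payment_change", "payroll deposit moved to a third-party payment app"),
    Event(30, "shipment", "42 Elm Rd, Other City"),
    Event(40, "access_grant", "vpn"),
    Event(90, "bg_check_cleared"),
]

if __name__ == "__main__":
    found = check_onboarding("1 Main St, Home City", SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.rule}: {f.detail} -> owner {f.owner}")
    print("triage:", triage(found))
```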

## How to run fraud-resistant hiring in Kit

Kit is an [AI-native ATS](/blog/what-is-ai-native-ats) that spans the intersection most tools ignore: hiring as a workflow and security as a discipline. The controls above only work if they're defaults in your pipeline, not reminders you hope someone follows under deadline pressure. Here's how each maps to a concrete capability.

| Control (intake to onboarding) | How Kit supports it |
|---|---|
| Verify the human at intake | Magic-link candidate portal gives one verified channel per candidate, the place to layer document/liveness checks |
| Confirm evaluatee = hire | Structured code assignment from a GitHub template repo + a live interview stage to verify the same person did the work |
| Audit trail of who was evaluated | Stage-based pipeline with reviewer assignments and recorded reviews: who interviewed, when, on what |
| Route fraud flags, don't shrug | CSIRT-style structured handling so a deepfake or address-change flag gets an owner and an SLA, not a lost message |
| Logistics discipline | Onboarding fields and notes to encode ship-to-ID and no-access-pre-clearance rules |

To be precise about scope: Kit can't run a document-forensics scan or a liveness check for you, and no ATS would have "prevented" the Chapman case on its own. What Kit does is make the workflow controls, the ones that actually catch the scheme, the default path instead of the exception. Verified identity at the door, structured-and-live-verified assignments, and a defensible record of exactly who was evaluated at each stage. The same Csirt module behind Kit's [vulnerability disclosure program](/blog/how-to-set-up-vulnerability-disclosure-program) gives you the structured fraud-handling pattern to route a hiring flag like a security event.

## Frequently asked questions

**Is the North Korean IT worker threat real, or vendor hype?**
Real and federally prosecuted. The DOJ has won prison sentences of 102, 108, and 92 months against U.S. facilitators, searched 29 laptop farms across 16 states in a single 2025 action, and documented hundreds of victimized companies. This is enforcement reality, not marketing.

**How big is the scheme?**
The fake-IT-worker piece alone generates an estimated $250 million to $600 million a year in fraudulent salaries for the DPRK. That sits inside a broader DPRK cyber revenue machine the UN values at about $2.8 billion over two years, most of which is crypto theft, not salaries.

**What are the red flags?**
A "too clean" or brand-new digital profile against a long resume; VoIP or Google Voice numbers; reluctance to turn the camera on; long pauses on basic questions; deepfake artifacts during head turns or hand-across-face challenges; and, the loudest one, a request to change the shipping address or payment platform right after the offer.

**Can a background check alone stop it?**
No. The scheme is built to pass a background check, because it uses a real American's verified identity. The check has to be paired with liveness-verified identity at intake, interview-integrity signals, proof that the evaluatee is the hire, and ship-to-ID logistics discipline. Defense in depth, not a single gate.

## Don't let the front door be the attack surface

The North Korean IT worker scheme is the clearest proof yet that hiring is a security perimeter. The adversary doesn't exploit a CVE; they pass your interview, sign your offer, and remote in from a laptop farm in someone's spare bedroom. The fix isn't a background-check vendor bolted on after the offer. It's fraud-resistant controls built into the hiring workflow from the first application: verified identity at intake, interview-integrity signals that catch proxies and deepfakes, an audit trail of exactly who was evaluated, and structured handling when something smells wrong.

Every one of those controls is a decision you make before the laptop ships. If you're building a remote engineering team, treat your pipeline like the attack surface it is. When you're ready to make these controls the default, you can [start a free trial](/users/sign_up) and have a verified, audit-ready hiring workflow running the same day.