Researchers at IBM X-Force and Flare have published a report titled "Inside the North Korean infiltrator threat" detailing evidence of the top-level infrastructure used to manage the operations, how workers apply for and secure IT roles, and mitigation strategies businesses can use to avoid falling victim.
The scale of the activity reveals a state-sponsored employment fraud operation that has moved well beyond ad hoc cybercrime. The threat of North Korean nationals operating as remote IT contractors or full-time technology staff inside unsuspecting companies has come to light over the past several years, yet security experts are only starting to realise the scale and sophistication of the operation. These IT workers can earn more than $300,000 a year, and upwards of 100,000 North Koreans are spread across 40 countries generating approximately $500 million a year for Pyongyang.
What emerges from the researchers' findings is a hierarchical ecosystem with clear divisions of labour. The researchers found documents and spreadsheets revealing the roles within the fake IT worker ecosystem, comprising recruiters, facilitators, IT workers and collaborators/brokers. Recruiters screen candidates and conduct initial interviews, often deceiving them about their true employer by claiming the hiring company is a so-called "early-stage stealth startup" operating under a fake name: "C Digital LLC". Candidates are then coached in applying to real Western firms and assigned false identities.
The facilitators function as hiring managers, deciding which candidates to deploy. Once hired, North Korean IT workers often operate with multiple team members helping to produce their work, hoping to secure promotions and gain deeper access to company systems. North Korean IT workers are experimenting with AI in various ways, including generating fake profile photos, using deepfakes during video interviews, and using AI writing tools to get around language barriers.
Westerners play a crucial role too. U.S.-based facilitators have received U.S. company laptops on the workers' behalf so that the workers appear to connect from inside the United States, set up U.S.-based infrastructure including remote desktop connections into those laptops, and reshipped U.S. company laptops to North Korean IT workers overseas.
For Australian companies and government agencies, the operational security implications run deep. These IT workers have been linked to North Korean cyber espionage operations, so organisations that unknowingly hire them increase their exposure to espionage. The primary aim of the ghost workers is to funnel their salaries back to the North Korean government; however, they may also introduce malicious code or create backdoors for persistent access, steal proprietary company information such as source code or sensitive customer data, and may encrypt data and demand ransom payments for decryption.
The researchers identified specific technical footprints that organisations can monitor. One tool is known as OConnect and/or NetKey, a known North Korean VPN likely used to connect to internal networks in Pyongyang. Also common is IP Messenger, or IPMsg, an open-source messaging application that does not require a central server, meaning it doesn't rely on centralised platforms operated by US companies such as Discord or Google.
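The footprints above can be turned into simple telemetry rules. The script below is an added illustration, not code from the IBM X-Force and Flare report, and it runs over constructed endpoint and network log lines. The IP Messenger indicators (process name `ipmsg.exe`, default port 2425, UDP broadcast presence packets) are assumptions based on how the open-source tool is normally configured; the report names OConnect/NetKey but gives no binary names or ports, so the VPN process patterns are obvious placeholders that an analyst would replace with indicators from their own telemetry.

```python
"""Flag telemetry matching the tooling footprints described in the report.

Everything here is illustrative: the log lines are constructed, the IP Messenger
indicators are assumptions about its default configuration, and the VPN
process-name patterns are placeholders (the report gives no binary names).
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

IPMSG_PORT = 2425                              # assumption: IP Messenger default port
IPMSG_PROCESS_NAMES = {"ipmsg.exe", "ipmsg"}   # assumption: typical binary names
VPN_PROCESS_PLACEHOLDERS = ("oconnect", "netkey")  # placeholders, not real IoCs


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_process(event: dict) -> Optional[Finding]:
    """Match process-start events against the named tools."""
    name = event.get("process", "").lower()
    if name in IPMSG_PROCESS_NAMES:
        return Finding(event["host"], "ipmsg_process", f"IP Messenger started: {name}")
    if any(p in name for p in VPN_PROCESS_PLACEHOLDERS):
        return Finding(event["host"], "dprk_vpn_process", f"VPN placeholder pattern matched: {name}")
    return None


def check_flow(event: dict) -> Optional[Finding]:
    """Serverless chat shows up as peer-to-peer traffic on its default port,
    including presence broadcasts to the subnet broadcast address."""
    proto = event.get("proto", "").lower()
    dst = event.get("dst", "")
    if proto in ("udp", "tcp") and event.get("dport") == IPMSG_PORT:
        kind = "broadcast" if dst.endswith(".255") else "unicast"
        return Finding(event["host"], "ipmsg_port_2425", f"{proto.upper()}/{IPMSG_PORT} {kind} to {dst}")
    return None


CHECKERS = {"process_start": check_process, "net_flow": check_flow}


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-per-line telemetry and return every indicator match."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the run
        checker = CHECKERS.get(event.get("type"))
        if checker is None:
            continue
        finding = checker(event)
        if finding is not None:
            findings.append(finding)
    return findings


def hosts_with_multiple_indicators(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Hosts where more than one distinct rule fired deserve the first look."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {host: rules for host, rules in by_host.items() if len(rules) > 1}


# Constructed sample telemetry (not from any real environment).
SAMPLE_LOGS = """
{"type":"process_start","host":"ws-dev-17","user":"contractor01","process":"ipmsg.exe"}
{"type":"net_flow","host":"ws-dev-17","proto":"udp","src":"10.20.0.17","dst":"10.20.0.255","dport":2425}
{"type":"net_flow","host":"ws-dev-17","proto":"tcp","src":"10.20.0.17","dst":"10.20.0.5","dport":443}
{"type":"process_start","host":"ws-fin-03","user":"alice","process":"outlook.exe"}
{"type":"net_flow","host":"ws-fin-03","proto":"udp","src":"10.20.1.3","dst":"10.20.1.53","dport":53}
this line is not JSON and must be skipped
{"type":"process_start","host":"ws-dev-22","user":"contractor02","process":"netkey-vpn-placeholder.exe"}
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOGS.splitlines())
    for f in results:
        print(f"{f.host:<10} {f.rule:<18} {f.detail}")
    print("review first:", hosts_with_multiple_indicators(results))
```

Single matches are a prompt to look, not a verdict: a developer may legitimately run a LAN chat tool. The value of the second function is in correlating several independent indicators on the same host, which is where a ghost worker's toolset stands out from normal endpoint noise.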
Interview-stage detection remains one of the most practical defences. Mitigation strategies include watching for warning signs such as fake backgrounds, AI face changers, or AI voice changers during online interviews. Employers should also watch for discrepancies between the candidate's resume and what they say in interviews, such as which languages they claim to speak and where they claim to reside.
The operation reflects a calculated adaptation by Pyongyang to circumvent international sanctions. Rather than pursuing dramatic cyber attacks, North Korea has industrialised legitimate employment as a revenue stream and intelligence-gathering mechanism. For hiring managers and security teams, the challenge is acute: legitimate remote work practices have been weaponised. The workers are often technically competent. They operate within real job structures, not as obvious intruders. Yet the organisational infrastructure behind them, as the researchers reveal, is far more systematic than most Western firms realise.