Dive Brief:
- North Korea’s remote IT worker schemes rely heavily on Western collaborators, an elaborate hierarchy of roles and the extensive use of an open-source messaging application, IBM and the cybersecurity vendor Flare said in a report published on Wednesday.
- The new research details the tactics and technologies that North Korean operatives use to trick companies into hiring them and fly under the radar while they funnel their salaries to Pyongyang.
- Flare and IBM said the report could help businesses improve their ability to root out North Korean operatives posing as legitimate employees.
Dive Insight:
The Flare/IBM report describes a sophisticated operation through which North Korea places operatives inside Western and other businesses, fooling everyone from executives and hiring managers to coworkers at those organizations, while funneling the operatives' pay to the regime and potentially exposing sensitive company data.
The scheme involves recruiters who approach potential IT workers, facilitators who review recruiters’ recommendations, the workers themselves and the brokers in Western countries who offer services such as financial transfers and operating laptop farms. Notably, some IT workers don’t realize they are serving Pyongyang — “when asked about adopting a ‘more “US American” name,’” the report said, “candidates express confusion rather than acceptance — a reaction inconsistent with knowing they’d be working for the DPRK under false American identities.”
The supervisors of these operations have shown a particular interest in IT workers with experience in WordPress, blockchain technologies and Microsoft’s .NET framework, according to the report, indicating the kinds of roles in which Pyongyang seeks to place its operatives.
North Korea’s remote IT worker schemes generate approximately $500 million annually for the regime, according to a UN report.
Flare and IBM obtained copies of slide decks used to help recruits obtain IT jobs, with advice such as “Address[ing] the letter to the hiring manager or recruiter by name increases your chance for an interview by 26%.”
North Korea expects operatives to keep detailed records of how much time they spend looking for jobs. The report describes documents that urge workers to track their time down to the second. “Analysis of available timesheets indicate that time worked is averaged out, and groups/individuals are labelled with a number rank,” the report said. It added that this kind of ranking “may be part of North Korean life,” referencing “self-criticism sessions” common in the country.
The report describes several of the software programs that North Korean IT workers use to communicate with their handlers, including the Pyongyang-owned VPN NetKey and the open-source messaging tool IP Messenger. The latter program is especially valuable, according to the report, because it is peer-to-peer and does not route messages through a central server: there is no platform operator, as there is with Google or Discord, positioned to detect, suspend or report the accounts.
Operatives living in North Korea, China or Russia use commercial VPN services, especially Astrill VPN, to obscure their locations and pretend to be living in Western countries. But Flare and IBM also obtained data from likely North Korean-controlled servers showing searches for free proxy servers.
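The two pieces of tradecraft above (a serverless LAN messenger and commercial VPN or proxy exits) are things a defender can look for in its own telemetry. The following is an added example, not code from the Flare/IBM report: it runs two simple checks over constructed flow and login records. The flow check assumes, from outside the article, that IP Messenger uses its default port 2425 and discovers peers with UDP broadcasts on the local subnet. The login check flags logins from address ranges the defender has tagged as VPN or proxy exits, and logins whose GeoIP country disagrees with the country the worker declared to HR. Every record, address range, GeoIP entry and declared country below is constructed for illustration (documentation prefixes, not real Astrill or proxy ranges).

```python
"""
Added example (not from the Flare/IBM report). All sample data is constructed.
Assumption from outside the article: IP Messenger defaults to port 2425 and
advertises itself by UDP broadcast on the local subnet.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

IPMSG_PORT = 2425  # IP Messenger default port (assumption, not stated in the article)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Login:
    user: str
    src_ip: str


# Constructed reference data: what each remote worker told HR about residence.
DECLARED_COUNTRY = {"alice": "US", "bob": "US", "carol": "DE"}

# Constructed toy GeoIP table; a real deployment would query a GeoIP database.
GEO = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "CN",
    ip_network("192.0.2.0/24"): "DE",
}

# Constructed ranges the defender has tagged as commercial VPN / proxy exits.
VPN_EXITS = [ip_network("203.0.113.0/25"), ip_network("198.51.100.128/25")]


def geo_country(ip: str) -> Optional[str]:
    """Longest-match-free toy lookup: first table entry containing the address."""
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return None


def is_vpn_exit(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in VPN_EXITS)


def find_ipmsg_broadcasts(flows: Iterable[Flow], lan: str = "10.0.0.0/24") -> list[Flow]:
    """Flag UDP datagrams to port 2425 sent to the subnet or limited broadcast address.
    Unicast TCP on 2425 (file transfer) is deliberately left to a separate rule."""
    net = ip_network(lan)
    bcast = {str(net.broadcast_address), "255.255.255.255"}
    return [f for f in flows if f.proto == "udp" and f.dport == IPMSG_PORT and f.dst in bcast]


def find_suspicious_logins(logins: Iterable[Login]) -> list[tuple[Login, str]]:
    """Return (login, reason) pairs for logins via a tagged VPN/proxy exit or from a
    GeoIP country that disagrees with the worker's declared residence."""
    findings: list[tuple[Login, str]] = []
    for login in logins:
        reasons = []
        if is_vpn_exit(login.src_ip):
            reasons.append("commercial VPN/proxy exit")
        cc = geo_country(login.src_ip)
        declared = DECLARED_COUNTRY.get(login.user)
        if declared and cc and cc != declared:
            reasons.append(f"geo {cc} != declared {declared}")
        if reasons:
            findings.append((login, "; ".join(reasons)))
    return findings


# Constructed sample telemetry.
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "10.0.0.255", "udp", 2425),        # IP Messenger subnet broadcast
    Flow("10.0.0.12", "255.255.255.255", "udp", 2425),   # IP Messenger limited broadcast
    Flow("10.0.0.12", "10.0.0.20", "tcp", 2425),         # unicast file transfer, not flagged here
    Flow("10.0.0.12", "10.0.0.255", "udp", 137),         # ordinary NetBIOS noise
]
SAMPLE_LOGINS = [
    Login("alice", "203.0.113.10"),    # tagged VPN exit, geolocates to CN, declared US
    Login("bob", "198.51.100.130"),    # tagged VPN exit, geolocates to US, declared US
    Login("carol", "192.0.2.5"),       # consistent with declared DE
    Login("alice", "198.51.100.5"),    # consistent with declared US
]

if __name__ == "__main__":
    for f in find_ipmsg_broadcasts(SAMPLE_FLOWS):
        print(f"IP Messenger broadcast: {f.src} -> {f.dst}")
    for login, why in find_suspicious_logins(SAMPLE_LOGINS):
        print(f"suspicious login: {login.user} from {login.src_ip} ({why})")
```

Both checks are triage signals, not proof: the report notes that operatives also hunt for free proxies, which no VPN-exit list will cover, and a worker on a personal VPN will trip the same rule. The point of correlating the network signal with the HR-declared residence is to produce the kind of early, concrete discrepancy the researchers say a close relationship with the candidate is meant to surface.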
Flare and IBM offered a range of recommendations for keeping North Korean operatives out of organizations’ workforces, including forming close relationships with applicants.
“With the help of [W]estern collaborators, North Korean operatives have more capability to bypass traditional vetting processes such as identity verification and background checks,” researchers wrote, “but by building a personal relationship with candidates from day one, the warning signs can be detected early, and the level of personal engagement can make an infiltration attempt infeasible for the operative and the collaborator.”