
North Korean IT Workers Try, Try, Try Again

Data Breach Today · Archived Jun 20, 2026

Nisos Links 166K Applications, 21K Interviews and 76 Job Offers to North Korea

North Korean IT worker scammers flooded hundreds of thousands of U.S. companies with applications in 2024 and 2025, appropriating identities and using AI to infiltrate the technology sector. Nisos began looking into the scam after a suspected North Korean applied for a lead remote AI architect role.



Greg Sirico • June 19, 2026

North Korean IT worker scammers flooded hundreds of thousands of U.S. companies with applications in 2024 and 2025, appropriating identities and using artificial intelligence tools to infiltrate the technology sector.

Between December 2024 and September 2025, researchers at "human risk management" firm Nisos discovered that 22 North Korean operatives submitted 166,893 job applications, obtaining more than 21,000 interviews since April 2025. Nisos said North Koreans reaped 76 employment offers. According to the report, from application to offer, the overall success rate of the operation sits below 1%.

In typical Pyongyang fashion, operatives relied on stolen or fabricated identities, fraudulent employment histories, social engineering tactics and AI-backed interviewing tools to mislead U.S. employers (see: How to Spot a North Korean Job Candidate).

Nisos began looking into the scam in June 2025 after a suspected North Korean applied for a lead remote AI architect role at the company. Instead of ending the hiring process, researchers conducted a "pre-employment diligence investigation," posing intentionally targeted questions to determine applicant authenticity. The applicant used an AI-generated resume to masquerade as a Florida-based AI architect and senior-level stack developer.

According to researchers, the scam operates through a hierarchical chain of command, starting with administrators, followed by managers, team leads and operatives who each manage up to four personas.

Members coordinated malicious activity and communications through private Discord servers as well as a custom Vercel dashboard, tracking scam-related metrics such as applications submitted, interviews and other key data points in real time. Nisos said the group also relied on Google Meet, Zoom and Microsoft Teams for further communications and testing, which suggests "a dispersed operational structure rather than full co-location."

Tech companies were the primary target, accounting for 42.6% of extended offers, with consulting firms at 13.1% and healthcare and financial organizations at 8.2% each. Developer and engineering roles, from "entry-level positions at $55,000 to senior roles up to $230,000," made up nearly 72% of targeted jobs.

Operators purchased identity packages off Telegram, referencing a broker known as @accountproviderforyou, who offered "a real U.S. ID card, SSN and selfie for $120." Fraudulent ID cards and bank statements ranged from $50 to $70. Threat actors purchase such packages to increase their chances of employment. Additionally, group chatter referenced operatives purchasing LinkedIn and other "unspecified profiles," but did not mention the source of the sale.

The investigation picked up on extensive patterns of AI usage throughout the hiring process, with operatives using ChatGPT to "rehearse answers" before interviews, create resumes tailored to job descriptions and generate "conversational and consistent" responses in line with their adopted persona.

In some instances, facilitators (American operatives recruited as the face of the operation, also referred to as "natives" by researchers) would attend interviews as the candidate in question, while a different operative supplied responses via PiKVM-supported laptop farms. The KVM-over-IP device is open source and allows users to remotely manage devices from anywhere through web browsers.

Additionally, researchers observed operatives using tools including AnyDesk, Astrill VPN, shell services, Tailscale and virtual machines to remotely access devices, maintain operational security and increase overall believability. Once hired, North Korean workers completed on-the-job tasks themselves, passed off tasks to facilitators or outsourced work to third-party "bidders" located in India, Kenya or Nigeria, according to communications Nisos reviewed.