What happened
DPRK remote worker schemes generate illicit revenue and unauthorized access by using fake identities, false employment profiles, and remote work placements to infiltrate legitimate organizations. North Korean IT operations, often linked to threat groups aligned with the DPRK Ministry of National Defense and supporting infrastructure, embed covert developers into global companies using misrepresented resumes and fabricated professional personas. These workers secure contracts, gain access to employer‑provided systems and remote tools, and in some cases escalate privileges within internal environments. According to Silent Push analysts and researchers, the DPRK typically employs two distinct operational variants to carry out these intrusions. Collectively, these activities have reportedly generated hundreds of millions of dollars annually while providing access to sensitive corporate networks.
Who is affected
Organizations globally that hire remote developers are at risk of indirect exposure through fraudulent identity misuse and remote access credentials; sectors that rely on outsourced or contract work are particularly vulnerable.
Why CISOs should care
Fraudulent remote worker schemes can erode trust in hiring pipelines and create hidden persistent access vectors, exposing sensitive data, intellectual property, and internal networks to foreign adversaries with financial and espionage motives.
3 practical actions
- Vet remote workers comprehensively: Validate identities using multi‑factor checks, professional background verification, and secure onboarding processes.
- Control remote access tools: Limit administrative rights and monitor remote session activity for anomalies.
- Review contract workforce risk: Incorporate security assessments into vendor and contractor risk management programs.
