OFAC Targets North Korean Remote IT Worker Scheme Fueling WMD Programs

CyberSecureFox

The U.S. Department of the Treasury, acting through the Office of Foreign Assets Control (OFAC), has imposed sanctions on six individuals and two entities involved in a global network of North Korean IT workers. According to U.S. authorities, this network uses fraudulent remote employment to siphon revenue from companies in the United States and abroad, channeling the proceeds into North Korea’s weapons of mass destruction (WMD) and ballistic missile programs.

How the North Korean Remote IT Worker Scam Operates

The sanctioned actors are linked to a multi‑layered cyber and financial scheme often tracked by security vendors under names such as Coral Sleet / Jasper Sleet, PurpleDelta, and Wagemole. The core tactic is to place North Korean IT specialists into legitimate organizations under fabricated or stolen identities, frequently leveraging real profiles of Western professionals as cover.

These operators apply for roles such as remote software developers, data analysts, system administrators, or Salesforce specialists. Once hired, they gain legitimate access to corporate infrastructure, code repositories, and sensitive business data. A substantial portion of their earnings is then covertly remitted to North Korea, circumventing UN and U.S. sanctions and directly supporting the DPRK’s sanctioned nuclear and missile programs, as highlighted in U.S. Treasury and UN Panel of Experts reporting.

In many cases, the operation does not end with salary diversion. Security researchers and government advisories have documented instances where these embedded workers deploy malware, backdoors, and credential stealers. Stolen intellectual property, personal data, and confidential business information are then used for extortion and cyber‑enabled espionage. This pattern aligns with broader North Korean cyber tactics, including high‑value cryptocurrency thefts attributed to groups like Lazarus Group, which Chainalysis and other firms estimate to have generated hundreds of millions of dollars for the regime.

Use of China, VPNs, and Infrastructure Obfuscation

Operating from China to Mask North Korean Cyber Activity

Research from LevelBlue and other threat intelligence teams indicates that many North Korean IT workers operate from Chinese territory rather than directly from the DPRK. China offers more reliable internet connectivity and access to commercial VPN services, enabling operators to hide their true location and appear to be based in the United States or other Western countries.

Investigators have singled out the use of Astrill VPN, a service known for bypassing China’s “Great Firewall” and routing traffic through U.S.-based exit nodes. This enables North Korean operators and subgroups of Lazarus, including units associated with Contagious Interview, to manage command‑and‑control (C2) servers, maintain persistent access to victim networks, and evade geolocation‑based defenses.

In one documented case cited by LevelBlue, a North Korean operator successfully obtained a remote Salesforce data specialist role. Within just 10 days, however, the organization revoked access after log analysis revealed repeated connections originating from China that were inconsistent with the worker’s claimed U.S. location. This incident underscores the importance of continuous monitoring of login geolocation and anomaly detection in remote‑first environments.

Artificial Intelligence as a Force Multiplier for North Korean Cyber Operations

AI‑Generated Identities and Forged Documentation

Microsoft and other vendors report that the Jasper Sleet and related clusters are increasingly leveraging artificial intelligence (AI) across the entire attack lifecycle. AI tools are used to generate convincing digital personas, CVs, and cover letters tailored to specific job markets and technical stacks, significantly raising the success rate of fraudulent job applications.

To strengthen these personas, operators rely on applications such as Faceswap and similar tools. These are used to blend North Korean faces into stolen identity documents, create professional‑looking profile photos, and populate LinkedIn, GitHub, and other social media accounts with synthetic but realistic imagery. For HR and security teams, these AI‑enhanced identities are increasingly difficult to distinguish from legitimate candidates without deeper verification.

Automated Malware Development and AI Jailbreaking

According to Microsoft, Flare, and IBM X-Force, North Korean threat actors also employ so‑called “agentic” AI systems—automated workflows that can iteratively generate, test, and refine content and code. These agents help them rapidly create and update malicious payloads, fabricate job postings, spin up fake company websites, and even script realistic customer support or recruiter interactions.

Investigations have documented attempts to “jailbreak” large language models, coercing them into producing or improving malicious code despite built‑in safeguards. Within these groups, responsibilities are clearly divided: recruiters identify vacancies and potential targets, facilitators manage access to compromised accounts and payment channels, IT workers carry out technical tasks and data operations, and Western collaborators—sometimes unwitting—provide their identities, infrastructure, or accounts to enhance the illusion of legitimacy.

Coordination relies on simple but effective tooling: shared spreadsheets to track job applications and tasks, IP Messenger (IPMsg) for decentralized internal chat, and Google Translate plus mainstream AI assistants for translating job descriptions, drafting communications, and handling technical questions across multiple languages.

Defensive Measures: Treating North Korean IT Workers as an Insider Threat

Because these actors seek long‑term, trusted access rather than quick, noisy intrusions, their activity increasingly resembles insider threat scenarios. U.S. CISA, FBI, and the Department of State have issued joint advisories urging organizations to focus on detecting abuse of legitimate accounts, unusual access patterns, and anomalous geolocations over time rather than only traditional perimeter breaches.

Effective defenses include rigorous identity verification during hiring, particularly for remote technical roles; enforced multi‑factor authentication (MFA); strict least‑privilege access controls; continuous monitoring of VPN and remote access sessions; and periodic re‑validation of contractors and third‑party staff. Security teams should flag “impossible travel” events, frequent IP changes via consumer VPNs, and persistent access from regions inconsistent with declared residence.
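The geolocation checks described here, and the log analysis in the LevelBlue case above, as an added example that is not from the article or from any vendor's tooling: it runs two checks over constructed login events, an impossible-travel test on consecutive logins of the same account and a count of persistent access from countries other than the declared residence. The user name, coordinates, timestamps and the 900 km/h speed threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float

# Declared residence per worker, as HR would record it (constructed sample value).
DECLARED_RESIDENCE = {"jdoe": "US"}
# Constructed sample logins: a worker claiming U.S. residence whose later sessions arrive from elsewhere.
SAMPLE_LOGINS = [
    Login("jdoe", datetime(2024, 5, 1, 9, 0), "US", 40.71, -74.01),
    Login("jdoe", datetime(2024, 5, 1, 11, 0), "CN", 39.90, 116.40),
    Login("jdoe", datetime(2024, 5, 2, 10, 0), "CN", 39.90, 116.40),
    Login("jdoe", datetime(2024, 5, 3, 10, 30), "CN", 39.90, 116.40),
]

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, max_kmh: float = 900.0):
    """Consecutive logins per user whose implied speed exceeds max_kmh (roughly airliner speed)."""
    ordered = sorted(logins, key=lambda l: (l.user, l.ts))
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.user != cur.user:
            continue
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        km = haversine_km(prev, cur)
        if km > 0 and (hours <= 0 or km / hours > max_kmh):
            flagged.append((prev, cur))
    return flagged

def residence_mismatch(logins, declared, min_events: int = 2):
    """(user, country) -> count of logins from outside the declared residence, kept only
    when seen >= min_events times so one trip does not alert but persistent access does."""
    counts = {}
    for l in logins:
        home = declared.get(l.user)
        if home and l.country != home:
            counts[(l.user, l.country)] = counts.get((l.user, l.country), 0) + 1
    return {k: v for k, v in counts.items() if v >= min_events}
```

Thresholds such as the speed limit and the event count should be tuned against a baseline of the organization's own legitimate remote-access patterns before alerting on them.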

For HR and procurement, practical safeguards involve using verified background checks where legally permissible, requiring live video interviews, validating tax and payment information, and being cautious of candidates requesting to be paid through intermediaries or third‑party accounts. Training recruiters to recognize signs of synthetic identities and to coordinate closely with security teams is critical.

As North Korean cyber operations increasingly blend remote employment fraud, advanced VPN obfuscation, and AI‑generated identities, organizations must adapt by combining zero‑trust principles, robust identity proofing, and continuous behavioral monitoring. Investing in security awareness for HR, finance, and IT staff, and staying aligned with official advisories from OFAC, CISA, and international partners, will significantly reduce the risk of inadvertently hiring sanctioned North Korean IT workers and help disrupt the financial lifelines to the DPRK’s WMD programs.
