
North Korea IT worker scheme swells beyond US companies

North Korean nationals who conceal their identities to infiltrate businesses as employees or contractors continue to expand their presence beyond technology companies and America’s borders. 

Nearly every industry has been duped into hiring North Koreans in violation of sanctions, as technology companies represent only half of all targeted victims, threat researchers at Okta said in a report this week.

Okta Threat Intelligence found evidence confirming North Korean nationals have targeted and sought roles at any organization recruiting remote talent. The North Korean regime will pursue any opportunity to collect and launder payment if the application, interview process and work can be performed remotely, researchers said. 

North Koreans are no longer limiting themselves to IT and software engineering positions. According to Okta’s research, more North Koreans are now applying for remote finance positions, such as payment processing, as well as other engineering roles.

While technology firms attract the highest volume of applications and job interviews, other verticals including finance and insurance, health care, manufacturing, public administration and professional services appeared often in Okta’s analysis. 

Researchers based the study on more than 130 identities used by facilitators and workers participating in the scheme, and linked those personas to more than 6,500 job interviews spread across about 5,000 companies over a four-year period through mid-2025.

Okta acknowledges this only reflects a small sample of North Korea’s scheme, but said it highlights the extent to which IT worker units are targeting more industries in more countries. 

“It’s possible that increased awareness of this threat — as well as government and private sector collaborative efforts to identify and disrupt their operations — may be an additional driver for them to increasingly target roles outside of the US and IT industries,” Okta threat researchers said in the report.

Indeed, threat intelligence firms and officials have consistently warned about the growing pervasiveness of North Korea’s scheme. In April, Mandiant said hundreds of Fortune 500 organizations have unwittingly hired North Korean IT workers. 

CrowdStrike, in August, said it observed a 220% year-over-year increase in North Korean IT worker activity, amounting to 320 incident response cases in the past year. The Justice and Treasury Departments have seized cryptocurrency, issued indictments and sanctioned people and entities allegedly involved in the yearslong scheme.

Okta analysis revealed a global expansion of the North Korea IT worker operation, with 27% of targeted roles based outside of the United States. Researchers observed North Korean operatives targeting roles in the United Kingdom, Canada and Germany, with each country accounting for about 150 to 250 roles. 

Other top targeted countries include India, Australia, Singapore, Switzerland, Japan, France and Poland.

Okta cautioned that companies outside the U.S. are likely less practiced at, and less concerned with, identifying North Korean job applicants, because the scheme was long viewed as a U.S. technology-industry problem. That gap raises the risk in newly targeted countries, researchers said. 

“Years of sustained activity against a broad range of U.S. industries have allowed Democratic People’s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,” Okta said in the report. “Consequently, they are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”

The post North Korea IT worker scheme swells beyond US companies appeared first on CyberScoop.

What to do if your company discovers a North Korean worker in its ranks

Terminating their employment is the easy part. The rest is complicated.

When enterprises discover they have inadvertently hired North Korean information technology workers, they face a cascade of urgent decisions involving sanctions law, cybersecurity protocols, and law enforcement cooperation that can expose them to significant legal and financial risks.

Incident response experts and cybersecurity lawyers explained how enterprises can navigate these risks Monday at Google’s Cyber Defense Summit in Washington, D.C. The challenges have grown more prominent as cybersecurity firms track what they describe as an organized employment scheme designed to generate revenue for North Korea’s weapons programs. 

“Their primary goal is revenue generation, often from multiple employers at once, to fund their weapons of mass destruction program,” Mike Lombardi, who leads North Korean-focused incident response work at Mandiant, said during a panel discussion on the issue.

While North Korean IT workers ultimately funnel their earnings back to the regime, cybersecurity experts emphasize that the workers themselves are primarily motivated by securing paychecks rather than causing immediate corporate damage. Because of this, experts emphasized Monday how companies need all of their departments — like human resources, security, and legal — to watch for warning signs when hiring and to work together if they discover a suspicious worker on their team.

Detection through HR anomalies

Evan Wolff, who co-chairs Akin’s cybersecurity, privacy and data protection practice, emphasized that initial detection often occurs during routine vetting processes. “A lot of these cases seem more HR than cyber at first,” Wolff said.

Key indicators include email addresses with no history in the records of known data brokers, LinkedIn profiles built on recycled resumes, and an applicant’s reluctance to appear on video during interviews. Matthew Welling, a partner in Crowell & Moring’s cyber practice, noted that mismatched personal information often provides the first clues.

“A big part of this is spotting pieces of information that don’t fit together — for example, if the address on their ID doesn’t match the address where they want things sent, that’s often a giveaway,” Welling said.

Caroline Brown, a Crowell & Moring partner specializing in international trade and national security, said investigations sometimes reveal more complex patterns. “We saw one IT worker employed at several places at once, looking for their next job, possibly using their employer’s systems to do so,” Brown said.
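The cross-checks the panelists describe (an ID address that does not match the shipping address, one resume reused under several identities, a candidate who will not appear on video) can be run mechanically over applicant records before a hire is made. The following is an added illustrative example, not code from CyberScoop or from any firm quoted above; the `Applicant` record, the indicator names and the sample applicants are all constructed for the example. The data-broker lookup and the concurrent-employment check mentioned in the text need external data and are deliberately left out so the script runs offline.

```python
"""Applicant-record consistency checks for the hiring-fraud indicators
discussed above. Illustrative example; the record layout and sample data
are constructed assumptions, not any vendor's schema."""
from dataclasses import dataclass
import hashlib
import re


@dataclass
class Applicant:
    applicant_id: str
    name: str
    id_document_address: str      # address printed on the submitted ID
    shipping_address: str         # where the candidate asked the laptop be sent
    resume_text: str
    declined_video_interview: bool


def _norm_addr(addr: str) -> str:
    # Drop case, punctuation and whitespace so "St." vs "St" is not a mismatch
    return re.sub(r"[^a-z0-9]", "", addr.lower())


def resume_fingerprint(text: str) -> str:
    # Case- and whitespace-insensitive hash; the same resume submitted
    # under two different names yields the same fingerprint
    canon = " ".join(text.lower().split()).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


def find_indicators(applicants: list[Applicant]) -> dict[str, list[str]]:
    """Return {applicant_id: [indicator, ...]} for applicants with any red flag.

    Indicators:
      address_mismatch   ID address differs from requested shipping address
      recycled_resume:X  same resume text also submitted by applicant(s) X
      no_video           candidate declined to appear on camera
    """
    by_fingerprint: dict[str, list[str]] = {}
    for a in applicants:
        by_fingerprint.setdefault(resume_fingerprint(a.resume_text), []).append(a.applicant_id)

    flags: dict[str, list[str]] = {}
    for a in applicants:
        reasons = []
        if _norm_addr(a.id_document_address) != _norm_addr(a.shipping_address):
            reasons.append("address_mismatch")
        peers = [x for x in by_fingerprint[resume_fingerprint(a.resume_text)]
                 if x != a.applicant_id]
        if peers:
            reasons.append("recycled_resume:" + ",".join(sorted(peers)))
        if a.declined_video_interview:
            reasons.append("no_video")
        if reasons:
            flags[a.applicant_id] = reasons
    return flags


# Constructed sample records (fictitious people and addresses)
SAMPLE = [
    Applicant("A1", "Dana Ortiz", "12 Elm St, Austin, TX 78701",
              "12 Elm St., Austin TX 78701",
              "Senior backend engineer. Python, Go, Kubernetes. 8 years.", False),
    Applicant("A2", "Lee Park", "40 Oak Ave, Denver, CO 80202",
              "9 Pine Rd, Bellevue, WA 98004",
              "Full-stack developer with React and Node.js experience.", True),
    Applicant("A3", "Chris Wu", "5 Lake Dr, Tampa, FL 33602",
              "5 Lake Dr, Tampa, FL 33602",
              "Blockchain developer. Solidity, Rust. Built DeFi apps.", False),
    Applicant("A4", "Sam Patel", "77 Hill St, Reno, NV 89501",
              "77 Hill St, Reno, NV 89501",
              "Blockchain developer.  Solidity, Rust.  Built DeFi apps.", False),
]

if __name__ == "__main__":
    for applicant_id, reasons in find_indicators(SAMPLE).items():
        print(applicant_id, reasons)
```

Run stand-alone, the script flags A2 (address mismatch, no video) and the A3/A4 pair (one resume under two identities); A1 passes. In practice the flagged records go to HR and security together, which is the cross-team handoff the panel stresses, rather than to either alone.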

Immediate sanctions exposure

The legal implications can become apparent quickly once a North Korean is suspected to be employed inside an organization. Brown, who previously worked at the Justice Department’s National Security Division and the Department of Treasury’s Office of Foreign Assets Control (OFAC), explained the strict liability that can come with violating U.S. sanctions.

“North Korea is under a comprehensive embargo — no dealings with U.S. persons or companies, directly or indirectly,” Brown said. “Finding out you’ve made a payment to them could be an additional violation, even strict liability, meaning you don’t need to know you did it; you’re still liable.”

The timing of discovery creates additional complications for things like payroll processing. When asked about scenarios where companies discover a rogue employee mid-week but have payroll scheduled for Friday, Brown responded that the situation becomes “very fact-specific and is about risk tolerance.”

“If you process a payment and it turns out to be for a North Korean, your payment processor — a U.S. financial institution — has violated sanctions, which may also expose you as the cause of that violation,” Brown said.

Strategic response decisions

Unlike typical cybersecurity incidents, these cases sometimes involve staying in communication with the suspected workers to facilitate evidence collection and device recovery. Welling noted that the threat actors’ behavior differs from expectations.

“More often than not, they’re very cooperative, trying to get one more paycheck or severance, even arranging for someone to return the laptop for money,” Welling said. “The key is to keep the interaction alive: tell them you’re having technical issues, keep communication open, and stay in touch.”

Lombardi confirmed this approach to CyberScoop, stating that “most of the time, we just want to get the laptop back.” He explained that maintaining the ruse can be essential for forensic analysis, particularly when evidence is stored locally on devices rather than in centralized systems.

The cooperative nature of these workers when discovered reflects their primary motivation. “By and large, we see that their motivation is to remain employed,” Lombardi said. “Even if things fall apart, the worker will usually comply, to try to stretch out payments or maintain a relationship, not go nuclear.”

Law enforcement and regulatory coordination

One of the biggest decisions companies face is when and how to involve federal authorities. Wolff, who previously worked at the Department of Homeland Security, noted the FBI’s effectiveness in these cases.

“As someone who spent four years at Homeland Security, I don’t always love the FBI, but in this case they’re extremely effective and can work proactively with affected clients to stop this pre-employment,” Wolff said.

There is no legal requirement to notify law enforcement, but Wolff noted that “sharing information with the FBI is helpful, and as the relationship lengthens or the money paid increases, the risk grows.”

Brown also highlighted the benefits of voluntary self-disclosure to OFAC. “More companies are doing so, which preserves mitigation credit — a 50% reduction in penalties — if OFAC were to penalize you,” she said.

The disclosure decision becomes more complex when the FBI initiates contact. “It depends on what the cooperation agreement is with the FBI and whether they’ve already told OFAC about the incident,” Brown said.

Wolff emphasized that whatever the appetite is for getting outside parties involved, an organization should test those plans through tabletop exercises. He explained that even companies that hold cybersecurity-focused tabletops “don’t cover this kind of case” and stressed the importance of including HR personnel in planning a response.

“One challenge is that nobody tells you ‘this person is definitely North Korean’ early on, so you’re piecing together information, often through HR investigations rather than standard cyber incident response,” Wolff said.

The panel members agreed that the threat continues to evolve and expand. Welling characterized it as an enduring challenge: “This isn’t a threat that’s going away. If anything, more groups are picking up the playbook.”

Update – 9/24/25: A previous version of this article attributed a quote to Matthew Welling that was actually said by Evan Wolff.


Treasury sanctions North Korea IT worker scheme facilitators and front organizations

The Treasury Department on Wednesday expanded efforts to disrupt the pervasive North Korean technical worker scheme by imposing sanctions on people and organizations serving as facilitators and fronts for the country’s years-long conspiracy effort to defraud businesses and earn money despite international sanctions. 

Vitaly Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology and Korea Sinjin Trading Corp. were all sanctioned by the Treasury Department’s Office of Foreign Assets Control for their alleged roles in the scheme orchestrated by the North Korean government. 

Officials accuse the regime of hatching and maintaining an expansive operation that funnels money to its weapons and missiles programs by placing teams of specialized workers in IT jobs in the United States and elsewhere using fraudulent documents, stolen identities and false personas to hide their North Korean nationality.

“The North Korean regime continues to target American businesses through fraud schemes involving its overseas IT workers, who steal data and demand ransom,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a written statement.

As the sanctions-evading scheme has grown, so too has the U.S. government’s response. Officials continue to target people and organizations involved, and Wednesday’s action follows the Justice Department’s seizure of $7.74 million from North Korean nationals who allegedly attempted to launder cryptocurrency obtained by IT workers who gained illegal employment as part of the scheme. 

Andreyev, a 44-year-old Russian national, allegedly facilitates payments to Chinyong Information Technology Cooperation Co., an outfit associated with North Korea’s Ministry of Defense that was targeted in the cryptocurrency seizure and previously sanctioned, according to the Treasury Department. Chinyong employs teams of IT workers in Russia and Laos, according to officials.

“Since at least December 2024, Andreyev has worked with Kim Ung Sun, a Russia-based Democratic People’s Republic of Korea economic and trade consular official, to facilitate multiple financial transfers worth a total of nearly $600,000, by converting cryptocurrency to cash in U.S. dollars,” the Treasury Department said in the sanctions announcement.

Officials said Shenyang Geumpungri is a Chinese front company for Chinyong, which manages a group of North Korean IT workers that have earned more than $1 million in profits for Chinyong and Sinjin, an affiliate of the regime’s General Political Bureau.

The Treasury Department earlier this summer imposed another set of sanctions on people and organizations allegedly involved in the North Korea IT worker scheme. In late July, the State Department announced a reward up to $15 million for information leading to the arrest of seven North Korean nationals accused of multiple crimes, including cryptocurrency theft, fraudulent remote IT work and tobacco smuggling.


CrowdStrike investigated 320 North Korean IT worker cases in the past year

North Korean operatives seeking and gaining technical jobs with foreign companies kept CrowdStrike busy, accounting for almost one incident response case or investigation per day in the past year, the company said in its annual threat hunting report released Monday.

“We saw a 220% year-over-year increase in the last 12 months of Famous Chollima activity,” Adam Meyers, senior vice president of counter adversary operations, said during a media briefing about the report.

“We see them almost every day now,” he said, referring to the state-sponsored group of North Korean technical specialists that has crept into the workforce of Fortune 500 companies and small-to-midsized organizations across the globe. 

CrowdStrike’s threat-hunting team investigated more than 320 incidents involving North Korean operatives gaining remote employment as IT workers during the one-year period ending June 30. 

“It’s not just in the United States anymore,” Meyers said. The threat group escalated its operations throughout the past year, landing jobs at companies based in Europe, Latin America and elsewhere to earn salaries that are sent back to Pyongyang. 

CrowdStrike researchers found that Famous Chollima fueled that pace of activity with an assist from generative artificial intelligence tools that helped North Korean operatives move through hiring workflows and evade detection during the hiring process.

“They use generative AI across all stages of their operation,” Meyers said. The insider threat group used generative AI to draft resumes, create false identities, build tools for job research, mask their identity during video interviews and answer questions or complete technical coding assignments, the report found.

CrowdStrike said North Korean tech workers also used generative AI on the job to help with daily tasks and manage various communications across multiple jobs — sometimes three to four — they worked simultaneously. 

Threat hunters observed other significant shifts in malicious activity during the past year, including a 27% year-over-year increase in hands-on-keyboard intrusions — 81% of which involved no malware. Cybercrime accounted for 73% of all interactive intrusions during the one-year period. 

CrowdStrike continues to find and add more threat groups and clusters of activity to its matrix of cybercriminals, nation-state attackers and hacktivists. The company identified 14 new threat groups or individuals in the past six months, Meyers said. 

“We’re up to over 265 named adversary groups that we track, and then 150 what we call malicious activity clusters,” otherwise unnamed threat groups or individuals under development, Meyers said. “This problem becomes more protracted and continues to proliferate into other countries that are looking to evolve their intelligence collection and espionage programs by adding offensive cyber operations.”


Social engineering attacks surged this past year, Palo Alto Networks report finds

Social engineering — an expanding variety of methods that attackers use to trick professionals to gain access to their organizations’ core data and systems — is now the top intrusion point globally, attracting an array of financially motivated and nation-state backed threat groups. 

More than one-third (36%) of the incident response cases Palo Alto Networks’ Unit 42 worked on during the past year began with a social engineering tactic, the company said this week in its global incident response report.

Threat groups of assorted motivations and origins are fueling the rise of social engineering. Cybercrime collectives such as Scattered Spider and nation-state operatives, including North Korean technical specialists that have infiltrated the employee ranks at top global companies, have adopted social engineering as the primary hook into IT infrastructure and sensitive data. 

Scattered Spider, a threat group Unit 42 tracks as Muddled Libra, has infiltrated more than 100 businesses since 2022 — including more than a dozen this year — to extort victims for ransom payments. “We’re constantly engaged with them. It’s just been one after another is what it feels like to us,” Michael Sikorski, chief technology officer and VP of engineering at Unit 42, told CyberScoop.

Attacks and intrusions linked to Scattered Spider and the vast North Korean tech worker scheme made up a large share of the incident response cases Unit 42 worked on last year, with roughly equal numbers of cases attributable to each, Sikorski said.

North Korean nationals have gained employment at hundreds of Fortune 500 companies, sending their salaries back to Pyongyang.

While the North Korean insider threat is linked to a nation state, it is a financially motivated social engineering attack, he said. This split between attribution and objective underscores how the boundaries between geopolitical and financial motivations are blurring.

Other nation-state threat groups are using social engineering, too, but a financial payout was the primary driver in 93% of social engineering attacks in the past year, Unit 42 said in the report.

Social engineering attacks are also the most likely to put data at risk. These attacks exposed data in 60% of Unit 42 incident response cases, 16 percentage points higher than other initial access vectors, the report found.

Attackers are focused on accessing the data they want, and oftentimes this makes help desk staff, administrators and employees with system-wide access a key target. “Those people often have the privileges to everything that the attacker wants — the cloud environment, the data, the ability to reset someone’s multifactor so they can reset it and register a new phone,” Sikorski said.

Scattered Spider has consistently engaged in “high-touch social engineering attacks against those specific individuals,” he said.

Unit 42’s annual study includes data from more than 700 attacks that the incident response firm responded to in the one-year period ending in May, spanning small organizations and Fortune 500 companies. Nearly three-quarters of the attacks targeted organizations in North America.


US offers $15 million reward for info on North Korean nationals involved in global criminal network

The State Department announced Thursday it will pay up to $15 million for information leading to the arrest of seven North Korean nationals accused of operating criminal schemes that generate revenue for Pyongyang’s weapons programs, marking the latest effort to disrupt financing networks that have funneled money around sanctions.

The coordinated action that also involved the Justice and Treasury departments targets what officials describe as an extensive network involving cryptocurrency theft, fraudulent remote IT work, tobacco smuggling and other illicit activities that primarily target U.S. companies and citizens.

The largest reward, $7 million, is offered for Sim Hyon-sop, who prosecutors say led tobacco smuggling operations designed to generate U.S. dollars for North Korea. Six co-conspirators carry bounties ranging from $500,000 to $3 million each.

The announcement comes as U.S. officials increasingly focus on North Korea’s ability to circumvent international sanctions through criminal enterprises that have grown more sophisticated in recent years. Intelligence assessments indicate revenue from these schemes directly funds North Korea’s nuclear weapons and ballistic missile programs, which have expanded significantly under Kim Jong Un’s leadership.

One of the most lucrative schemes involves dispatching thousands of North Korean IT workers abroad, primarily to Russia and China, where they assume false identities to secure remote positions with U.S. companies. These workers often target high-paying technology jobs, with earnings sent back to North Korea to support government programs. 

In a related case, a U.S. citizen, Christina Marie Chapman, was sentenced to more than eight years in prison Thursday for facilitating a scheme that defrauded more than 300 U.S. companies, by helping North Korean IT workers obtain remote positions under false pretenses.

The Treasury Department simultaneously sanctioned Korea Sobaeksu Trading Company, which officials say has deployed IT workers to Vietnam, along with three additional North Korean nationals involved in similar schemes.

Research has indicated these operations generate hundreds of millions of dollars annually, providing North Korea with hard currency needed to purchase materials and technology for weapons development.

The use of criminal revenue to fund state weapons programs represents what analysts describe as a hybrid model where traditional organized crime intersects with state-sponsored activities to achieve strategic objectives.
