Why DPRK IT Worker Schemes Succeed: They Operate as Organized Teams
North Korea's IT worker programs are regularly framed as a fraud problem: someone lying on a resume, faking a video call, or using a VPN. That framing misses the point.
What U.S. government advisories from the Departments of State, Treasury, and the FBI describe is something far more structured: a state-backed, systematically organized workforce deployment model designed to place fraudulent workers inside legitimate companies at scale. These schemes keep succeeding not because companies are careless, but because the model itself was built to defeat the controls companies rely on.
Division of Roles
These schemes are not the work of a lone actor. U.S. government advisories document a pattern in which responsibilities are distributed across a team, with each function handled separately by people who specialize in it. As a result, identity risk exists before an application is submitted and before any conversation takes place.
Identity and Profile Management is the foundation that makes the candidate believable on paper. One part of the team handles forged documents, fabricated employment histories, stolen identities, and realistic aliases so the application survives scrutiny before anyone asks a question.
Hiring and Communication is what sustains credibility in live interaction. Every interview is ultimately an identity trust decision rather than a simple skills evaluation, and this function is responsible for passing that test and then maintaining the assumed identity across ongoing client interactions.
Access and Connectivity Obfuscation ensures that the real operator remains untraceable. VPNs, virtual private servers, third-country IP addresses, and laptop farms (a dedicated device per account, operated remotely) are managed specifically to keep the worker's true location and identity invisible to employers and platforms.
Compensation and Account Intermediation prevents payment from reaching a traceable beneficiary. Proxy accounts and third-party financial intermediaries keep the transaction record separated from the actual recipient.
These responsibilities are intentionally not performed by the same individual, which is precisely what makes verification so difficult. The person a hiring manager speaks with, the person delivering the work, and the person receiving payment may all be different members of the same operation. The deception does not depend on any single participant being exceptional. It depends on the system functioning as designed.
Scaling Through Standardized Operations
These operations are not built around a single successful placement. They are designed to run continuously across dozens of engagements at once.
Fabricated identities rotate across freelance platforms. Infrastructure, payment channels, and account access function as shared resources rather than one-to-one assets. Playbooks for winning contracts, passing interviews, and managing client relationships are developed once and reused across regions.
Federal guidance has also noted that DPRK IT workers frequently recommend additional DPRK workers to companies that have already hired them. Once access is established, the operation expands. The initial hire is not the end goal. It is the entry point.
Why Traditional Security Controls Fail
Traditional security models rely on familiar threat categories. DPRK IT worker schemes bypass those assumptions by operating outside the expected patterns.
No Behavioral Shift to Detect
Insider threat: assumes a trusted employee who later turns malicious, with detection mechanisms focused on identifying that behavioral change.
DPRK scheme: the deception is present from the first interaction and remains consistent throughout, leaving no shift to observe and no moment of betrayal to trigger alerts.
State Support Removes Constraints
Individual fraudsters: are typically constrained by resources, which limits how long they can sustain a credible false identity.
DPRK operations: state-backed operations do not face those limitations. Funding, infrastructure, and patience can be sustained for years.
Access Was Legitimately Granted
Account takeover: these scenarios involve unauthorized access obtained through exploitation.
DPRK IT workers: by contrast, obtain access that the organization itself approved. The privileges are technically legitimate, even though the underlying identity is not.
The Security Gap Matrix

| Control | Why It Fails |
|---|---|
| Resume screening | Validates forged credentials that appear legitimate |
| Video interviews | Cannot detect external assistance, scripted responses, or proxy participation |
| Background checks | Verify the stolen identity, not the actual person |
| KYC/AML financial checks | Pass when payment is routed through legitimately held proxy accounts |
| Device monitoring | Misses a managed device being operated remotely from a laptop farm |
| One-time identity verification | Does not catch identity swaps or shared accounts after onboarding |
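Some of the gaps in the matrix, and the access-obfuscation function described under Division of Roles, leave traces in telemetry most organizations already collect: who authenticated, from where, and when. The following is an added example written for this page; it is not Polyguard code and is not taken from the cited advisories. It scores constructed login events for three indicators of the kind the advisories describe: several accounts authenticating from one source IP (a laptop farm or shared proxy), logins from a country other than the declared work location, and egress from ranges assumed to belong to hosting/VPS providers. The log format, the IP-to-country table, the hosting prefixes, the corporate egress allowlist and the thresholds are all assumptions.

```python
"""Added example for this page (not Polyguard code, not from the cited
advisories): flag authentication events for indicators of proxied or
shared remote access. The log format, IP-to-country table, hosting
prefixes, allowlist and thresholds are all constructed assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup: prefix -> ISO country code.
IP_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
# Constructed: ranges assumed to belong to VPS/hosting providers.
HOSTING_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed auth events: timestamp,account,declared_work_country,source_ip
SAMPLE_LOG = """\
2024-03-04T09:02:11Z,jdoe,US,203.0.113.7
2024-03-04T09:05:40Z,asmith,US,203.0.113.7
2024-03-04T09:07:02Z,rlee,US,203.0.113.7
2024-03-04T13:44:19Z,jdoe,US,198.51.100.22
2024-03-05T08:30:00Z,mchen,US,192.0.2.15
2024-03-05T08:31:00Z,kpatel,US,203.0.113.90
"""


def parse_log(text):
    """Parse the constructed CSV format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, declared, ip = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "declared": declared,
            "ip": ipaddress.ip_address(ip),
        })
    return events


def country_of(ip):
    for net, cc in IP_COUNTRY.items():
        if ip in net:
            return cc
    return None  # unknown: never alert on missing data


def is_hosting(ip):
    return any(ip in net for net in HOSTING_PREFIXES)


def analyze(events, min_shared_accounts=3, window=timedelta(hours=24),
            known_egress=()):
    """Return (rule, subject, detail) findings. `known_egress` lists
    corporate NAT/office IPs that legitimately serve many accounts."""
    allow = {ipaddress.ip_address(a) for a in known_egress}
    findings = []

    # Rule 1: one source IP authenticating several distinct accounts within
    # `window` (laptop farm / shared proxy indicator).
    by_ip = defaultdict(list)
    for e in events:
        if e["ip"] not in allow:
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            accounts = {x["account"] for x in evs[i:]
                        if x["ts"] - first["ts"] <= window}
            if len(accounts) >= min_shared_accounts:
                findings.append(("shared_source_ip", str(ip), sorted(accounts)))
                break

    for e in events:
        # Rule 2: login geography disagrees with the declared work location.
        cc = country_of(e["ip"])
        if cc is not None and cc != e["declared"]:
            findings.append(("country_mismatch", e["account"],
                             f"{e['ip']} in {cc}, declared {e['declared']}"))
        # Rule 3: egress from a hosting/VPS range rather than a residential
        # or corporate network.
        if is_hosting(e["ip"]):
            findings.append(("hosting_egress", e["account"], str(e["ip"])))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in analyze(parse_log(SAMPLE_LOG)):
        print(f"{rule:18} {subject:15} {detail}")
```

On the sample, the three accounts sharing 203.0.113.7, jdoe's login from a CN address, and mchen's login from the hosting range are each flagged. These are indicators, not proof: a shared office NAT or a traveling employee trips the same rules, which is why the allowlist exists and why a finding should trigger an identity re-verification step rather than an automatic account action.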
Continuous Verification
Government advisories have been consistent on a central weakness: hiring practices over-rely on document verification at onboarding. Once checked, identity is rarely revisited.
The threat does not end at hiring. The employment relationship itself is where the scheme operates. A worker who passed every check on day one is still operating inside the organization months later, with the same access and the same assumed trust.
Continuous verification shifts identity from a one time credentialing event to an ongoing confirmation process. Instead of assuming that identity remains valid, organizations periodically confirm that the person performing the work is the person who was hired. This closes the gap left by static controls and addresses the structural weakness these schemes exploit.
Immediate Actions for Organizations
Audit remote work policies for over-reliance on one-time document verification
Introduce identity checkpoints beyond onboarding
Assess whether tooling provides visibility into actual device operators
Review whether existing processes would detect identity swaps
Solutions like Polyguard are designed to operationalize continuous verification across remote workforces without creating friction for legitimate employees.
The operation on the other side of the hiring process is state-backed, patient, and structurally organized. A verification posture designed for a different threat model is not a match for that reality. Closing the gap is not simply a security enhancement. It is an overdue adjustment to how remote hiring risk is managed.
Sources: U.S. Department of State / Treasury / FBI Advisory on DPRK IT Workers (May 2022); U.S. Treasury OFAC Sanctions Action on DPRK Cyber and IT Worker Activities (May 2023)
Frequently Asked Questions
- Unlikely. These schemes are built to pass onboarding. Forged or stolen identities are prepared before the application process begins, so interviews and background checks appear legitimate.
- Serious. Even unintentional hiring can have significant financial consequences. A single incident can cost a mid-sized company tens of millions of dollars.
- Background checks verify the identity, not the person. If the identity belongs to a real person and was stolen, the check comes back clean.
- NFC passport scanning is the gold standard, because the chip data is digitally signed by the issuing state, so a forged or edited document image does not pass that check. Where that is not possible, a driver's license paired with device attestation and GPS location raises the bar considerably.
- These schemes are designed to appear legitimate under standard controls. The practical response is to introduce continuous verification so identity trust is assessed over time rather than assumed from onboarding.
- Deepfake detection tools can be used in video interviews, but their effectiveness varies and they should not be treated as a primary identity control. Some approaches require analyzing or recording calls, which organizations should assess against their own privacy and risk policies.
- That is a red flag. Government guidance notes that DPRK IT workers frequently avoid live video. If identity cannot be verified, access should not be granted.
- Not a problem. Polyguard supports over 12,000 government-issued IDs, including driver's licenses, paired with additional verification layers.
- No. It is free for candidates to download and use.