
It all started back in July 2024, when cybersecurity vendor KnowBe4 began to notice some suspicious activity from a new hire. This individual started manipulating potentially harmful files and even tried to run unauthorized software.
The jig was up! He was found to be a North Korean worker who had tricked the firm’s HR team into giving him a remote job. What's wild is that he managed to pass four video conference interviews, as well as a background and pre-hiring check.
This incident just goes to show that no organization is immune from the risk of accidentally hiring a "saboteur". Identity-based threats aren’t just limited to stolen passwords or account takeovers anymore; they extend to the very people joining your workforce. And as AI gets better at faking reality, it’s seriously time to level up our hiring processes.
How big is this problem?
You might be shocked at just how widespread this threat is. It’s been ongoing since at least April 2017, according to an FBI wanted poster.
ESET Research tracks this activity as "WageMole," which overlaps with groups other researchers call UNC5267 and Jasper Sleet.
According to Microsoft, the US government found that over 300 companies (including some in the Fortune 500) were victimized this way between 2020 and 2022 alone. Microsoft even had to suspend 3,000 Outlook and Hotmail accounts created by these North Korean jobseekers.
And there's more: A US indictment charged two North Koreans and three "facilitators" with making over $860,000 from 10 of the 60+ companies they worked at.
But this isn't just a US problem. ESET researchers warned that the focus has recently shifted to Europe, including France, Poland, and Ukraine. Meanwhile, Google has warned that UK companies are also being targeted.
How do they do it?
It's believed that thousands of North Korean workers may have found jobs this way.
They create or steal identities matching the target company's location, then open email accounts, social media profiles, and fake accounts on platforms like GitHub to look legitimate.
During the interview process, they might use deepfake images and video, or even face-swapping and voice-changing software, to disguise their identity or create a synthetic one.
ESET researchers also found that the WageMole group is linked to another North Korean campaign called "DeceptiveDevelopment". This one focuses on tricking Western developers into applying for jobs that don't exist. The scammers ask the victim to do a coding challenge, but the project they download actually contains trojanized code.
WageMole then steals these developer identities to use in its fake worker schemes.
The key to this whole scam lies with foreign "facilitators." These people help by:
- Creating accounts on freelance job websites
- Creating bank accounts, or lending the North Korean worker their own
- Buying mobile numbers or SIM cards
- Helping to validate the worker’s fraudulent identity during employment verification
Once the fake worker is "hired," these facilitators take delivery of the corporate laptop and set it up in a "laptop farm" located in the hiring company’s country. The real North Korean IT worker then uses VPNs, proxy services, remote monitoring and management (RMM) software, or virtual private servers (VPS) to hide their true location.
The impact on duped organizations could be massive. Not only are they unwittingly paying workers from a heavily sanctioned country, but these same "employees" often get privileged access to critical systems.
It’s basically an open invitation to steal sensitive data or even hold the company to ransom.
How to Spot – and Stop – Them
Unknowingly funding a pariah state’s nuclear ambitions is about as bad as it gets for reputational damage, not to mention the financial exposure to a breach.
So how can your organization avoid becoming the next victim?
1. Identify fake workers during the hiring process
- Check their digital profile: Look at social media and other accounts for similarities with other people whose identity they might have stolen. (They also might set up multiple fake profiles to apply under different names.)
- Look for mismatches: A "senior developer" with generic code repositories or recently created accounts should raise a red flag.
- Verify their identity: Ensure they have a legitimate, unique phone number and check their resume for inconsistencies. Verify that listed companies actually exist. Contact references directly (by phone or video), and pay special attention to any employees of staffing companies.
- Insist on video interviews: Since many applicants may use deepfake audio, video, and images, insist on video interviews and do them multiple times.
- Spot the deepfake: During the interviews, consider any claim of a "malfunctioning camera" to be a major warning sign. Ask the candidate to turn off background filters to get a better shot at identifying a deepfake. (Look for giveaways like visual glitches, stiff facial expressions, or lip movements that don’t sync with the audio).
- Ask location-based questions: Ask them about the culture where they "live" or "work," concerning things like local foods or sports.
2. Monitor employees for potentially suspicious activity
- Watch for red flags: Be alert to things like Chinese phone numbers, the immediate download of RMM software onto a new laptop, or work being done outside of normal office hours.
- Check IPs: If the laptop authenticates from Chinese or Russian IP addresses, that should also be investigated.
- Track behavior: Keep tabs on employee behavior and system access patterns, like unusual logins, large file transfers, or changes in working hours.
- Focus on "intent": Look for context, not just alerts. The difference between a mistake and malicious activity could be the intent.
- Use the right tools: Use insider threat tools to monitor for anomalous activity.
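As an added example (not code from the original article or from ESET), the following Python scores constructed endpoint telemetry for new hires against the red flags listed in this section: RMM software installed on day one, authentication from Chinese or Russian IP space, off-hours activity, and large uploads. The RMM watch-list, office hours, upload threshold, hire dates and sample events are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry (not real data): user, event, detail, local timestamp.
# Event kinds: "auth" (detail = source-IP country code), "install" (detail = software name),
# "upload" (detail = MB transferred). Timestamps are assumed to be in the employee's claimed local time.
SAMPLE_EVENTS = [
    ("jdoe", "auth", "US", "2024-07-15T09:05:00"),
    ("jdoe", "install", "Visual Studio Code", "2024-07-15T09:30:00"),
    ("jdoe", "upload", "12", "2024-07-16T15:00:00"),
    ("newhire", "auth", "US", "2024-07-15T08:50:00"),
    ("newhire", "install", "AnyDesk", "2024-07-15T09:02:00"),
    ("newhire", "auth", "CN", "2024-07-16T03:12:00"),
    ("newhire", "upload", "900", "2024-07-16T03:40:00"),
]
HIRE_DATES = {"jdoe": "2024-07-15", "newhire": "2024-07-15"}  # constructed onboarding dates

RMM_TOOLS = {"anydesk", "teamviewer", "rustdesk", "connectwise control"}  # assumed watch-list
WATCH_COUNTRIES = {"CN", "RU"}          # the article's examples of suspicious auth sources
OFFICE_HOURS = range(8, 19)             # assumed 08:00-18:59 local
LARGE_UPLOAD_MB = 500                   # assumed threshold for a "large file transfer"
RMM_WINDOW = timedelta(days=1)          # "immediate" download = within the first day


def flags_for_user(user, events, hire_date):
    """Return the set of red flags raised by one user's events."""
    flags = set()
    start = datetime.fromisoformat(hire_date)
    for who, kind, detail, ts in events:
        if who != user:
            continue
        when = datetime.fromisoformat(ts)
        if when.hour not in OFFICE_HOURS:
            flags.add("off_hours_activity")
        if kind == "auth" and detail in WATCH_COUNTRIES:
            flags.add(f"auth_from_{detail}")
        elif kind == "install" and detail.lower() in RMM_TOOLS and when - start <= RMM_WINDOW:
            flags.add("rmm_installed_on_day_one")
        elif kind == "upload" and int(detail) >= LARGE_UPLOAD_MB:
            flags.add("large_upload")
    return flags


def triage(events, hire_dates):
    """Map every user to their flags; users with two or more flags go to the quiet-review list."""
    report = {u: flags_for_user(u, events, d) for u, d in hire_dates.items()}
    review = sorted(u for u, f in report.items() if len(f) >= 2)
    return report, review


if __name__ == "__main__":
    report, review = triage(SAMPLE_EVENTS, HIRE_DATES)
    for user, flags in report.items():
        print(user, sorted(flags) or "no flags")
    print("escalate for quiet review:", review)
```

Requiring two independent flags before escalation is what keeps a single late-night login from generating noise; the context the article calls "intent" is added by a human reviewing the combined picture.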
3. Contain the threat
- Don't tip them off: If you think you've identified a North Korean worker, tread carefully at first to avoid tipping them off.
- Quietly limit access: Limit their access to sensitive resources and review their network activity. Keep this project to a small, trusted group from IT security, HR, and legal.
- Preserve evidence: Preserve evidence and report the incident to law enforcement, while also seeking legal advice.
When the dust has settled, it’s also a good idea to update your cybersecurity awareness training programs. And make sure that all employees, especially IT hiring managers and HR staff, understand the red flags to watch out for.
Threat actor tactics are evolving all the time, so this advice will also need to change periodically. The best approaches combine human know-how and technical controls. Make sure you cover all your bases.