North Korean Spies Posing as Remote Workers Infiltrate Hundreds of Companies, CrowdStrike Reveals

Security researchers at CrowdStrike have identified a significant surge in North Korean operatives infiltrating Western companies by posing as remote IT workers, a scheme aimed at generating funds for the regime.

According to CrowdStrike’s latest threat-hunting report, the cybersecurity firm has documented over 320 incidents in the past 12 months where North Koreans gained fraudulent employment at Western companies, often working remotely as developers. This represents a substantial 220% increase compared to the previous year.

These operations rely on North Koreans adopting false identities, fabricating resumes, and creating misleading work histories to secure legitimate-seeming employment. The dual purpose of these infiltrations is to generate revenue for North Korea’s sanctioned nuclear weapons program, which has reportedly amassed billions of dollars, and to facilitate the theft of sensitive data from the compromised companies, which can then be used for extortion.

While the exact number remains unconfirmed, estimates suggest thousands of North Korean IT workers may currently be employed by unsuspecting U.S. companies.

CrowdStrike identifies these malicious actors under the moniker “Famous Chollima.” The report highlights the increasing reliance of these operatives on advanced tools, including generative AI and other AI-powered technologies, to craft convincing resumes and even alter their appearance through “deepfake” techniques during remote interviews.

Although this fraudulent employment scheme is not new, North Korean actors are reportedly experiencing greater success in securing positions, despite international sanctions that prohibit U.S. companies from hiring North Korean nationals.

To combat this threat, CrowdStrike suggests implementing more robust identity verification processes during the hiring phase. Anecdotal reports indicate some cryptocurrency-focused firms are employing unconventional vetting methods, such as asking candidates to make critical statements about North Korea’s leader, Kim Jong Un, as a way to expose potential spies who would be unable to comply under duress.

The U.S. Department of Justice has actively worked to disrupt these operations over the past year, focusing on the U.S.-based facilitators who manage these schemes for their North Korean superiors. Enforcement actions have targeted individuals orchestrating “laptop farm” operations, which involve extensive setups of open laptops used by North Koreans to perform their remote work, creating the illusion of being physically present in the United States.

Illustrating the scale of these efforts, a June indictment revealed that one particular North Korean operation illicitly used the identities of 80 individuals in the U.S. between 2021 and 2024, successfully obtaining remote work positions at more than 100 U.S. companies.

© 2025 Proaitools. All rights reserved.