North Korea's fraudulent IT worker schemes have expanded to target nearly every industry that hires remote employees, according to researchers at Okta.
Widespread Threat Beyond Tech and US
While public reporting has primarily focused on DPRK nationals targeting software development roles at major US technology companies, our analysis shows that this threat is not limited to the tech sector, nor the US. North Korean IT Workers (ITW) now pose a real threat to a wide range of industries. Impacted industries include finance, healthcare, public administration, and professional services across a growing number of countries. This widespread scheme aims to gain illicit employment and — in some cases — steal sensitive data.
Scale of the Operation
Okta has observed North Korean operators attempting to obtain remote employment at thousands of companies. Half of these companies were in non-tech industries, such as finance, healthcare, public administration, and professional services. Using a combination of internal and external data sources, Okta Threat Intelligence tracked over 130 identities operated by facilitators and workers participating in the DPRK ITW scheme. We linked these actors to over 6,500 initial job interviews across more than 5,000 distinct companies up until mid-2025.
Success and Expansion
The report notes that Pyongyang's expansion of these activities indicates that the operations have been successful and lucrative enough to warrant additional effort. Okta Threat Intelligence observed examples of DPRK-linked actors progressing through multiple interviews for the same roles. While we are not privy to every organization's hiring and onboarding processes, evidence of post-onboarding corporate activities was observed in multiple organizations across different verticals, supporting the theory that a broad, 'scatter-gun' approach to job application and interviewing has been successful enough to make it a worthwhile endeavour for the DPRK regime to continue and expand.
Essential Awareness and Actions
The researchers conclude, "It's essential that organizations in all industry sectors and countries are made aware that DPRK-linked actors have applied or are likely to apply for advertised remote technical roles and to implement the crucial extra steps required to make their organization a harder target."
Comments
Join Our Community
Sign up to share your thoughts, engage with others, and become part of our growing community.
No comments yet
Be the first to share your thoughts and start the conversation!