During the past few years, operatives associated with the Democratic People’s Republic of Korea (North Korea or the DPRK) have reportedly infiltrated hundreds of U.S. companies by fraudulently posing as legitimate remote IT workers. The perpetrators, together with accomplices across multiple jurisdictions (including inside the U.S.), funnel wages back to North Korea in violation of economic sanctions, and in many cases steal company data, source code, and trade secrets. In a smaller subset of cases, after being discovered and terminated, perpetrators have released, or threatened to release, sensitive company data and attempted to extort ransom payments.

This advisory summarizes recent trends involving fraudulent remote employees, discusses the legal implications of being infiltrated by DPRK-associated individuals, and describes best practices for companies seeking to avoid the negative impacts of these schemes.

How the Scheme Works

The perpetrators of the scheme, including DPRK operatives as well as would-be copycats from other jurisdictions, seek and obtain jobs from legitimate companies, especially those who allow full-time remote work. The perpetrators build fraudulent professional personas using, among other things, stolen identity documents, AI-generated content, and deepfake technology during video interviews. They create convincing LinkedIn and GitHub profiles, and tailor resumes to match hiring companies’ locations by pairing local addresses with foreign university degrees that can be difficult to verify. This approach works across borders; operatives targeting U.S. companies use U.S. addresses and Social Security numbers while those targeting European or Asia-Pacific companies adapt their credentials accordingly.[1]

The scheme is facilitated by subjects in the target country (e.g., U.S., UK, Canada, Australia, or EU nations), who assist “job applicants” and then facilitate remote access to employer-issued devices which have been delivered to “local” addresses. These addresses are sometimes aligned with the residential addresses provided on their job applications. However, in many cases, the perpetrators ask that employer-issued devices be delivered to a “new” or “temporary” address. In any case, the employer-issued devices are not delivered to a legitimate address; they are instead delivered to “laptop farms” that can host dozens of devices simultaneously. The operators of these laptop farms may help the perpetrators bypass standard location-based verification processes and network monitoring commonly used by employers worldwide.

These operations run at industrial scale. The perpetrators submit hundreds of applications daily across freelance platforms, full-time job sites, and company career pages. AI tools have dramatically increased application volume while lowering the technical threshold for sophisticated implementations. U.S.-based intelligence reporting indicates operatives use AI to generate tailored resumes and cover letters, translate job descriptions and interview questions in real-time, complete coding challenges and technical assessments beyond their actual capabilities, and automate application submissions across multiple platforms. When a fabricated profile is exposed or terminated, the operative abandons it and uses AI tools to generate a new persona, quickly reentering the labor market; because identities are disposable, losing one does little to impede the operation.[2]

The perpetrators of the scheme do not always engage in malicious cyber activity, or at least may not do so initially. In some cases, they simply perform their assigned duties and collect the resulting salaries, while remaining embedded in the organization. We are even aware of instances in which the fraudulent “employees” have been productive or exemplary in their roles. However, after getting hired and gaining access, the perpetrators do have the opportunity to move laterally to escalate privileges, obtain developer and repository access, and harvest secrets and tokens that enable persistent footholds. Such perpetrators pose a serious risk to employers and, in many cases, have exfiltrated source code, database snapshots, cloud storage artifacts in bulk, and other highly sensitive company information.

How the Scheme Is Discovered

The “successful” DPRK operative may avoid detection and continue their employment for months before being detected by vigilant coworkers, automated security tools, or even federal law enforcement. The fastest detections are often the product of automated security monitoring; for example, security providers who monitor threat intelligence may identify IP addresses associated with a recently identified laptop farm. However, detection can also be the product of managers, HR, or security professionals who notice that the fraudulent employee fails to appear on video for an extended period of time or appears on video with inconsistencies or glitches. In some cases, the scheme is first detected by federal law enforcement agencies that identify a stolen identity or fraudulent bank account and then affirmatively contact the victim company.

Post-Discovery Extortion

When a DPRK operative’s fraudulent identity is identified, they sometimes pivot from payroll fraud to extortion. Upon discovery, operatives weaponize stolen assets or access by threatening public disclosure, selling stolen code or data on illicit markets, or combining leaks with regulatory or reputational threats to coerce a “severance” payment. There is also the inherent risk that such information could be used for more strategic reasons by the DPRK, raising potential national security concerns. 

In the extortion scheme, facilitators receive salary payments or stolen proceeds in local accounts, convert those funds into digital currency, and move them through multiple services to frustrate tracing. A common flow is salary or stolen funds to facilitator accounts, conversion to crypto, routing through mixers and bridges, brief use of intermediary exchanges, and final consolidation at addresses linked to North Korea. The transfers and conversions are designed to obscure the money trail and make it difficult for financial institutions and compliance teams to detect or block the transfers. Recent enforcement actions have targeted some of these services, but gaps remain where facilitators and opaque intermediaries operate.

How to Respond to Suspected Fraudulent Employees

A company that suspects it has employed a DPRK operative must take prompt action to mitigate the critical operational, reputational, and legal risks of such an incident, including:

Immediately revoke the employee’s access to company devices and systems.
Determine and implement appropriate employment actions based on the available information, including suspension pending an investigation, or termination if warranted.
Promptly investigate the employee’s claimed identity and assess the nature and scope of the employee’s access to company systems and data.
Design the investigation to detect suspicious or malicious activity; uncover any unauthorized access to, or exfiltration of, company data; and address any security vulnerabilities introduced by the employee.
If resources allow, conduct the investigation at the direction of legal counsel and with support from an external forensic firm.

Legal Risks and Considerations

DPRK-affiliated operatives hired into roles under false pretenses pose significant employment, privacy and cybersecurity, and sanctions risks to companies in the U.S. and elsewhere.

Privacy and Cybersecurity Considerations

The immediate cybersecurity concerns after the discovery of a DPRK-affiliated (or other fraudulent) employee are to revoke the employee’s access, to ensure that the company’s systems are secure, and to ensure that the company conducts an appropriate investigation to assess the nature and scope of the fraudulent employee’s access activities.

The company must also assess potential regulatory and contractual notification obligations, including whether notifications to insurance carriers as well as data breach notifications to customers, individuals, regulators, and other third parties are necessary. The application of these obligations typically depends on the nature and scope of the fraudulent employee’s access—and on whether such employee has leaked company data or made a ransom demand.

As discussed further below, U.S. sanctions laws would prohibit making ransom payments to any DPRK-affiliated individual.

Employment and Intellectual Property Considerations

The hiring of remote workers operating under false or stolen identities raises a range of risks for U.S. employers. For example, employers who unknowingly hire individuals who are not authorized to work in the U.S. may have exposure under federal employment eligibility verification requirements, including compliance with Form I-9 obligations.

Such infiltration also creates serious business risks for U.S. employers, including those associated with the unauthorized access and misappropriation of the company’s sensitive technical data, source code, and other confidential and trade secret information. As such, employers who identify a DPRK-affiliated (or other fraudulent) employee should carefully assess the adequacy of their security measures and system protocols from an intellectual property perspective—especially given that inadequate safeguards could undermine a company’s ability to claim trade secret protection under applicable law if they have failed to take reasonable measures to maintain secrecy of such information.

If an employer’s investigation reveals suspected misrepresentation or unauthorized access by a fraudulent employee or contractor, including but not limited to access by DPRK-affiliated individuals, employers generally have a legitimate non-discriminatory basis to take adverse employment action, including termination. Key considerations include:

At-Will Employment Doctrine: For most U.S. employers, the at-will employment framework permits termination for any lawful, non-discriminatory reason, including concerns about dishonesty, security risks, misappropriation or unauthorized access or use of confidential or trade secret information, and violations of company policy, agreements, or applicable law.

Policy and Agreement Violations: Falsifying identity, location, or work authorization information, or violating company policies or agreements, including proprietary information agreements, regarding system access and acceptable use, are typically considered grounds for termination.

Documentation and Consistency: Employers should carefully document the factual basis for termination, including discrepancies identified and any policy or agreement violations, and ensure consistent application and enforcement regarding such violations across similarly situated employees.

Avoid Discriminatory Inference: Decisions should be grounded in objective evidence (e.g., inconsistent location data, suspicious system activity, and other such information), rather than assumptions tied to nationality or other protected characteristics.

Employers should also be mindful of state and federal law requirements regarding final wages and benefits. Additionally, employers should expect that fraudulent workers may attempt to exploit those laws to seek payments, including any extorted payments. However, any such state and federal law requirements would not preempt the federal sanctions laws discussed below.

Considerations Under U.S. Sanctions Laws

Payments to a DPRK-affiliated individual, even if made unknowingly, are generally prohibited under U.S. economic sanctions regulations. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has the authority to impose civil penalties on U.S. and foreign persons that violate the sanctions regulations on a strict liability basis, regardless of intent. These penalties can include fines, asset freezes, and designation on sanctions lists.

This means that a company which makes payments to a suspected DPRK or other fraudulent remote employee would likely incur significant legal risks under sanctions laws, especially for payments after discovery of the scheme. This would include additional or final paychecks or severance, as well as explicit ransom payments.

In addition to DPRK nationals, OFAC has recently designated individuals and entities that are acting as facilitators, as well as multiple cryptocurrency addresses tied to DPRK fraudulent employee schemes.[3] The facilitators were engaged in a variety of activities, such as currency conversion, the opening of bank accounts, and coordinating financial transactions, underscoring that routine payroll or contractor payments may fall within the scope of prohibited transactions.

Companies that have possession or control over payroll deposits, vendor payments, or other assets linked to DPRK nationals or designated DPRK operatives must freeze or block those assets and follow OFAC reporting procedures. Payments routed through U.S. financial institutions or involving U.S. persons may implicate the Bank Secrecy Act and anti-money laundering (AML) obligations. Financial institutions and other regulated entities may be required to file suspicious activity reports where payroll routing, currency conversion, or on-chain flows exhibit red flags consistent with sanctions evasion. Reporting by financial institutions can implicate the employer and result in outreach from OFAC or other law enforcement officials.

U.S. sanctions operate alongside other country-specific regimes restricting trade, finance, and labor arrangements with the DPRK. Companies with operations in jurisdictions outside the U.S. may face similar exposure under non-U.S. sanctions frameworks.

Beyond regulatory penalties, engaging with DPRK-affiliated workers (or workers from other sanctioned jurisdictions) may trigger insurance exclusions and contractual risks. For example, companies that employ DPRK-affiliated workers may be in breach of sanctions and export control provisions in their customer agreements. Companies should review existing contractual obligations for termination, indemnification, and notification clauses related to sanctions exposure.

Finally, after discovering a suspected DPRK-affiliated or other fraudulent employee, companies should consider whether to voluntarily disclose the issue to OFAC or engage with U.S. law enforcement. U.S. law does not require reporting, but voluntary engagement may mitigate the reputational and potential enforcement risks associated with the scheme, and companies should carefully consider whether the benefits of voluntary engagement would outweigh any risks associated with disclosure of past payments to the former employee.

Before the Breach: How Can Companies Mitigate Risk?

We recommend that companies consider the following measures to reduce the likelihood of an impactful incident involving a DPRK-affiliated or fraudulent employee.

HR and Recruiting

Require live, on-camera video interviews with visual identity verification against government-issued photo ID, where possible and consistent with local employment laws. 
Ask detailed “soft” questions about claimed location, education, and work history that would be difficult to answer from a script (e.g., local landmarks, campus specifics, current weather, or former colleagues).
Contact previous employers and educational institutions directly rather than using applicant-provided contact details.
Audit third-party staffing firms for identity verification practices and require documentation of their screening procedures.
Use E-Verify and ensure Form I-9 compliance for all remote hires.
Implement ongoing security awareness training, including specifically for HR employees, that addresses evolving threat tactics and techniques.
Ensure there are clear policies and agreements, including proprietary information agreements, regarding the use, access, and handling of the company’s sensitive business information, including confidential, proprietary, and trade secret information, and that they are consistently enforced.
Establish clear, accessible protocols for reporting suspicious activity to HR and information security teams, which teams should coordinate on any related investigation and response.
If sending work-related equipment such as a laptop, only send to the address listed on the new hire’s identification documents and obtain additional documentation if the new hire requests items be sent to an unfamiliar address.
Take steps to confirm the legitimacy of any address where the company ships equipment to an employee.

Cybersecurity Measures

Consider moving from one-time pre-employment checks to continuous workforce authentication and cross-functional oversight.
Ensure that hiring and contractor vetting, as well as performance and compliance monitoring of employees, is coordinated across HR, security, and compliance teams.
Implement targeted geolocation-based access controls to deny or challenge connections from IP addresses associated with North Korea and other prohibited jurisdictions such as Iran and Cuba. Risk-averse companies may also want to block other high-risk jurisdictions (e.g., Russia, China).
Enforce the principle of least privilege.[4]
Consider disabling local administrator accounts and restricting permissions to install unauthorized software.
Monitor your network and computers for any remote management software and set up immediate alerts if unapproved tools (for example, commercial remote desktop software) are installed or used, if there are suspicious or large downloads of information, or if there are attempts to transfer information to outside accounts or devices.
Establish security protocols and protections for company equipment, including limiting or prohibiting the connection of external devices such as thumb drives, external hard drives, or other storage devices.
Deploy endpoint detection and response (EDR) agents on devices.
Maintain logs and establish alerts on anomalous access patterns, multiple logins from geographically impossible locations, unusual working hours, or rapid IP address changes.
Implement restrictions on bring your own device (BYOD) access for roles involving sensitive systems or code. If BYOD is necessary, implement and enforce mobile device management (MDM) and endpoint monitoring.
Maintain the capability to immediately isolate suspect accounts and devices to reduce dwell time and limit the scope of insider-enabled breaches.
Consider establishing a relationship with local federal law enforcement resources to facilitate formal reporting and informal information sharing.
Create plans and procedures addressing insider threat or access incidents and rehearse response functions and activities.
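The alerting items above (geographically impossible logins and rapid IP address changes) are easy to state and worth seeing as working detection logic. The following is an added illustration, not code from the advisory or its authors: the IP-to-location table stands in for a real GeoIP lookup, and the login log lines are constructed sample data.

```python
"""Flag two of the access-log anomalies named in the checklist:
logins from geographically impossible locations and rapid IP churn."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed lookup standing in for a GeoIP database (assumption):
# ip -> (country, latitude, longitude)
GEO = {
    "198.51.100.7": ("US", 40.71, -74.01),   # New York
    "198.51.100.8": ("US", 40.73, -73.99),   # New York, second address
    "203.0.113.9": ("US", 37.77, -122.42),   # San Francisco
    "192.0.2.44": ("SG", 1.35, 103.82),      # Singapore
}

MAX_SPEED_KMH = 900            # faster than an airliner => impossible travel
IP_CHURN_WINDOW = timedelta(hours=1)
IP_CHURN_LIMIT = 3             # distinct IPs inside one window triggers an alert

# Constructed log lines: "<timestamp> user=<id> ip=<addr> result=success"
LOG_LINES = [
    "2025-03-03T09:00:00 user=dev42 ip=198.51.100.7 result=success",
    "2025-03-03T09:20:00 user=dev42 ip=192.0.2.44 result=success",
    "2025-03-03T09:30:00 user=dev42 ip=203.0.113.9 result=success",
    "2025-03-03T09:45:00 user=dev42 ip=198.51.100.8 result=success",
    "2025-03-03T08:00:00 user=ops07 ip=198.51.100.7 result=success",
    "2025-03-03T17:00:00 user=ops07 ip=198.51.100.8 result=success",
]


def parse(line):
    """Split one log line into (timestamp, user, ip)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["ip"]


def haversine_km(a, b):
    """Great-circle distance between two GEO entries, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a[1], a[2], b[1], b[2]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def find_anomalies(lines):
    """Return (user, kind, detail) alerts for impossible travel and IP churn."""
    events = defaultdict(list)
    for line in lines:
        ts, user, ip = parse(line)
        events[user].append((ts, ip))
    alerts = []
    for user, evs in events.items():
        evs.sort()
        # Impossible travel: implied speed between consecutive logins.
        for (t0, ip0), (t1, ip1) in zip(evs, evs[1:]):
            if ip0 == ip1 or ip0 not in GEO or ip1 not in GEO:
                continue
            hours = (t1 - t0).total_seconds() / 3600
            dist = haversine_km(GEO[ip0], GEO[ip1])
            if hours > 0 and dist / hours > MAX_SPEED_KMH:
                alerts.append((user, "impossible_travel",
                               f"{ip0}->{ip1}: {dist:.0f} km in {hours:.2f} h"))
        # Rapid IP change: distinct IPs inside any one-hour window.
        for i, (t0, _) in enumerate(evs):
            ips = {ip for t, ip in evs[i:] if t - t0 <= IP_CHURN_WINDOW}
            if len(ips) >= IP_CHURN_LIMIT:
                alerts.append((user, "rapid_ip_change",
                               f"{len(ips)} IPs within 1 h of {t0.isoformat()}"))
                break
    return alerts
```

A real deployment would feed the same logic from the identity provider's sign-in log and a maintained GeoIP source; the thresholds here are deliberately conservative so that ordinary VPN or office moves do not alert.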

Sanctions Compliance

Implement sanctions screening for all vendors, contractors, and freelancers before engagement using a sanctions screening service or publicly available OFAC, UK, and EU sanctions lists. Checks against these lists can identify obvious name matches and create a documented compliance effort.
Establish a checklist of red flags such as mismatched locations between stated residence and IP addresses, requests for payment to third parties or unrelated jurisdictions, use of virtual private networks to obscure location, or reluctance to participate in video calls. Escalate engagements exhibiting multiple red flags for additional review.
Provide sanctions awareness training to procurement, finance, and HR teams who engage contractors, covering DPRK-specific risks, red flags, and escalation procedures. Training does not need to be extensive but should ensure that front-line employees understand when to escalate concerns.
Require all remote workers and contractors to use specific geographically-based bank accounts. Some jurisdictions have stricter identity verification and AML/KYC protocols, making them harder for DPRK actors to exploit.
Prohibit salary or contract payments in virtual currency.
Regularly compare payment account details across the entire workforce. Flag and investigate any instances where multiple employees share the same banking information or use identical documentation to establish accounts.
Monitor for frequent changes in an employee’s bank account information, which may indicate their previous accounts were closed by financial institutions due to compliance concerns.
Require manual review and enhanced due diligence before sending payroll or contractor payments to accounts or intermediaries flagged as high-risk or located in jurisdictions commonly used by facilitators.
Consult outside legal counsel on disclosure obligations if an incident is detected.
If a terminated employee sends extortionate communications, immediately engage incident response counsel. Do not pay ransoms (even under the guise of “severance” or “final paychecks”) without legal guidance.
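Several of the red flags above (mismatched residence and login location, multiple workers sharing one bank account, frequent account changes) lend themselves to a periodic payroll check. The following is an added illustration, not code from the advisory: the worker records and account-change history are constructed, and the login country is assumed to come from an IP lookup performed elsewhere.

```python
"""Score payroll red flags per worker and escalate those with several."""
from collections import defaultdict
from datetime import date

CHANGE_WINDOW_DAYS = 90   # look-back for "frequent" bank account changes
CHANGE_LIMIT = 2          # more changes than this inside the window is a flag
ESCALATE_AT = 2           # "multiple red flags" => enhanced review

# Constructed worker records (assumed fields): stated residence, the
# country their logins geolocate to, and the current payroll account.
WORKERS = [
    {"id": "w1", "residence": "US", "login_country": "US", "account": "acct-111"},
    {"id": "w2", "residence": "US", "login_country": "US", "account": "acct-111"},
    {"id": "w3", "residence": "US", "login_country": "SG", "account": "acct-333"},
    {"id": "w4", "residence": "CA", "login_country": "CA", "account": "acct-444"},
]

# Constructed account-change history: (worker id, change date, new account)
ACCOUNT_CHANGES = [
    ("w3", date(2025, 1, 5), "acct-300"),
    ("w3", date(2025, 2, 10), "acct-310"),
    ("w3", date(2025, 3, 1), "acct-333"),
    ("w4", date(2024, 6, 1), "acct-444"),
]


def shared_accounts(workers):
    """Accounts used by more than one worker -> list of worker ids."""
    by_acct = defaultdict(list)
    for w in workers:
        by_acct[w["account"]].append(w["id"])
    return {acct: ids for acct, ids in by_acct.items() if len(ids) > 1}


def frequent_changers(changes, window_days=CHANGE_WINDOW_DAYS, limit=CHANGE_LIMIT):
    """Workers with more than `limit` account changes in any window."""
    by_worker = defaultdict(list)
    for wid, day, _ in changes:
        by_worker[wid].append(day)
    flagged = set()
    for wid, days in by_worker.items():
        days.sort()
        for i, start in enumerate(days):
            in_window = sum(1 for d in days[i:] if (d - start).days <= window_days)
            if in_window > limit:
                flagged.add(wid)
                break
    return flagged


def location_mismatches(workers):
    """Workers whose login country differs from their stated residence."""
    return {w["id"] for w in workers if w["residence"] != w["login_country"]}


def red_flag_report(workers, changes):
    """Number of distinct red flags raised for each worker."""
    score = defaultdict(int)
    for ids in shared_accounts(workers).values():
        for wid in ids:
            score[wid] += 1
    for wid in frequent_changers(changes):
        score[wid] += 1
    for wid in location_mismatches(workers):
        score[wid] += 1
    return dict(score)


def escalate(report, threshold=ESCALATE_AT):
    """Workers whose flag count reaches the escalation threshold."""
    return {wid for wid, n in report.items() if n >= threshold}
```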

Given the complicated nature of these schemes and the need to take steps that are consistent with applicable law, employers are encouraged to work with outside counsel to ensure that they have proactive measures in place, as well as to address the possibility of being a target of such a scheme.

Please reach out to Demian Ahn, Jason Storck, Jahna Hartwig, or any member of Wilson Sonsini’s Employment Litigation, National Security and Trade, or Data, Privacy, and Cybersecurity practices with any questions regarding suspected DPRK or other fraudulent remote employee schemes.

[1] This alert incorporates information from multiple sources including the U.S. Department of Justice’s 2024 DPRK IT‑worker disruption announcement; the U.S. Department of State’s 2026 fact sheet on DPRK sanctions evasion and cyber/IT‑worker activity; the Multilateral Sanctions Monitoring Team’s 2025 report on DPRK cyber and sanctions‑evasion networks; and the FBI IC3’s 2024 and 2025 public advisories on DPRK IT‑worker fraud schemes.

[2] The description of the scheme, as well as the associated tactics, techniques, and procedures, is informed by multiple U.S. commercial and open‑source intelligence products. These sources encompass Flare.io’s assessment of DPRK infiltrator tradecraft; the UK OFSI advisory on North Korean IT‑worker activity; the 2026 Annual Threat Assessment of the U.S. Intelligence Community; reporting from Google Cloud Threat Intelligence on DPRK IT‑worker methodologies; and research by Unit 42 examining North Korean IT‑worker networks and related cyber‑enabled operations.

[3] See U.S. Department of the Treasury, Press Release: Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses (Mar. 12, 2026) (https://home.treasury.gov/news/press-releases/sb0416).

[4] The principle of least privilege refers to the security practice of granting users, systems, and processes only the minimum access rights necessary to perform their authorized functions, thereby reducing the risk of misuse, compromise, or unauthorized activity.