Researchers at IBM X‑Force and Flare Research have uncovered data that sheds light on how North Korea's fake IT worker schemes operate and infiltrate companies in order to funnel money back to the regime and steal sensitive information.
In a published report, "Inside the North Korean infiltrator threat," the pair detail evidence of the top-level infrastructure used to manage the operations, how workers apply for and secure IT roles, and mitigation strategies businesses can use to avoid falling victim.
The threat of North Korean nationals operating as remote IT contractors or full-time technology staff inside unsuspecting companies has come to light over the past several years, yet the report says security experts are only starting to realize the scale and sophistication of the operation.
It cites information from the US Government that these IT workers can earn more than $300,000 a year, and upwards of 100,000 North Koreans are spread across 40 countries generating approximately $500 million a year for Pyongyang.
The researchers found documents and spreadsheets revealing the roles within the fake IT worker ecosystem, comprising recruiters, facilitators, IT workers and collaborators/brokers.
Recruiters are, like bona fide recruitment staff, responsible for screening potential IT staff and recording interviews. The recordings are sent to facilitators, who decide whether to accept or deny the candidates for employment, much like a hiring manager.
However, it is unclear whether many candidates realize they are being recruited to work for the Norks. Recruiters may tell them the company they are applying to is an "early-stage stealth startup" with no published corporate information, often using the name "C Digital LLC."
Candidates are mentored in applying for employment at western-based companies and given a US-based identity to use.
Facilitators and IT workers are the most important roles within the system. They are expected to have experience in full stack web app development, .NET and WordPress. Collaborators are Westerners who provide their identities for use in the IT worker fraud scheme, and may assist in other ways.
Timesheets found by the researchers detail hours worked on "Bids" and "Msg" by the fake workers, where "Bids" is how many bids in a day they made on freelancing sites such as Upwork, and "Msg" likely refers to how many messages or connections a worker made on Upwork, LinkedIn, or Freelancer.