North Korean IT workers infiltrate Western remote jobs
Flare and IBM X-Force have published joint research mapping infrastructure and working practices tied to North Korean IT workers who secure remote roles at overseas companies.
The report, Inside the North Korean Infiltrator Threat, describes repeatable processes spanning job searches, hiring, and day-to-day work. It focuses on activity in North America and Western Europe and lists indicators organisations can use during recruitment and after onboarding.
Law enforcement scrutiny has increased over the past year, with multiple indictments highlighting remote employment as a source of income for the North Korean state. The research frames this as part of a broader strategy to place skilled workers abroad and collect salaries through access to foreign firms.
Flare says the findings draw on proprietary threat intelligence and recovered internal operational records. The material includes timesheets, training documents, screening records, and internal systems that appear to show how workers and facilitators manage devices, applications, and ongoing employment.
Internal systems
A central claim concerns two internal platforms identified as "RB Site" and "NetkeyRegister". According to the report, the systems act as dashboards for tracking work, registering devices, and distributing software. Their use suggests a centrally organised operation rather than ad hoc freelancing.
The research also describes a multi-role structure, separating recruiters, facilitators, IT workers, and collaborators or brokers. It outlines responsibilities ranging from sourcing roles and managing identities to maintaining access after employment begins.
Western intermediaries
One key finding is the use of Western collaborators. Operatives reportedly recruit people via services such as LinkedIn or GitHub. These collaborators provide identity details, receive company laptops, and complete hiring paperwork.
Researchers say intermediaries reduce friction during identity checks and can help remote workers stay in role for longer periods.
The report also challenges a common assumption about the labour model, arguing that North Korean IT workers often operate as full-time remote professionals. It describes standard working hours and daily responsibilities, rather than work that is purely transactional or sporadic.
Daily workflow
Internal timesheets and training materials provide insight into daily routines, according to the research. The report describes workers tracking job applications and managing freelance bids, alongside coaching on how to secure remote roles through a structured process that can be repeated across identities.
Communication habits appear as another operational marker. The report notes the use of IP Messenger for internal chat and frequent reliance on Google Translate. It says workers often draft messages in English, then translate them back into Korean to check accuracy.
Financial gain sits at the centre of the activity described. While the research notes that some teams have engaged in data theft or other malicious actions, it argues the primary objective is steady revenue from remote employment. That emphasis can complicate risk assessment, as workers may appear productive and responsive day to day.
The report also argues the activity spans multiple entities connected to the North Korean state, with teams operating across state bodies, party organisations, and front companies. It says this structure makes attribution and disruption more difficult because operations do not rely on a single unit.
Mitigation steps
Alongside threat intelligence, the report lists mitigation measures for employers. It points to identity verification as a first line of defence and recommends scrutinising inconsistencies across CVs, interviews, and work history. It also flags signs of proxy attendance during interviews and potential manipulation using AI tools.
For organisations hiring remote staff, it recommends live interaction and in-person checks where practical. It also calls for ongoing engagement with remote employees after hiring as an operational check that reduces the scope for substitution by intermediaries.
Post-hire controls include monitoring for behavioural anomalies and unusual remote-access patterns. The report highlights suspicious VPN use and remote-access tools, and recommends watching for software linked to North Korean operations while maintaining routine oversight of remote workers.
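The post-hire monitoring described above can be sketched as a small triage routine. This is an added example, not code from the Flare and IBM X-Force report: the telemetry records are constructed, the process names and the remote-access watchlist are assumptions (the article names no specific remote-access tools), and 2425 is IP Messenger's default port.

```python
from collections import defaultdict

# Indicator named in the article: IP Messenger used for internal chat.
# 2425 is the tool's default port; the process names are assumptions.
IPMSG_PROCS = {"ipmsg.exe", "ipmsg"}
IPMSG_PORT = 2425
# Assumed site watchlist of common remote-access tools (not from the report).
REMOTE_ACCESS_PROCS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Constructed endpoint telemetry for company laptops (sample data only).
EVENTS = [
    {"host": "LT-0412", "process": "ipmsg.exe", "remote_port": 2425, "vpn_egress": False},
    {"host": "LT-0412", "process": "anydesk.exe", "remote_port": 443, "vpn_egress": True},
    {"host": "LT-0977", "process": "teamviewer.exe", "remote_port": 443, "vpn_egress": False},
    {"host": "LT-1003", "process": "chrome.exe", "remote_port": 443, "vpn_egress": True},
    {"host": "LT-2050", "process": "svc.exe", "remote_port": 2425, "vpn_egress": False},
]

def triage(events, approved_remote_tools=frozenset()):
    """Correlate indicators per host; return {host: (severity, sorted reasons)}."""
    reasons = defaultdict(set)
    for e in events:
        proc = e["process"].lower()
        # Match on port as well, so a renamed binary is still caught.
        if proc in IPMSG_PROCS or e["remote_port"] == IPMSG_PORT:
            reasons[e["host"]].add("ip_messenger")
        if proc in REMOTE_ACCESS_PROCS and proc not in approved_remote_tools:
            reasons[e["host"]].add("unapproved_remote_access")
            if e["vpn_egress"]:
                reasons[e["host"]].add("remote_access_via_vpn")
    result = {}
    for host, found in reasons.items():
        # A single signal is a lead; correlated signals justify a joint
        # HR and security review of the account.
        if {"ip_messenger", "unapproved_remote_access"} <= found:
            severity = "high"
        elif "ip_messenger" in found or "remote_access_via_vpn" in found:
            severity = "medium"
        else:
            severity = "low"
        result[host] = (severity, sorted(found))
    return result

if __name__ == "__main__":
    for host, (severity, why) in sorted(triage(EVENTS).items()):
        print(host, severity, ", ".join(why))
```

VPN egress on its own is deliberately not scored, since many legitimate remote employees use one; it only raises severity when paired with an unapproved remote-access tool.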
Flare described the issue as requiring a cross-functional response that includes hiring managers and HR teams. "Defending against North Korean IT worker infiltration isn't just a cybersecurity issue - it requires coordinated action across HR, security, hiring managers, and interview teams," said a threat intelligence researcher at Flare.
IBM X-Force said the risk stems from weaknesses in recruitment and identity processes. "North Korean IT workers are slipping through hiring and identity gaps in ways many organizations still underestimate," said Josh Chung, Strategic Cyber Threat Analyst at IBM X-Force. "This report sheds light on how these operators embed themselves and offers practical direction to help security teams uncover and stop them."