CFOtech Asia - Technology news for CFOs & financial decision-makers
North Korea IT fraud cell flooded US firms with 167,000 bids

Sat, 20th Jun 2026
Joseph Gabriel Lagonsin, News Editor

Nisos has published research on a North Korean IT worker fraud cell operating in the United States. The operation was responsible for 167,000 job applications and at least 76 job offers, according to the company.

The findings describe a coordinated employment fraud scheme aimed largely at remote IT roles at US companies. The cell submitted at least 166,893 applications, took part in more than 21,645 interviews and secured 76 offers between late 2024 and 2025.

The investigation began after a suspected North Korean operative applied for a remote AI architect role at Nisos. The company then worked with law enforcement and expanded the inquiry to map a broader network.

Nisos estimated the cell involved up to 22 operatives. On that basis, each operative was linked on average to 7,586 applications, 984 interviews and 3.5 job offers.

The group used appropriated identities, false documents, AI-assisted interview techniques and US-based facilitators to pass recruitment checks, the research found. It also maintained a formal hierarchy that included administrators, managers, team leads, operatives and external facilitators.

Target sectors

Technology companies accounted for 42.6% of organisations that extended offers to the operation, according to the report. Consulting, healthcare and financial services businesses followed.

The operatives mainly pursued software engineering, development and data-related jobs, which made up more than 70% of the roles observed in the inquiry. Salaries for those positions ranged from about USD $55,000 to USD $230,000 per role.

The report also describes the use of AI tools to support the deception. Researchers said operatives relied on AI-generated CVs, interview coaching tools, real-time response generation and voice-training applications to improve their chances during screening and interviews.

Other methods included remote access tools and laptop farms, which can help disguise a worker's true location. Members of the cell also used three-letter initials to conceal identities, split communications across Discord, Telegram and WhatsApp, and communicated only in English to avoid detection through native-language cues.

US facilitators

A notable feature of the operation was its dependence on people based in the US. These facilitators, referred to in the research as "natives", attended interviews, completed onboarding tasks, managed employer-issued devices, helped with drug tests and supported ongoing work activity.

The facilitators were often paid in ERC20 cryptocurrency, according to Nisos. The network also included identity brokers and performance-tracking systems used to monitor how many applications, interviews and offers each persona generated.

The model appeared to go beyond isolated fraudulent applicants and resembled an organised production line. Operatives managed several employment personas at the same time while sharing supporting infrastructure.

"DPRK employment fraud has evolved into a highly organized and scalable operation that blends human deception, technical tradecraft, and AI-enabled tactics," said Ryan LaSalle, Chief Executive Officer, Nisos.

"What makes this threat particularly concerning is that these actors are no longer relying solely on traditional cybercrime. They are embedding themselves within organizations, collecting salaries, gaining access to systems and data, and generating revenue for the regime through seemingly legitimate employment," LaSalle said.

Nisos framed the issue as broader than a recruitment problem, saying the risks extend to company systems, sensitive information and internal access once a fraudulent applicant is hired into a remote role.

The company said its latest findings build on an earlier inquiry that identified a suspicious applicant and uncovered a US-based laptop farm linked to fraudulent remote workers. That earlier work also pointed to the use of AI-generated CVs, appropriated identities, VPN services and remote access methods.

The new research adds scale and structure to that picture. It describes a communications environment based on Discord, the use of dashboards to track results and a workflow in which different participants handled separate parts of the hiring and employment process.

For employers, the findings are likely to sharpen concerns about the security implications of remote hiring, especially in technical roles where access to code, data or internal systems may be granted soon after onboarding. The report suggests technology companies have been the most frequent targets, but consulting, healthcare and finance groups have also faced similar approaches.

"Many organizations still view employment fraud primarily as an HR challenge, but it has become a significant human risk and security issue," LaSalle said.

"Security, HR, legal, and executive leadership teams must all work together to identify suspicious indicators earlier in the hiring process. With coordinated efforts they can reduce the likelihood that fraudulent actors gain access to company systems, intellectual property, and sensitive data, or takeaway job opportunities from legitimate candidates," LaSalle said.