Stolen IDs and laptop farms: How North Korean IT workers infiltrate Western companies
Published: 29 Jul. 2025, 20:44
Updated: 07 Nov. 2025, 14:10
-
- MICHAEL LEE
- [email protected]
Audio report: written by reporters, read by AI
![[GETTY IMAGES]](https://koreaseafood.online/data/photo/2025/11/07/2c295272-229a-459b-9b80-5e5f28156dab.jpg)
[GETTY IMAGES]
When Korean American entrepreneur Robin Kim posted an opening at his company for a senior user interface engineer, he expected candidates with a preference for working remotely.
What he didn’t anticipate, however, was that some of the applicants might be North Korean operatives working at Pyongyang’s behest to infiltrate Western companies.
Kim’s unnerving brush two years ago with three individuals he now believes were North Koreans posing as software engineers based in other countries reflects a growing concern among global cybersecurity officials.
U.S. authorities say North Korea is deploying cyber operatives to secure remote tech jobs abroad. These agents not only earn wages that bankroll Pyongyang’s missile and nuclear weapons programs, but also sometimes introduce malware into company networks to steal cryptocurrencies or extract sensitive and proprietary data.
The scheme has become so pervasive that nearly every Fortune 500 company has unknowingly hired at least one North Korean worker, according to Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, during a media briefing in April.
In response, the U.S. Department of Justice is cracking down by arresting Pyongyang’s U.S.-based accomplices, seizing financial assets and raiding locations connected to the scheme.
To understand how these operatives infiltrate Western companies, the Korea JoongAng Daily spoke with representatives of three tech firms that interviewed or even employed applicants who were later flagged as suspected North Korean agents.
Mismatched names and faces
For Kim, the first hint that something was amiss came from the names on the résumés: Steven Smith, Jeremy Pierce and Rodney Gilyard. “These are names most people would associate with Caucasian males,” Kim said.
But during video interviews, all three candidates appeared to be Asian men.
“I was a little taken aback, but I withheld judgment because I didn’t want to be accused of racial profiling,” Kim recalled.
Still, their accents gave him pause. “I could only tell that they weren’t native speakers of English, which I thought was also strange since they gave me such American names,” he said.
Kim added that he usually recognizes Korean accents and did not initially assume the applicants were North Korean.
He was not the only one inclined to overlook an apparent mismatch between a job applicant’s name and ethnic appearance.
In a similar case that took place earlier this year, a San Francisco-based AI start-up accidentally hired a suspected North Korean operative who also used a Western-sounding name on their job application.
The company’s chief operating officer (COO), who spoke to the Korea JoongAng Daily on condition of anonymity, said the applicant’s personal details were not considered suspicious by the employees who interviewed him due to the diversity of workers in the tech industry.
“Everyone’s from somewhere else in Silicon Valley. A foreign accent, by itself, wouldn’t necessarily raise concerns,” he said.
Shifty behavior, red flags
Incongruous names and accents were not the only signs that these applicants were not who they claimed to be.
Job interviews at tech companies typically consist of multiple stages, including one where applicants elaborate on their previous work experience and another where they demonstrate their ability to perform the technical requirements of the position, such as code writing.
It was during these technical interviews that Kim noticed that Pierce and Smith appeared ill at ease demonstrating and explaining their coding abilities.
“Gilyard was really quite good,” Kim said. “But Pierce’s and Smith’s coding abilities weren’t at the level of the experience they claimed.”
There were also some unusual moments. Smith refused to turn his camera on during his technical demonstration, while Pierce froze mid-explanation for 30 seconds — though Kim could still hear voices in the background.
“It seemed like he was getting help from someone nearby,” Kim said.
That suspicion of outside assistance was echoed by the COO of the AI start-up, who later discovered that different individuals had appeared in the same candidate’s interviews.
“Though we don’t record interviews as a matter of practice, we realized during our internal investigation that multiple people had represented the same applicant,” the COO said, adding that the company did not initially catch this deception because four different employees conducted the interviews.
Following the incident, the company instituted a rule requiring all candidates to keep their cameras on during virtual meetings.
Kim also found it suspicious that even the most skilled of the three applicants, Gilyard, was unable to provide details about life in Jersey City, his purported locale.
“He said there wasn’t much to do around there, which is weird because it’s right by Manhattan,” recalled Kim, who has previously lived in both New Jersey and New York.
Alarm bells go off
Impressed as he was with Gilyard, Kim decided to conduct one final check — a call with the applicant’s former employer — before hiring him.
That step stopped Kim cold in his tracks.
Not only did Gilyard’s alleged former employer refuse to turn his camera on during his call with Kim, he also spoke with an accent similar to Gilyard’s. Unable to ignore his suspicions, Kim ran Gilyard’s IP address through a verification service.
“When I read the report, alarm bells went off in my head,” he said. “It said the IP address was associated with known scams and cybercriminal activity.”
![The resume of a suspected North Korean cyber operative who used the alias Rodney Gilyard to apply to a job opening at Robin Kim's company in 2023. [ROBIN KIM]](https://koreaseafood.online/data/photo/2025/11/07/d41074c2-57b9-4d22-8129-9ec9a9494a1f.jpg)
The resume of a suspected North Korean cyber operative who used the alias Rodney Gilyard to apply to a job opening at Robin Kim's company in 2023. [ROBIN KIM]
Kim decided not to hire Gilyard shortly thereafter, but he was only able to put his finger on his suspicions later, after reading a cybersecurity report on the tell-tale patterns of North Korean IT workers, which matched what he saw during the interviews.
At the AI start-up, cybersecurity checks also played a key role in uncovering the deception.
A day after the new hire began work, the company received an alert that the worker’s IP address matched that of a so-called laptop farm in New Mexico tied to North Korean cyber operations.
“We terminated his employment that day,” the COO said.
But the final confirmation came in a call from a man in Texas, who was confused after receiving a welcome package from the company.
“It turned out the applicant had stolen this man’s identity,” the COO said. “He had no idea it was being used this way.”
Laptop farms
This pattern aligns with recent warnings from U.S. officials. According to the Justice Department, the North Korean government pays Americans to install remote access tools on company-issued laptops and host the machines in their homes. By controlling the computers from afar, the North Korean operatives can appear as domestic workers.
Sometimes, the U.S.-based accomplices ship the laptops to countries like Russia and China, where North Korean agents can operate with greater ease.
In a recent case that has received extensive media attention, an American woman was sentenced to over eight years in prison on Thursday for hosting laptop farms in houses in Arizona and Minnesota, thus enabling North Korean agents to pose as domestic IT workers at more than 300 U.S. companies.
The woman, Christina Chapman, admitted to stealing the identities of 68 U.S. citizens. According to U.S. officials, Chapman stored the laptops on labeled shelves, each linked to a different company and stolen identity. She was charged alongside three North Korean nationals affiliated with the regime’s Munitions Industry Department.
Officials say the money generated by these remote positions directly supported North Korea’s weapons programs.
Last week, the U.S. Treasury also imposed sanctions targeting a North Korean trading company and three individuals for their involvement in helping the regime evade sanctions and generate revenue through fraudulent IT worker schemes.
Better scrutiny needed
With the proliferation of remote work opportunities during and after the Covid-19 pandemic, experts warn that the risk of inadvertently hiring North Korean cyber operatives has only grown for companies.
Dan Stone, CEO of the professional networking company Icebreaker, said that his company’s website has witnessed an uptick in suspected North Korean IT workers and other hostile state actors “sending connection requests en masse in order to create the illusion of legitimacy and pass themselves off as genuine jobseekers.”
Small and mid-sized companies, he added, are especially vulnerable as they often lack the means to thoroughly vet applicants and end up “deciding whether to hire workers based on their technical abilities.”
Stone estimates that between 500 and 1,000 Web3 jobs are being filled each month by North Korean operatives, many likely juggling multiple roles.
“There’s actually an increasing level of awareness regarding this problem,” he said. “But because companies have work that needs to get done, due diligence often takes a back seat during their hiring processes.”
Stone further emphasized that digital hiring trends have outpaced digital verification means.
“We’ve evolved into a highly digital society, but we’ve not evolved the corresponding tools to verify whether online profiles are trustworthy,” he noted, adding that “the fact that we don’t have these tools is being used against us.”
Stone pointed out that the popular ways that tech companies use to assess a candidate, such as their profiles on LinkedIn or GitHub, can be “populated retrospectively, allowing hostile actors to forge professional experiences and connections with people who have never actually met or worked with them.”
He recommended that companies look beyond candidates’ technical skills and ask them more detailed questions about their lives to verify their backgrounds. He also suggested that employers should ask people they know and trust to vouch for job seekers.
However, he acknowledged that advancing AI tools may soon render even rigorous screenings ineffective. “We’re already seeing AI used to alter voices and appearances on video,” Stone said. “Even if you ask better questions, AI can help them tell better lies.”
BY MICHAEL LEE [[email protected]]
with the Korea JoongAng Daily
To write comments, please log in to one of the accounts.
Standards Board Policy (0/250자)