Inside North Korea’s Remote IT Worker Scheme
STRIDER
How falsified identities, front companies, and intermediaries enable DPRK remote worker operations
Over the past several years, thousands of North Korean nationals—often posing as remote IT workers—have infiltrated Western and Japanese companies and generated billions of dollars for the DPRK regime.
As Strider’s Inside the Shadow Network report details, North Korea has developed an operational model that actively exploits the structure of the global talent market. Understanding how this model works—and why it continues to succeed—is a critical step for Western and Japanese companies seeking to protect their revenue, innovation, and reputation, while also avoiding U.S. and UN sanctions violations.
Tactics, Techniques, and Procedures (TTPs) in Practice
One of the primary tactics underpinning these schemes is the use of disguised identities and front companies. North Korean IT workers routinely operate under aliases, supported by forged documents and fabricated credentials, to secure employment with foreign firms. In many cases, they establish front companies that appear to be legitimate IT services firms, which allows these individuals to interact with global clients without raising suspicion.
Freelancing platforms are also an entry point for North Korean nationals targeting Western and Japanese companies. Sites like Upwork, Freelancer, and Fiverr are popular platforms where companies can connect with skilled freelancers looking for remote technical work. These platforms typically require some form of identity verification based on information provided by freelancers, but they make clear that they cannot guarantee a user is who they claim to be. This creates opportunities for North Korean nationals—often using stolen identities—to infiltrate the talent pool of global companies under the guise of remote IT work.
But that initial access is just the beginning. Once a national is embedded in a company, their access to critical systems often expands. Additional permissions are granted. Credentials are issued. Over time, what began as limited work on one or two projects can evolve into broad visibility across a company’s core systems.
In some cases, that access is leveraged directly for cybercrime activities. This can include the deployment of ransomware, phishing campaigns, and hacking operations coordinated with North Korean state-sponsored groups such as the Lazarus Group. The proceeds from these cybercrimes are funneled back to the DPRK regime, helping fund its nuclear and missile programs.
Other nationals focus on application and software development, creating apps and programs marketed to global audiences, often under the banner of foreign companies. At first glance, these apps and programs can appear legitimate and innocuous. They can cover many different fields, including business, health and fitness, social networking, sports, entertainment, and lifestyle. But these apps and programs can also serve as a Trojan horse for malicious code that allows North Korean nationals to conduct surveillance, steal data from users, and generate illicit revenue.
The DPRK has also shown a growing interest in cryptocurrency markets as a mechanism to evade international sanctions. A recent report from the blockchain watchdog company Chainalysis found that North Korea stole more than $2 billion in cryptocurrency last year. That amounts to over half of all crypto stolen globally in 2025 and brings the DPRK’s total identified haul since 2016 to nearly $7 billion. These markets are prime targets for North Korean IT workers, who create and deploy malware to mine cryptocurrencies, hack exchanges, and participate in initial coin offerings.
The Broader Threat Ecosystem
This operational model goes beyond the tactics, techniques, and procedures of individual actors. It depends on a broader ecosystem that allows North Korean nationals to work outside the DPRK and remain connected to global platforms and markets.
Strider is shedding light on how this ecosystem operates. Powered by a dataset spanning nearly 20 billion global open-source documents, Strider is using advanced AI technology and proprietary methodologies to uncover and map complex threat networks and identify potential intermediaries. That research shows that intermediaries based in the People’s Republic of China (PRC) play a particularly important role in this ecosystem. In practical terms, these intermediaries help solve the logistical challenges of operating overseas for North Korean workers.
One example is the Liaoning China Trade Industry Co., Ltd., which was sanctioned by the United States last year after it was discovered that the company had shipped equipment—including computers, graphics cards, HDMI cables, and more—to Department 53, an entity subordinate to the DPRK Ministry of National Defense. It is this type of support that allows North Korean nationals to remain fully equipped and functioning without raising any alarms or jeopardizing their identities.
Strider’s data allows even deeper analysis of PRC operational support. Using Organizations Search, its proprietary third-party due diligence platform, Strider identified 35 additional organizations linked to Liaoning China Trade that could also be supporting Department 53. In many cases, these organizations appear to operate in normal commercial sectors and present themselves as legitimate businesses. But beneath the surface, they pose a significant risk to Western and Japanese companies, which may engage with these organizations and unknowingly expose themselves to potential sanctions violations and serious reputational harm.
While the PRC plays a central role in this scheme due to its proximity and vast digital economy, Strider’s research shows that North Korean IT workers also operate from Russia, Southeast Asia, parts of Africa, and the Middle East. These regions differ in regulatory and political context, but they offer similar advantages: access to the global internet, uneven oversight, and distance from the DPRK.
Conclusion
Government entities are working to uncover and eliminate the DPRK remote worker threat, but the scope and scale of this operation are already far greater than most companies recognize. Addressing this network requires coordinated vigilance across both public and private sectors. To help combat threats like this, Strider developed a tool—Falsified Resume Screening—to help organizational leaders detect fabricated or inconsistent credentials in job applicants.
Moving forward, business leaders must take a proactive approach to safeguarding their organization from unwittingly hiring a remote worker from the DPRK—because the integrity of their workforce, sanctions compliance, and reputation are at stake.