Announcing our $5M seed roundLearn more

Why one North Korean IT Worker is rarely just one

Why one North Korean IT Worker is rarely just one


5 minute read

Table of Contents

When a company discovers it has hired a North Korean IT worker, the instinct is to treat it as a single bad hire that slipped through. However, one hire is usually the entry point for several more. 

The operation is not after a single job. It runs on volume, and once it gets one worker inside a company, it uses that leverage to get more in. 

The operation needs volume

To understand why one hire leads to many, it helps to look at the pressure the workers are under. The December 2024 indictment of 14 North Korean nationals described an operation organized like a business, with delegation leaders who each managed at least 50 workers and group leaders who supervised them day to day. Every one of those workers is expected to earn a minimum, and the standard quota is around $10,000 a month per worker. A manager responsible for 50 people cannot hit those numbers with a handful of jobs. They need a steady flow of placements, and they need it constantly, because identities get exposed and roles come to an end.

That pressure shapes how the operation behaves once it is inside a company. A company that has hired one worker successfully has just proven it can be penetrated. Its interview format, its screening, and its process have all been tested and passed. To the operation, that is not a single win. It is a channel worth using again.

How they get in more than once

Producing that volume starts well before anyone applies. Building the fake candidates is a job in itself, and some members do nothing else. They assemble resumes, forged IDs, portfolio sites, and interview scripts. The candidates then use AI-generated headshots, face-swapping software, and real-time voice changers to get through video interviews. Because each one is cheap and fast to build, the operation can put many into the same company at once, each looking like a separate person. To get in front of the employer they use one of the following methods: 

  • Referrals -  The most direct route is the referral. Once a North Korean IT worker is established at a company, they frequently recommend other North Korean workers for open roles. This works for the same reason referrals work everywhere. A hiring manager trusts a candidate introduced by a current employee and moves them through the process faster and with less scrutiny. The hired candidate can also coach the new candidate on who will interview them, what tools the team uses, and what to say to make sure they pass all stages of hiring. If the company asks for references, the operation can supply those too, using other fake identities it controls to pose as former managers. 

  • Staffing and recruiting agencies -  Many workers never apply directly. They come in through staffing firms and recruiters that look completely ordinary, which puts a trusted middleman between the company and the candidate. The company assumes the agency has already vetted the person, so no one checks the identity again. Some of these agencies are real and simply fooled. Some know exactly what they are doing. And in some cases the agency is not a real agency at all, but a front the operation set up to funnel its own candidates in. 

  • Stacked identities -  Another way to collect several salaries is to get hired more than once, each time under a different fake identity. Every identity comes with its own resume and a real person's details, either stolen or rented, usually through a US-based accomplice. So a company that thinks it hired three separate engineers may have hired one worker, running three identities. In the 2025 nationwide case, two US-based accomplices used the stolen identities of more than 80 Americans to place workers at over 100 companies.

What this means for a company

The known cases show this is built to happen at scale. Over and over, investigators find not one worker at a company but several, connected by the same referral, the same recruiter, or the same accomplice. 

So finding one North Korean IT worker should be the start of the search, not the end. Look at anyone hired around the same time, brought in through the same referral or recruiter, or sharing the same devices, addresses, or payment accounts. Because one person can be behind several hires, the links are usually there once someone looks for them.

All of this works for one reason: no one checked that the candidate was a real, specific person before hiring them. The fix is simple: confirm that each candidate is a real, distinct person before the first interview. 

This is why we built Tofu. Tofu verifies that every candidate is a real, distinct person before they reach an interview, so a referral, an agency, or a stack of identities all run into the same wall. If your team hires remote, it is worth putting that check in place before the next role goes live. 

Come talk to us and we will walk you through it.



« Back to Blog