In September 2025, Okta Threat Intelligence published research from a large-scale analysis into fraudulent employment schemes conducted by Democratic People’s Republic of Korea (DPRK) IT Workers (ITW).
That research collated data on over 130 actors who, between them, conducted over 6,500 interviews with 500 companies.
In this post, we look specifically at the activities of two individual personas. We selected these two examples from a large list of actors that we continue to track because they exemplify the typical tools, techniques and procedures (TTPs) employed by DPRK ITW actors. Additionally, each had novel observables that can further inform defenders against these efforts.
These two actors reveal two interesting TTPs DPRK actors use to land employment: the abuse of legitimate LinkedIn profiles to pass reference checks, and the abuse of stolen identities.
#1 - Meet “JJ”
The first of the two actors we will detail we’ll refer to as “JJ”. This actor has prolifically interviewed for roles in multiple verticals over two years, with an overrepresentation of roles in AI and healthcare.
The email account used by this actor is similar in structure to those of other DPRK-linked actors: it is hosted on a free webmail service, and the account name combines a reference to software development with a run of random alphanumeric characters. Open-source intelligence (OSINT) research into this email address uncovered a number of accounts on online services that are very typical of DPRK ITW actors. All of these accounts are used exclusively for job applications and associated tasks:
Job board and hiring platforms
Scheduling platforms popular with recruiters
Document organization workspaces with AI assistance
Dynamic DNS services
Online coding platforms
While not observed with this specific actor, Okta Threat Intelligence has also used OSINT techniques to observe email addresses used by DPRK actors being registered to the following services:
Freelancer employment platforms
Article authoring and publishing platforms
Document creation and management
Language learning platforms
Online communications
Software development social platforms
Online PDF platforms
Coding assessment platforms
DPRK actors use these online accounts and fabricated resumes to effectively create an artificial “persona”. These personas appear "out of thin air", inheriting the online presence required for a professional applying for roles, but without any evidence of personal use of any internet services. The exclusive use of these specific services, combined with the absence of any personal online footprint, creates a pattern highly indicative of an artificial persona.
Additional “tells” very common to these actors can sometimes be observed in the document properties of PDF résumés they provide. Okta Threat Intelligence can provide customers with further details on these methods of detection - please talk to your account manager to find out more.
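As an added illustration of what "document properties" means in practice (this is not Okta's detection method, and the sample PDF bytes, the applicant details and the thresholds are all constructed here), the following script pulls the /Info dictionary out of a PDF résumé and compares it with what the applicant claims: the Author field against the applicant's name, the UTC offset embedded in the PDF timestamps against the applicant's claimed time zone, and the ordering of creation and modification dates.

```python
"""
Read a PDF resume's document-information (/Info) dictionary and report
simple consistency "tells". Added example, not Okta's method. The PDF
below and the applicant details are constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF with an uncompressed /Info dictionary.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Resume) /Author (Jane Roe) /Creator (Writer)
/Producer (LibreOffice 7.6) /CreationDate (D:20250901120000Z)
/ModDate (D:20250910083000+09'00') >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# PDF date syntax: D:YYYYMMDDHHmmSS followed by Z or +HH'mm' / -HH'mm'
_DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    r"(?:(Z)|([+-])(\d{2})'?(\d{2})?'?)?"
)

def parse_pdf_date(raw):
    """Return (aware datetime, explicit UTC offset or None).
    The offset is None when the string has no numeric offset ('Z' or absent)."""
    m = _DATE_RE.match(raw or "")
    if not m:
        return None, None
    y, mo, d, h, mi, s, _z, sign, oh, om = m.groups()
    fields = [int(v) if v else dflt for v, dflt in
              ((y, 1), (mo, 1), (d, 1), (h, 0), (mi, 0), (s, 0))]
    offset = None
    if sign:
        offset = timedelta(hours=int(oh), minutes=int(om or 0))
        if sign == "-":
            offset = -offset
    tz = timezone(offset) if offset is not None else timezone.utc
    return datetime(*fields, tzinfo=tz), offset

def pdf_info(data: bytes) -> dict:
    """Return the literal-string entries of the /Info dictionary.
    Handles only an uncompressed Info object (no object streams, no XMP)."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {}
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                    data, re.S)
    if not obj:
        return {}
    pairs = re.findall(rb"/(\w+)\s*\(((?:[^()\\]|\\.)*)\)", obj.group(1))
    return {k.decode("ascii"): v.decode("latin-1") for k, v in pairs}

def _hours(td: timedelta) -> str:
    return f"{td.total_seconds() / 3600:+g}h"

def resume_tells(data: bytes, applicant_name: str, claimed_utc_offset_hours: float) -> list:
    """Compare /Info metadata with the applicant's claims; return a list of tells."""
    info = pdf_info(data)
    tells = []
    author = info.get("Author", "").strip()
    if author and author.casefold() != applicant_name.strip().casefold():
        tells.append(f"Author '{author}' differs from applicant name '{applicant_name}'")
    claimed = timedelta(hours=claimed_utc_offset_hours)
    stamps = {}
    for key in ("CreationDate", "ModDate"):
        dt, offset = parse_pdf_date(info.get(key))
        if dt is None:
            continue
        stamps[key] = dt
        # Only an explicit numeric offset says anything about the author's clock.
        if offset is not None and offset != claimed:
            tells.append(f"{key} carries UTC offset {_hours(offset)} "
                         f"but applicant claims {_hours(claimed)}")
    if {"CreationDate", "ModDate"} <= stamps.keys() and stamps["ModDate"] < stamps["CreationDate"]:
        tells.append("ModDate precedes CreationDate (timestamps edited)")
    return tells

if __name__ == "__main__":
    # Constructed claim: applicant "John Doe" in Seattle during daylight time (UTC-7)
    for tell in resume_tells(SAMPLE_PDF, "John Doe", -7):
        print("TELL:", tell)
```

The regex approach only works for PDFs whose Info object is stored uncompressed; PDF 1.5+ files can place it in a compressed object stream, and many producers also write XMP metadata, so a production check would extract the same fields with a real PDF library before applying the comparisons. A mismatch is a prompt for a follow-up question, not proof of fraud: résumés are legitimately edited by recruiters and résumé-writing services.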
Becoming JJ
During the two years of observed activity, our threat actor JJ created and subsequently abandoned several personas.
Until recently, JJ told recruiters that he did not have a LinkedIn profile. Okta Threat Intelligence occasionally observes LinkedIn profiles associated with the persona email addresses set up by DPRK ITW actors. The scarcity of connections, posts, recommendations, other content, and activity on these profiles can be used to identify a lack of authenticity. Often we discover that a LinkedIn profile listed by a DPRK ITW actor has been disabled thanks to the detection and enforcement efforts of the LinkedIn security team.
In September 2025, JJ was observed providing recruiters with an active LinkedIn profile for the first time. The LinkedIn profile matched the inauthentic name they were using to apply for roles at the time, and did not feature a profile picture. At first glance, the profile appeared robust and realistic, unlike most LinkedIn profiles established for DPRK IT Worker fraud. For example, the profile had:
Almost 200 connections
Links to a GitHub account with realistic content (see later in report for example of an unrealistic GitHub account)
Multiple “skills” listed, many of which were endorsed by multiple third-parties. The endorsing LinkedIn accounts appeared to be authentic.
Figure 1. JJ’s claimed LinkedIn profile
A happy false-positive
Our investigation determined that the person represented in the LinkedIn profile was, until recently, a genuine employee of the listed organization.
Our assessment is that the actor has simply misrepresented a genuine LinkedIn profile as their own, renaming their fraudulent persona to match a real person whose profile fit the employment criteria. Our confidence in this assessment was also based on the fact that the DPRK actor's email address was not the email address used for the legitimate LinkedIn profile. It was a form of "stolen valour" designed to increase their chances of employment.
A challenge for verification
This technique - building a persona on a real identity - reinforces the need for strong identity verification prior to any form of employment. Employers should not rely on a LinkedIn profile as a basis for determining employment history. Verification requests to current or recent employers that ask only whether a person with that name was employed in the role during the timeframes listed on LinkedIn will not reveal the fraud. It is trivial for a threat actor to employ this technique, or to generate résumés directly from a co-opted LinkedIn profile using an online résumé generator or an AI-augmented system that consumes a public profile as input. The actor simply supplies a different email address and phone number, and the HR screener's task becomes far more demanding.
Prospective employers should incorporate identity verification techniques such as mobile driver's license verification. If relying on knowledge factors, verifiers should only base assessments on definitively non-public information such as a partially-redacted national ID number or the name of the applicant's last manager in the role. Employers cannot rely on date of birth for robust verification, as this information is readily available in public data and people-search services.
#2 "EM" gets hired
We will refer to our second actor as "EM". EM’s employment fraud activity stretches back over a year, with hundreds of interviews again across all verticals, but very much favoring AI-related roles and organizations. Okta Threat Intelligence also observed EM interviewing with sensitive critical national infrastructure (CNI) organizations such as commercial aviation, communications providers, internet service providers, a voting technology company and intelligence and defense contractors.
EM succeeds in first interviews, and is invited to further rounds with individual organizations, at a statistically high rate, and is likely to have been hired by several organisations into software development roles.
We set out to discover some of the secrets to EM’s success.
The co-opted persona used by EM appears to have been crafted from an online photograph of a legitimate person who, unfortunately, also exposed enough information online to enable the DPRK (and potentially others) to co-opt his identity.
The real EM and an identity problem
EM claims to be a US citizen when asked about employment eligibility, and presents very realistic identity documents. Research into the name used by this actor finds only one real person with this distinct name. We found photos of that person holding up an identity document almost identical to the one our actor presents as his own, but with a different photograph and signature.
Figure 2. A leaked identity on Facebook, redacted
The DPRK EM
EM’s professed residential and employment history differs significantly from that of the real person whose identity was assumed. Okta Threat Intelligence observed EM offering two different contact phone numbers. Both are VoIP numbers, ubiquitous among DPRK actors, and one has a caller-ID (CNAM) location that contradicts their professed biography. The LinkedIn profile listed in their resume has since been taken down by the team at LinkedIn.
CNAM lookup results for the two numbers: SEATTLE WA; WESTPORT WA
DPRK ITW actors often create impressive-looking GitHub accounts to backstop their technical proficiency for job interviews. EM is no exception to this.
Figure 3. An impressive GitHub account
A GitHub account used by EM has thousands of contributions, ostensibly dating back to 2011.
Figure 4. GitHub heatmap, misrepresenting aged commits
Figure 5. The earliest commit presented on GitHub
However, it appears that EM forged most of the commit dates.
The repository's creation date can be read from the GitHub API (request and response below). It returns December 2024, not 2011: the repository did not exist on GitHub until then, so the 2011 dates shown in the heatmap are the dates recorded inside the commits themselves, not when they were pushed.
➜ ~ curl -s https://api.github.com/repos/em███████/D██████-W██████ | jq -r '.created_at'
2024-12-14T██:██:00Z
This actor simply changed the year in their unsigned commit dates from 2024 to 2011. Git records an author date and a committer date in each commit, both of which the committer can set to any value, and GitHub renders whatever date the commit object carries.
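The same check, generalised from the single repository lookup above to every commit in a repository, as an added example that is not Okta's tooling: the script compares each commit's author and committer dates with the repository's created_at timestamp and records whether the commit is signed. The API responses are constructed here to mirror the shape of GET /repos/{owner}/{repo} and GET /repos/{owner}/{repo}/commits; the owner and repository name are whatever the caller passes in.

```python
"""
Flag GitHub commits dated before the repository existed. Added example,
not Okta's tooling. SAMPLE_REPO and SAMPLE_COMMITS are constructed to
mirror the shape of the GitHub REST responses so the check runs offline.
"""
import json
import urllib.request
from datetime import datetime

# Constructed: repository metadata as returned by GET /repos/{owner}/{repo}
SAMPLE_REPO = {"full_name": "example/demo", "created_at": "2024-12-14T10:00:00Z"}

# Constructed: abbreviated commit objects as returned by GET /repos/{owner}/{repo}/commits
SAMPLE_COMMITS = [
    {   # both dates rewritten to 2011 (GIT_AUTHOR_DATE and GIT_COMMITTER_DATE set)
        "sha": "a" * 40,
        "commit": {"author": {"date": "2011-03-02T09:15:00Z"},
                   "committer": {"date": "2011-03-02T09:15:00Z"},
                   "verification": {"verified": False, "reason": "unsigned"}},
    },
    {   # only the author date was set; the committer date betrays the real time
        "sha": "b" * 40,
        "commit": {"author": {"date": "2011-06-01T08:00:00Z"},
                   "committer": {"date": "2024-12-15T11:20:00Z"},
                   "verification": {"verified": False, "reason": "unsigned"}},
    },
    {   # genuine, signed commit made after the repository was created
        "sha": "c" * 40,
        "commit": {"author": {"date": "2025-01-05T14:00:00Z"},
                   "committer": {"date": "2025-01-05T14:00:00Z"},
                   "verification": {"verified": True, "reason": "valid"}},
    },
]

def parse_ts(s: str) -> datetime:
    """GitHub timestamps are ISO 8601; 'Z' is rewritten so fromisoformat accepts it."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def backdated_commits(repo: dict, commits: list) -> list:
    """Return a record for each commit whose author or committer date
    precedes the repository's own creation timestamp."""
    created = parse_ts(repo["created_at"])
    flagged = []
    for c in commits:
        meta = c["commit"]
        author_dt = parse_ts(meta["author"]["date"])
        committer_dt = parse_ts(meta["committer"]["date"])
        if author_dt < created or committer_dt < created:
            flagged.append({
                "sha": c["sha"][:12],
                "author_date": meta["author"]["date"],
                "committer_date": meta["committer"]["date"],
                "years_before_repo": round((created - min(author_dt, committer_dt)).days / 365.25, 1),
                "dates_disagree": author_dt != committer_dt,
                "signed": bool(meta.get("verification", {}).get("verified")),
            })
    return flagged

def fetch_json(url, token=None):
    """GET a GitHub REST endpoint; unauthenticated calls are rate-limited."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "User-Agent": "backdated-commit-check"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def check_repo(owner, name, token=None):
    """Live variant: inspects the first page (100 commits) of the default branch only;
    follow the Link header to paginate through older history."""
    base = f"https://api.github.com/repos/{owner}/{name}"
    return backdated_commits(fetch_json(base, token),
                             fetch_json(base + "/commits?per_page=100", token))

if __name__ == "__main__":
    for rec in backdated_commits(SAMPLE_REPO, SAMPLE_COMMITS):
        print(rec)
```

Two caveats for anyone using this during screening. A repository imported or mirrored from elsewhere legitimately carries commits older than its GitHub created_at, so a hit is a reason to ask the candidate where the history came from, not proof of forgery on its own. And when you have the repository cloned, `git log --format='%h %ai %ci'` prints both dates for every commit; a history in which author dates are years older than committer dates was rewritten after the fact.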
The many (AI) faces of EM
The face of EM, as presented in various online profiles, is inconsistent. None of them are at all similar to the image used in EM’s forged identity documents.
Figures 6,7. AI-generated profile pictures
They appear to the human eye to be likely AI creations, and multiple online AI-detection tools returned mixed to high confidence assessments when asked whether the profile pictures were AI generated.
Figure 8. Online AI checker (source: writehuman.ai)
A third profile picture, likely sourced from a now-deleted LinkedIn account, lacks the necessary resolution to accurately determine if it was AI-generated. It is again clearly not the same as the forged identity or other AI-generated images used by the actor.
Figure 9. Yet another appearance for EM
The other DPRK EM?
During the course of our research, Okta Threat Intelligence assessed two additional professional profiles for EM with a distinctly different biography and a profile picture that tools identified as likely not AI-generated.
Figure 10. Another DPRK profile for EM
Figure 11. A third DPRK profile for EM
As the table below shows, the two profiles tell a very different story. This may be a different DPRK ITW actor using the same identity, or an earlier iteration of EM’s fictional biography.
| | Original EM biography | Second EM biography |
|---|---|---|
| Current location | Seattle | Miami |
| Education | Degree from a university in Japan | Degree from University of Florida |
| Prior roles | Several tech roles in Seattle, currently self-employed; a position at a Boston-based betting company; a position at a New York-based financial institution; prior roles in Spain and Japan | Software engineer for a software development company; developer for a large consultancy; software engineer for another consultancy |
Your new (DPRK) hire
During our research, we often make assessments as to whether a DPRK ITW actor has successfully been hired into a role. In this case we can say with high confidence that EM has been hired, thanks to a LinkedIn post by their new employer welcoming their newest hire.
Figure 12. Welcoming a new (DPRK) hire
The photo used in this post is even more obviously AI-generated than any of the other photographs we analyzed.
Steps have been taken to contact this organization to inform them of our observations.
Conclusion
Just as with genuine candidates hunting for work, the vast majority of interviews with DPRK facilitators and agents do not progress to a second interview or job offer.
Some actors, however, seem to be more competent at crafting personas and passing screening interviews. Their skill is not limited to an ability to impress a prospective employer; it extends to the tools and techniques DPRK ITW actors use to obfuscate their true origins.
Given the vast quantities of job applications and interviews being conducted, the various operators in the IT Worker scheme are clearly "learning from their mistakes", in many cases duplicating approaches (CV structure and elements, LinkedIn profile construction and interview support technologies) that have succeeded in progressing one application over another. A kind of IT Worker natural selection is at play. The most successful actors are very prolific, each scheduling hundreds of interviews. We consider it likely that they often act as "interview brokers", landing employment positions that are then handed over to other DPRK ITW actors.
The third-party contractor risk
Our research revealed that a large number of DPRK IT Workers seek temporary contract work as software developers hired out to third-party organizations. We assess that these staffing companies are potentially less likely to enforce rigorous background checks on short-term, fixed-task workers than their clients would for direct-hire employees.
This highlights the importance of performing such checks not only on direct-hire employees, but also on all individuals given access to company resources via third-party service providers.
Background checks can never be optional
In this report we’ve highlighted an example of the deliberate co-option of the identity of a genuine person, together with their professional history. Rigorous background checking and employment verification will be needed to pierce this identity misrepresentation. Yet we also observed the hiring of an actor whose artificial identity would not stand up to even the most cursory use of a search engine.
Organizations that unwittingly hire a DPRK actor risk a potential de facto breach of sanctions obligations and associated legal exposure. Each compromised hire can also provide the DPRK with:
Direct financial gain (salary payments diverted to the regime)
Privileged internal access to sensitive systems, data, and networks
Operational leverage for ransomware, extortion, or follow-on cyber activity
Loss of commercially-sensitive corporate secrets
Strategic intelligence collection and access to support future offensive operations
Organizations should therefore adopt a layered defense, including rigorous identity verification during recruitment, ongoing monitoring of the access and behaviour patterns of remote workers, and a clear incident response plan for managing insider or supply chain threats. When hiring for positions of elevated trust and access, in-person verification of identity and documents and collection/provision of equipment and access tokens is a relatively small cost given the risk the organization is taking on. Access for remote employees and especially third-party contractors should be strictly limited to the minimum required to perform their role.
Steps to take to counter this threat
Okta Threat Intelligence assesses that organizations across all verticals — particularly those advertising remote or contract roles — should adopt a layered and proactive approach to recruitment, onboarding, and insider-threat monitoring. Okta recommends that organizations:
1. Strengthen applicant identity verification
Require verifiable government-issued ID checks at multiple stages of recruitment and employment
Cross-check stated locations with IP addresses (include VPN usage detection), time-zone behaviour, payroll banking information and delivery addresses provided for shipping hardware.
Use accredited third-party services to authenticate identity documents, prior employment, and academic credentials
2. Tighten recruitment & screening processes
Train HR and recruiters to identify red flags. Encourage processes that would identify whether a candidate is swapped out between rounds of interviews. Teach them to identify behavioural cues such as poor knowledge of the area they claim to reside in, a refusal to meet in person, a refusal to turn on camera or remove background filters during interviews, or interviewing using a very poor internet connection. Identify duplicated résumés, inconsistent timelines, mismatched time zones and unverifiable references. Assess the candidate’s online footprint and social media presence against the information provided. Where evidence of previous work is provided, investigate whether these projects were simply cloned from the repositories of legitimate user profiles.
Verify the history of edits to CVs and PDFs in document metadata and other technical “tells” associated with duplication and reuse.
Add structured technical and behavioural verification (live coding or writing performed under recruiter observation).
Require corporate email references (not free webmail) and confirm them via an outbound call to the main switchboard number of the reference organization. Ensure these references cover details that are not revealed in, for example, public LinkedIn profiles, such as the last manager's name.
3. Enforce role-based and segregated access controls
Default new or contingent workers to least-privilege profiles and unlock additional access once probationary checks are complete.
Segment development, testing and production; require peer review and approval workflows for code merges and deployments.
Monitor for anomalous access patterns (large data pulls, off-hours logins from unexpected geos/VPNs, credential sharing).
Employ access certification campaigns to govern ongoing access.
4. Monitor contractors and third-party service providers
Where possible, contractually mandate ongoing identity verification standards, background checks, strong authentication policies, device-security baselines and rights to audit.
Require named-user accounts (no shared logins or internal service accounts where possible) and separate tenant/project access for each client environment.
5. Implement insider-threat and security awareness programs
Establish a dedicated insider-risk function or at least a working group spanning HR, Legal, Security, and IT.
Provide targeted training for recruiters, hiring managers, and technical leads on ITW tradecraft and screening controls.
Educate and empower hiring managers and staff to observe and report potentially strange behaviour by their peers that raises questions about their identity, goals or location.
Create safer reporting channels for suspicious behaviour or candidate concerns.
6. Coordinate with law enforcement and industry peers
Share indicators of compromise and suspicious candidate patterns with national cybercrime units and ISAC/ISAO groups.
Develop methods for the insider-risk group to receive and action indicators (email addresses, IP addresses, VPN providers, document-creation artefacts and behavioural indicators), and be prepared to share relevant findings back.
Actively participate in information-sharing forums to track evolving ITW tactics and tooling.
7. Conduct regular risk assessments and red-team exercises
Model insider and malicious contractor attack paths; quantify potential business impact.
Perform red team exercises that test the hiring pipeline (simulated DPRK application and interviews) to assess identity verification processes.
Update incident response plans to include scenarios involving malicious insiders, compromised contractors, and expedited access revocation.
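The location cross-checks in recommendation 1 and the anomalous-access monitoring in recommendation 3 come down to the same correlation: where and when does the worker actually sign in, compared with where they say they live? The following added example (not Okta's product logic) runs that correlation over a handful of constructed sign-in events for a worker who claims to live in Seattle. It assumes an enrichment step has already labelled each source IP with a country and a network type (residential, hosting, vpn, proxy), as a commercial IP-intelligence feed would; those labels, the events and the 08:00-20:00 working window are all constructed here.

```python
"""
Correlate a remote worker's claimed location with where and when they
authenticate. Added example, not Okta's product logic. The sign-in
events and the country / net_type enrichment labels are constructed;
in practice they would come from the IdP's system log plus an IP
intelligence feed.
"""
from datetime import datetime
from statistics import median

# Constructed claim: Seattle, WA during daylight time (UTC-7)
CLAIMED = {"country": "US", "utc_offset_hours": -7}

# Constructed sign-in events: UTC timestamps and documentation IP ranges
EVENTS = [
    {"ts": "2025-09-01T00:12:00Z", "ip": "192.0.2.10",   "country": "US", "net_type": "residential"},
    {"ts": "2025-09-01T00:55:00Z", "ip": "203.0.113.44", "country": "US", "net_type": "hosting"},
    {"ts": "2025-09-01T01:40:00Z", "ip": "203.0.113.44", "country": "US", "net_type": "hosting"},
    {"ts": "2025-09-02T02:30:00Z", "ip": "192.0.2.10",   "country": "US", "net_type": "residential"},
    {"ts": "2025-09-02T04:05:00Z", "ip": "198.51.100.7", "country": "DE", "net_type": "vpn"},
    {"ts": "2025-09-02T05:10:00Z", "ip": "192.0.2.10",   "country": "US", "net_type": "residential"},
    {"ts": "2025-09-03T06:20:00Z", "ip": "192.0.2.10",   "country": "US", "net_type": "residential"},
    {"ts": "2025-09-03T07:45:00Z", "ip": "192.0.2.10",   "country": "US", "net_type": "residential"},
    {"ts": "2025-09-03T08:30:00Z", "ip": "192.0.2.10",   "country": "US", "net_type": "residential"},
]

WORK_START, WORK_END, MIDDAY = 8, 20, 13   # heuristic local working window
ANONYMISING = ("hosting", "vpn", "proxy")   # net_type labels that hide true location

def utc_hour(ts: str) -> float:
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.hour + dt.minute / 60

def local_hours(events, offset_hours):
    """Sign-in times of day as seen on a clock at the given UTC offset."""
    return [(utc_hour(e["ts"]) + offset_hours) % 24 for e in events]

def infer_utc_offset(events):
    """Heuristic: the UTC offset under which the most sign-ins fall inside the
    working window, ties broken by how close the median sign-in sits to midday.
    Returns (offset_hours, share_of_events_inside_window)."""
    best = None
    for off in range(-12, 15):
        local = local_hours(events, off)
        in_window = sum(WORK_START <= h < WORK_END for h in local)
        key = (in_window, -abs(median(local) - MIDDAY))
        if best is None or key > best[0]:
            best = (key, off)
    return best[1], best[0][0] / len(events)

def screen_worker(events, claimed):
    """Return the findings a reviewer would look at for one worker."""
    findings = {
        "country_mismatch": sorted({e["ip"] for e in events
                                    if e["country"] != claimed["country"]}),
        "anonymised_source": sorted({e["ip"] for e in events
                                     if e["net_type"] in ANONYMISING}),
    }
    inferred, share = infer_utc_offset(events)
    claimed_off = claimed["utc_offset_hours"]
    claimed_local = local_hours(events, claimed_off)
    findings["claimed_utc_offset"] = claimed_off
    findings["inferred_utc_offset"] = inferred
    findings["inferred_window_share"] = round(share, 2)
    # How much of the activity would be "off hours" if the claim were true
    findings["off_hours_share_if_claim_true"] = round(
        sum(not WORK_START <= h < WORK_END for h in claimed_local) / len(events), 2)
    findings["offset_mismatch"] = abs(inferred - claimed_off) >= 3
    return findings

if __name__ == "__main__":
    for k, v in screen_worker(EVENTS, CLAIMED).items():
        print(f"{k}: {v}")
```

On the constructed data the worker's sign-ins fit a UTC+9 working day far better than a Seattle one, more than half of them would be off-hours if the Seattle claim were true, and a third of them arrive through hosting or VPN address space. None of these is conclusive alone (genuine employees travel and use VPNs), which is why the output is a set of findings for the insider-risk group rather than a verdict; combining the offset inference with payroll, shipping-address and device-enrolment data, as the recommendations above describe, is what makes the picture hard to fake.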
Okta Threat Intelligence appreciates the assistance of Epieos in the research for this post.