Executive Summary
Over the past few months, Okta Threat Intelligence conducted in-depth research into online services used by individuals identified by US authorities and trusted third parties as agents for the Democratic People’s Republic of Korea (DPRK).
Members of our team have now published a set of observables related to the IP-KVM devices discussed later in this advisory, which are available to authenticated customer security contacts at security.okta.com. Note that these devices may be used for legitimate - or unsanctioned but benign - purposes by employees and on their own are not an indicator of DPRK activity.
Background
Fraudulent IT worker schemes
Multiple arrests and indictments (see Appendix B) have revealed the scale at which individuals operating on behalf of the DPRK have been mobilized into neighbouring countries to gain fraudulent employment in organizations across the globe.
The primary objective of these schemes is to raise funds for the DPRK and compensate for the significant financial sanctions applied to the North Korean regime. US agencies have also identified several outlier cases in which the access to systems provided for employment was used to facilitate espionage or data extortion.
The targets for these fraudulent schemes appear opportunistic and based on the availability of remote technical roles. The employers most at-risk are technology companies that are more likely to accept remote candidates for IT or software engineering roles, often on a contingent basis. However, these campaigns also extend to industry verticals well beyond the technology sector.
Okta Threat Intelligence used indicators associated with known DPRK facilitators and agents to track their use of GenAI applications. We also worked with highly targeted customers and partners to develop preventative controls for this unique threat model. In the process, Okta has revised our own onboarding processes, shared awareness collateral and built out numerous methods of detection.
The research had a direct influence on feature enhancements built into Okta Workforce Identity, such as ID verification services, that Okta customers can use to reduce their exposure to this threat. These are discussed in the “Mitigating Controls” section of this advisory.
The Facilitators
Our understanding of this threat is shaped by the unique insight Okta Threat Intelligence can glean into the tools used by those individuals identified as “facilitators” of fraudulent employment schemes.
These facilitators provide the necessary in-country support, technical infrastructure and/or legitimate business cover to help individuals from sanctioned countries gain and maintain employment.
Facilitators apprehended by law enforcement in the United States are alleged to have knowingly provided a range of support services to DPRK nationals:
- Direct assistance in the recruitment process
- A domestic address for the shipment of company-issued devices
- Access to legitimate identity documents
- Operating company-issued devices on the remote worker’s behalf
- Installing remote management and monitoring (RMM) tools on the device to facilitate the remote work
- Authenticating, where necessary, on the remote worker’s behalf
One Arizona-based “laptop farm” operation exposed in May 2024 is alleged to have assisted in the placement of over 300 individuals in technical positions across the United States. In another January 2025 indictment, two US residents were accused of fraudulently obtaining employment and operating a laptop farm in North Carolina for DPRK nationals, after they’d successfully gained employment at 64 organizations.
Okta can now reveal the degree to which facilitators of fraudulent work schemes rely on emerging GenAI-enhanced services to scale their operations.
The role of AI
Using Generative AI to “test and learn”
In recent months, individuals strongly suspected to be DPRK-created personas have been recorded using real-time “deepfake” video during interviews.
Okta Threat Intelligence research has observed a far broader set of GenAI services used in these schemes, suggesting a very deliberate attempt by facilitators to keep pace with AI innovation. Facilitators are now using GenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK nationals attempting to maintain this employment.
Facilitators were observed using GenAI-based services specializing in:
- Unified messaging
- Recruitment platforms
- Resume/CV screening
- Candidate management
- Automated job screening
- AI-based chatbots
- AI code training
- Online shipping
While Okta Threat Intelligence is not able to observe the facilitators’ activities beyond the login page, the narrow range of functionality offered by many of these tools allows us to hypothesize on some likely use cases, which are provided in the table below.
| Service Category | Task | Role of AI |
|---|---|---|
| Unified messaging | Manage communication on behalf of multiple candidates from sanctioned countries and their multiple personas. | GenAI is used to transcribe or summarize conversations and deliver real-time translation of voice and text. |
| Recruitment platforms | Post job applications similar to those advertised in targeted organizations to assess the success rates of legitimate applications. | These recruitment platforms offer access to systems of interest for facilitators: applicant tracking software (ATS). These algorithms determine whether a job application proceeds through automated checks. CVs and cover letters from legitimate jobseekers may form part of a training set for optimizing applications made on behalf of DPRK nationals. |
| Resume screening | Optimize CVs on behalf of multiple candidates from sanctioned countries and their multiple personas. | AI agents test uploaded CVs against ATS (applicant tracking software) to recognize which personas will be more successful in any targeted job advertisement. |
| Candidate management | Manage multiple job applications on behalf of multiple personas managed by a single person. | AI-enhanced tools are used to automate the process of tracking multiple job applications. |
| Mock interviews | Conduct mock interviews (webcam and text-based) with AI agents tasked with evaluating a candidate’s presentation skills and answers during an interview. | Facilitators can use these GenAI chat-based mock interviews to test the efficacy of deepfake overlays and scripted answers to job interview questions. |
| LLM-based chatbots | Answering questions and completing tasks during job interviews and any resulting employment. | AI chatbots are used in real-time by facilitators standing in for candidates to answer questions during interviews. They are likely used again by candidates to complete tasks during employment. |
| Code training services | Rapid adoption of unfamiliar development skills required by a hiring organization. | Candidates use AI-based training platforms to achieve sufficient competency in a given skill to gain and maintain employment for as long as possible. |
Table 1: AI-enhanced services and other tools used by facilitators of DPRK “wagemole” campaigns
Use cases for AI-enhanced tools
1. Unified Messaging
One of the most demanding challenges for facilitators is how to manage multi-channel communications on behalf of dozens of candidates from sanctioned countries and their multiple personas.
Okta Threat Intelligence observed the use of unified messaging services to manage many simultaneous mobile phone, instant messaging, and email accounts as well as other related chat services.
These unified messaging services use GenAI to transcribe or summarize conversations and deliver real-time translation of voice and text. They appear to be instrumental in helping a relatively small cadre of facilitators schedule job interviews with multiple DPRK candidate personas.
2. Recruitment platforms
Facilitators and candidates both make extensive use of jobseeking platforms to apply for roles. More surprising was the use of AI-enhanced recruitment platforms typically used by recruiters (not candidates), likely in an attempt to amplify the reach and accuracy of job postings.
Access to these tools provides facilitators with opportunities to advertise roles at front companies that are similar, if not identical, to those advertised by targeted organizations, in order to study the cover letters and resumes of legitimate candidates. The CVs and cover letters from legitimate job seekers may even form part of a training set for optimizing future applications made on behalf of DPRK workers.
At scale, these techniques dramatically improve the potential success of job applications, effectively using the recruiters’ own tools against them.
3. Resume/CV Screening
Okta Threat Intelligence assesses that facilitators are highly motivated to generate successful cover letters, CVs and interviews and address any specific criteria in a given application.
Facilitators were observed making use of services that provide “AI Superpowers” to job applicants to help them “outsmart employers’ robots”, in order to improve the chances of a job application successfully progressing past the automated CV/resume scans used in recruiting platforms.
These services use GenAI agents to test uploaded CVs against ATS (applicant tracking software), iterating until they achieve a better result and learning which personas will be more successful in any given role.
4. Candidate management
Okta Threat Intelligence observed services that use GenAI agents to automate the process of filling in application forms on behalf of candidates and to track the progress of candidates through the application process.
Again, these capabilities address the challenge of facilitating job applications and employment on behalf of multiple individuals and their multiple personas over multiple timezones.
5. Mock Interviews
Once an application is successful, the next task for facilitators is to prepare their candidates (or the facilitator themselves, in some cases) for job interviews.
Facilitators were observed using AI-enhanced services that deploy GenAI agents to host and record first-round interviews on behalf of employers, then critique and offer improvement tips for the interviewee.
These automated “AI-based webcam interview review” services claim to assist with the appropriate use of lighting, video filters, and the candidate’s approach to conversation.
Okta Threat Intelligence assesses that mock interviews staged by AI agents can be used to evaluate the efficacy of deepfake overlays and of highly scripted answers to common questions, to decrease the chance of their deception being discovered.
6. LLM-based chatbots
While most of the GenAI applications used by facilitators relate directly to training and recruitment, Okta Threat Intelligence also observed them constantly signing in to LLM-based chatbots.
Patterns of activity suggest these generalized GenAI tools are relied on heavily throughout the recruitment process, as well as by successful candidates once they gain employment.
7. Code training services
Candidates were also observed signing into free services that offer training in specific development languages and AI tools. These training platforms deliver a cursory awareness of unfamiliar development skills required by a hiring organization at interview, and the bare essentials required to maintain employment for as long as possible.
AI’s “power users”
Facilitators extensively employ AI-enhanced tools to help minimally skilled, non-native English-speaking workers maintain software engineering positions, allowing them to channel earnings towards the sanctioned DPRK regime. The scale of observed operations suggests that even short-term employment for a few weeks or months at a time, when scaled with automation and GenAI, can present a viable economic opportunity for the DPRK.
Mitigating Controls
To mitigate the threat posed by these campaigns, Okta Threat Intelligence recommends:
Identity Verification
DPRK IT worker schemes exploit the fragmented nature of hiring processes in large organizations. Most organizations today use suppliers, partners, freelancers and contingent workers extensively as part of their extended enterprise.
Organizations are most vulnerable when identity verification is performed in silos at different stages of the hiring process. The risk is heightened further where external employment agencies are contracted to perform one or more of the critical tasks in the process - whether that’s advertising a position, conducting interviews, handling contracts or the logistics of onboarding a new contingent worker. At any stage of this process, opportunities arise for paid local facilitators to provide verifying documentation - or even to sit in on an interview - to help an applicant proceed to the next step.
Okta Workforce Identity now includes methods of adding an Identity Verification service as an Identity Provider. A third-party identity verification service typically requests that a user provide a government-issued identity document and prompts them to take a selfie to satisfy a liveness check. When configured as an Identity Provider in Okta, you can configure the solution to be applied during the riskiest moments in a user lifecycle, such as recruitment, user onboarding and account recovery.
We recommend identity verification is applied consistently, from the processing of applications, through to interviews, offer acceptance, the signing of contracts and onboarding. Each successive re-validation of an individual’s identity creates a “chain of trust” throughout the process.
Okta recently configured an integration with Persona, a leading Identity Verification service, to secure enrolment and self-service recovery flows for our own staff and contractors. This implementation, which is described in detail in a blog post, has informed the approach Okta now recommends to customers.
Training and reporting
Identifying fraudulent employment activity requires deep partnerships between security teams, talent teams and procurement functions to ensure background checks and identity verification are performed consistently, irrespective of whether the candidate is being hired or contracted through a third party.
The following red flags are common, but not exclusive, to fraudulent applications for employment. Given the individuals involved in these schemes have evolved their tradecraft significantly over time to improve their rate of success, we anticipate a need to continually adapt and add to this list.
Red Flags (Training and reporting)
During recruitment:
- A candidate expresses a preference for chat-based applications over voice and video calls, blaming poor internet coverage or other similar pretexts
- A candidate provides inconsistent data at various stages in the process (name, location, contact information, education and work history)
- Metadata from remote video conferencing places the candidate in a markedly different location than what was provided in their application
- A candidate appears to be using GenAI tools to answer questions during the interview process
- A candidate provides answers to common questions that appear to be scripted
- A candidate’s face appears to be digitally altered in real-time and they refuse when challenged to hold up a hand or object in front of their face.
During offer:
- A successful candidate is willing to accept lower rates for their work or seek unorthodox methods of payment
- A successful candidate requests a change of shipping addresses for company-issued devices
- Information supplied during background checks is inconsistent with information provided in the candidate’s application (such as education, employment history or location)
During onboarding and employment:
- A contractor or employee is frequently unavailable for scheduled video calls with colleagues, often using family emergencies or illness as a reason
- A contractor or employee is unwilling to show their background when they are asked to appear on video calls
- A contractor or employee has intermittent difficulties with signing in to company systems
- A contractor or employee demonstrates poor performance relative to skills and capabilities assessed during the interview process
- The hours worked by a contractor or employee are inconsistent with the business hours or the timezone they were employed in
- A contractor or employee requests changes of payment information, owing to issues with their bank account
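The working-hours red flag above can be checked against identity provider sign-in logs. The following is an added example, not Okta's code: the user names, HR records, sign-in events, thresholds and the best-fit heuristic are constructed assumptions, and fixed UTC offsets ignore daylight saving.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed HR records; fixed UTC offsets ignore daylight saving (assumption).
HR_RECORDS = {
    "contractor_a": {"utc_offset": -5, "start_hour": 8, "end_hour": 18},
    "contractor_b": {"utc_offset": -5, "start_hour": 8, "end_hour": 18},
}

# Constructed sign-in events (user, UTC timestamp), as an IdP log export might give.
SIGN_INS = [
    ("contractor_a", "2025-03-03T14:05:00+00:00"),
    ("contractor_a", "2025-03-04T13:40:00+00:00"),
    ("contractor_a", "2025-03-05T21:15:00+00:00"),
    ("contractor_a", "2025-03-06T02:30:00+00:00"),
    ("contractor_b", "2025-03-03T01:10:00+00:00"),
    ("contractor_b", "2025-03-04T00:45:00+00:00"),
    ("contractor_b", "2025-03-05T03:20:00+00:00"),
    ("contractor_b", "2025-03-06T06:05:00+00:00"),
    ("contractor_b", "2025-03-06T15:30:00+00:00"),
]

def local_hour(ts_utc, utc_offset):
    """Hour of day (0-23) of an ISO 8601 timestamp at a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset))
    return datetime.fromisoformat(ts_utc).astimezone(tz).hour

def in_hours(stamps, utc_offset, start_hour, end_hour):
    """Count sign-ins that fall inside [start_hour, end_hour) local time."""
    return sum(start_hour <= local_hour(t, utc_offset) < end_hour for t in stamps)

def best_fit_offsets(stamps, start_hour, end_hour):
    """Whole-hour UTC offsets under which the most sign-ins look like business hours."""
    counts = {o: in_hours(stamps, o, start_hour, end_hour) for o in range(-12, 15)}
    top = max(counts.values())
    return [o for o, n in counts.items() if n == top]

def review_sign_ins(sign_ins, hr_records, threshold=0.5, min_events=4):
    """Per user: off-hours ratio, best-fitting offsets, and a review flag."""
    by_user = defaultdict(list)
    for user, ts in sign_ins:
        by_user[user].append(ts)
    findings = {}
    for user, stamps in by_user.items():
        rec = hr_records[user]
        hours = (rec["start_hour"], rec["end_hour"])
        ratio = 1 - in_hours(stamps, rec["utc_offset"], *hours) / len(stamps)
        fits = best_fit_offsets(stamps, *hours)
        findings[user] = {
            "off_hours_ratio": round(ratio, 2),
            "best_fit_offsets": fits,
            # Needs enough data, mostly off-hours, and a better-fitting offset elsewhere.
            "review": (len(stamps) >= min_events and ratio >= threshold
                       and rec["utc_offset"] not in fits),
        }
    return findings

if __name__ == "__main__":
    print(review_sign_ins(SIGN_INS, HR_RECORDS))
```

A flagged account is a prompt for human review alongside the other red flags, not a conclusion: shift work, travel and on-call duty produce the same pattern.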
Detect use of unauthorized remote access tools
Other critical controls include those that prevent or detect unauthorized remote access tools and devices - especially those commonly used in laptop farms - installed on or plugged into company-issued devices.
An IP-KVM is a hardware device that allows remote access and control of computers via a network connection. Small, low cost devices are available that transmit keyboard, video and mouse (“KVM”) signals to remote users without the need for software to be installed on the device. This makes them difficult to detect using traditional endpoint detection and response tools. We are not aware of any signatures provided by EDR vendors that are designed specifically to detect the use of such devices.
Noting reports of the extensive use of IP-KVM devices to enable remote access to laptops in DPRK laptop farms, Okta Threat Intelligence has tested a number of them in order to develop various approaches to detection.
Members of our team have now published a set of observables related to these devices, which are available to Okta customers at security.okta.com. Note that these devices may be used for legitimate - or unsanctioned but benign - purposes by employees and on their own are not an indicator of DPRK activity.
Based on the findings of our research, we strongly recommend implementing multiple detection methods and adopting a risk-based approach to determine whether an IP-KVM device connected to a host is being used maliciously.
Appendix: Further Reading
- Exposing DPRK's Cyber Syndicate and Hidden IT Workforce - DTEX - May 2025
- Fake Engineer - Advanced Deepfake Fraud and How to Detect It - Vidoc Security - March 2025
- Two North Korean Nationals and Three Facilitators Indicted for Multi-Year Fraudulent Remote Information Technology Worker Scheme that Generated Revenue for the Democratic People’s Republic of Korea - US Department of Justice - January 2025
- Fourteen North Korean Nationals Indicted for Carrying Out Multi-Year Fraudulent Information Technology Worker Scheme and Related Extortions - US Department of Justice - December 2024
- Advisory on North Korean IT Workers - Office of Financial Sanctions Implementation, HM Treasury - September 2024
- Justice Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator - US Department of Justice - August 2024
- We found North Korean engineers in our Application Pile. Here’s what our ex-CIA founders did about it - Cinder blog - August 2024
- How a North Korean Fake IT Worker Tried to Infiltrate Us - KnowBe4 Security Awareness Training - July 2024
- The North Korean IT Workers (podcast) - Mandiant - July 2024
- Charges and Seizures Brought in Fraud Scheme Aimed at Denying Revenue for Workers Associated with North Korea - US Department of Justice - May 2024
- Alert Number: I-101823-PSA - US Federal Bureau of Investigation - October 2023
- Justice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of Democratic People’s Republic of Korea Information Technology Workers - US Department of Justice - October 2023
- Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities - US Department of the Treasury - May 2023
- Advisory on the Democratic People’s Republic of Korea Information Technology Workers - Republic of Korea - Ministry of Foreign Affairs - February 2023
- Guidance on the DPRK Information Technology Workers - US Department of the Treasury - May 2022
A note on estimate language
Okta Threat Intelligence teams use the following terms to express likelihood or probability, as outlined in the US Office of the Director of National Intelligence Community Directive 203 - Analytic Standards.
| Likelihood | Almost no chance | Very unlikely | Unlikely | Roughly even chance | Likely | Very likely | Almost certain(ly) |
|---|---|---|---|---|---|---|---|
| Probability | Remote | Highly improbable | Improbable | Roughly even odds | Probable | Highly Probable | Nearly Certain |
| Percentage | 1-5% | 5-20% | 20-45% | 45-55% | 55-80% | 80-95% | 95-99% |