By Staff Writer at LMG Security   /   Aug 13th, 2025

North Korea’s Deepfake Remote Workers: How They’re Getting Inside U.S. Companies — and How to Stop Them

It sounds like the plot of a cyber-thriller: overseas operatives posing as legitimate IT workers, passing video interviews with AI-altered faces, and logging into corporate systems from U.S.-based “laptop farms.” But this isn’t fiction. It’s a real, ongoing North Korean campaign to infiltrate American companies, earn hard currency for sanctioned programs, and potentially lay the groundwork for cyber espionage.

In this week’s Cyberside Chats, we lifted the lid on one of the most sophisticated insider threat operations in the world. Using AI-generated résumés, real-time deepfake interviews, and clever infrastructure tricks, North Korean IT operatives, many of them tracked by CrowdStrike under the name FAMOUS CHOLLIMA, are slipping past traditional hiring defenses.

“It’s scary because these aren’t just low-level scams — they’re embedding people who could have administrative access into corporate environments,” noted Matt Durrin, LMG Security’s Director of Training and Research, during the episode.

Here’s how the scheme works, the signs to watch for, and how you can protect your organization before these deepfake insiders get a foothold.

The Mechanics of the Scam

This campaign blends social engineering, emerging AI tech, and old-fashioned deception. Based on recent U.S. Treasury sanctions and DOJ cases, as well as intelligence from CrowdStrike, here’s the blueprint:

  1. AI-Generated Résumés: Operatives use stolen or fabricated work histories, polished by generative AI tools, to produce résumés tailored to open IT positions in U.S. companies.
  2. Deepfake Interviews: Using real-time face-swapping and voice-cloning, DPRK operatives can convincingly impersonate someone else during a video call. Even live back-and-forth can be masked, making it hard for interviewers to spot the fakery without specialized checks.
  3. U.S.-Based “Laptop Farms”: Once hired, the operatives have their corporate-issued laptops shipped to accomplices in the U.S., who keep the devices powered on and online at a domestic address so the operative can log in to them remotely from overseas. Every session then appears to originate from a U.S. residential connection, evading the geolocation controls that would otherwise flag logins from abroad.
  4. Multi-Job Tactics: Some DPRK IT workers hold multiple remote roles, increasing their income potential while also boosting access to diverse systems and data.

A Real Case: The Christina Chapman “Laptop Farm”

Christina Marie Chapman, an Arizona woman, was sentenced to 102 months in prison for operating a “laptop farm” that enabled North Korean cyber operatives to pose as U.S.-based IT workers. According to the Department of Justice, Chapman facilitated remote employment at 309 U.S. companies, including Fortune 500 firms, and the scheme ultimately funneled more than $17 million in illicit revenue to the DPRK.

During a raid on her property in 2023, investigators seized over 90 laptops, each linked to a specific company or stolen identity. Chapman also shipped 49 devices overseas, including to a Chinese city near the North Korean border, to further conceal the operation. The DOJ revealed that the identities of 68 U.S. individuals were stolen, causing false tax liabilities and legal headaches for innocent victims. She was ordered to forfeit approximately $284,556 intended for the DPRK and pay $176,850 in restitution.

This case illustrates how a single domestic facilitator, one person willing to host laptops and lend a U.S. address, can enable infiltration at mass scale.

The Bigger Picture: Why This Matters

While the immediate goal is revenue to fund North Korea’s nuclear weapons program, the potential long-term risk is infiltration for espionage. “Once they’re inside, they could pivot to other systems, gather intelligence, or introduce malware at the right time,” Durrin stated. That means any U.S. company hiring remote IT talent could be a target, and the threat extends to contractors and third-party vendors.

How to Defend Your Organization

Here are five actionable steps, drawn from intelligence reports and LMG Security’s own advisory experience, that can help you catch these deepfake insiders before they embed:

1. Verify Beyond the Résumé

    • Pair government ID checks with independent work history and social profile verification.
    • Use tools and services to flag synthetic or stolen identities.
    • Consider a formal Cybersecurity Risk Assessment to identify gaps in your hiring and vendor security processes.

2. Deepfake-Proof Interviews

    • Introduce unscripted identity challenges in video interviews: ask the candidate to change the lighting, turn fully to profile, pass a hand in front of their face, or hold their ID up next to their face. Real-time face-swap tools often glitch on occlusion and extreme angles, but treat a clean pass as one signal rather than proof, because the tooling improves quickly.
    • Consider using deepfake detection tools when hiring for sensitive roles.
    • Train the people making hiring decisions to recognize red flags. For example, we offer Managed KnowBe4 Employee Cybersecurity Training, which includes modules specifically for managers and HR teams on identifying social engineering and deepfake-enabled scams, in addition to general security awareness training for all employees.

3. Geolocation & Device Monitoring

    • Alert on impossible travel between consecutive logins, on unexpected VPN or proxy use that hides the true origin, and on many distinct employee accounts authenticating from the same residential IP address or device, which is the signature of a laptop farm. Shared addresses are normal for office and VPN egress, so allowlist those before you alert.
    • Ensure remote access tools and corporate VPNs log enough detail (source IP, device identifier, timestamps) to support these checks, and flag unapproved remote-control software appearing on corporate-issued endpoints, since a laptop parked at a facilitator’s address still has to be driven remotely by the operative.
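As an added example (not code from the LMG Security post or the Cyberside Chats episode), the following Python implements the two detection checks above over a constructed set of successful-login events. It assumes each event has already been enriched with geo-IP coordinates, uses RFC 5737 documentation addresses for the sample, and treats a set of known corporate egress IPs (an assumption here) as an allowlist so office NAT and VPN concentrators do not trigger the shared-endpoint check.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    """One successful authentication, already enriched with geo-IP coordinates."""
    ts: datetime
    user: str
    src_ip: str
    lat: float
    lon: float


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample log, not real telemetry. Addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # jdoe: Phoenix at 09:00, then a Shenyang geolocation 90 minutes later -> impossible travel
    LoginEvent(_utc("2025-08-11 09:00"), "jdoe", "203.0.113.7", 33.45, -112.07),
    LoginEvent(_utc("2025-08-11 10:30"), "jdoe", "192.0.2.44", 41.80, 123.43),
    # asmith: Seattle, then Portland four hours later -> plausible
    LoginEvent(_utc("2025-08-11 09:00"), "asmith", "198.51.100.10", 47.61, -122.33),
    LoginEvent(_utc("2025-08-11 13:00"), "asmith", "192.0.2.9", 45.52, -122.68),
    # three more unrelated accounts all authenticating from the same residential IP in Phoenix
    LoginEvent(_utc("2025-08-11 08:55"), "dev01", "203.0.113.7", 33.45, -112.07),
    LoginEvent(_utc("2025-08-11 09:10"), "dev02", "203.0.113.7", 33.45, -112.07),
    LoginEvent(_utc("2025-08-11 09:40"), "dev03", "203.0.113.7", 33.45, -112.07),
    # many accounts from the office egress IP -> expected, must be allowlisted
    LoginEvent(_utc("2025-08-11 09:05"), "ops01", "198.51.100.10", 47.61, -122.33),
    LoginEvent(_utc("2025-08-11 09:06"), "ops02", "198.51.100.10", 47.61, -122.33),
    LoginEvent(_utc("2025-08-11 09:07"), "ops03", "198.51.100.10", 47.61, -122.33),
]

# Assumed: known corporate office / VPN concentrator egress addresses.
CORPORATE_EGRESS = frozenset({"198.51.100.10"})


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh: float = 900.0, min_km: float = 50.0):
    """Flag consecutive logins by one account whose implied speed exceeds max_kmh.

    Hops shorter than min_km are ignored to absorb geo-IP jitter within a metro area.
    Returns a list of (user, km, hours, kmh) tuples.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev.src_ip == cur.src_ip:
                continue  # same address: nothing to compute
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append((user, round(km), round(hours, 2), round(speed)))
    return hits


def shared_endpoint(events, min_accounts: int = 3, allowlist=frozenset()):
    """Flag source IPs used by min_accounts or more distinct users, skipping known egress."""
    users_by_ip = defaultdict(set)
    for ev in events:
        if ev.src_ip in allowlist:
            continue
        users_by_ip[ev.src_ip].add(ev.user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    for user, km, hours, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"IMPOSSIBLE TRAVEL {user}: {km} km in {hours} h ({kmh} km/h)")
    for ip, users in shared_endpoint(SAMPLE_EVENTS, allowlist=CORPORATE_EGRESS).items():
        print(f"SHARED ENDPOINT {ip}: {', '.join(users)}")
```

Without the allowlist the office address 198.51.100.10 is flagged too, which is why known egress points must be enumerated before this rule goes live; in production, feed the same check with device identifiers as well as IPs, since a farm behind a carrier-grade NAT can share its address with unrelated homes.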

4. Watch for Multi-Job Signals

    • Monitor productivity anomalies, repeated delays, or identical deliverables across projects.
    • Look for deliverables that read as wholly AI-generated, but treat AI-detection tool scores as a weak signal rather than evidence, since their false-positive rates are high.

5. Vet Vendors and Contractors

    • Require equivalent screening and monitoring for all third-party providers. We can implement third-party risk management services and policy development guidance to streamline your processes.
    • Bake these requirements into contracts and risk assessments.

Why Acting Now Matters

This threat isn’t just about money laundering — it’s about securing the integrity of your workforce. With tools like generative AI and deepfake technology becoming more accessible, the cost of inaction is rising fast.

KnowBe4’s National Social Engineering Day announcement highlights the ongoing importance of security awareness, but awareness alone isn’t enough. It must be paired with robust verification, monitoring, and vendor management.

The Bottom Line

North Korea’s deepfake job scam is a wake-up call: insider threats are no longer limited to disgruntled employees or careless contractors. They now include state-sponsored actors leveraging AI to pass your hiring process and operate under your radar.

Proactive vetting, real-time interview controls, and vigilant monitoring are your best defense — but only if you start before the threat is at your digital doorstep.

If you want to ensure your hiring process and vendor relationships can withstand this type of attack, contact us, and we can help you assess and strengthen your defenses without slowing your business down.

About the Author

LMG Security Staff Writer
