Threat Intel Solutions

#### [Cyber-crime](/security/cyber_crime/)**22** You have a fake North Korean IT worker problem – here’s how to stop it======================================================================**22** Thick resumes with thin LinkedIn connections are one sign. Refusing an in-person interview is another—————————————————————————————————–[Jessica Lyons](/Author/Jessica-Lyons ‘Read more by this author’) Sun 13 Jul 2025 // 11:02 UTC [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it) [](https://twitter.com/intent/tweet?text=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it&url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it&summary=Thick%20resumes%20with%20thin%20LinkedIn%20connections%20are%20one%20sign.%20Refusing%20an%20in-person%20interview%20is%20another) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) By now, the North Korean fake IT worker problem is so ubiquitous that if you think you don’t have any phony resumes or imposters in your interview queue, you’re asleep at the wheel.’Almost every CISO of a Fortune 500 company that I’ve spoken to — I’ll just characterize as dozens that I’ve spoken to — have admitted that they had a North Korean IT worker problem,’ [said](https://www.theregister.com/2025/05/04/rsac_wrap_ai_china/) Mandiant Consulting CTO Charles Carmakal during a threat-intel roundtable, admitting that even Mandiant’s parent company Google is not immune.’We have seen this in our own pipelines,’ added Iain Mulholland, Google Cloud’s senior director of security engineering. ’We’ve certainly seen applicants that fit into this category with various IOCs -[indicators of compromise-] that we’ve shared with partners and peers,’ Snowflake CISO Brad Jones told *The Register*.  These types of scams, largely originating from North Korea, or at least funneling money back to Pyongyang, have cost American businesses at least [$88 million over six years](https://www.theregister.com/2024/12/13/doj_dpkr_fake_tech_worker_indictment/), the Department of Justice said last year.In some cases, the fraudsters use their insider access to steal proprietary source code and other sensitive data, and then extort their employers with threats to leak corporate data if not [paid a ransom demand](https://www.theregister.com/2024/10/18/ransom_fake_it_worker_scam/). As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly [targeting European employers](https://www.theregister.com/2025/04/02/north_korean_fake_techies_target_europe/), too.Nearly all executives who spoke to *The Register* in recent months have seen a flood of these types of applicants applying for open positions, most of them in engineering and software development, and all of them remote work.In some instances, the scammers even used deepfake videos in attempts to get hired, including at a security company that uses AI to find vulnerabilities in code. ‘If they almost fooled me, a cybersecurity expert, they definitely fooled some people,’ Vidoc Security Lab co-founder Dawid Moczadło told us in an [earlier interview](https://www.theregister.com/2025/02/11/it_worker_scam/).’We believe, at this point, every Fortune 100 and potentially Fortune 500 have a pretty high number of risky employees on their books,’ Socure Chief Growth Officer Rivka Little told us.### Using a fake identity…to apply for an identity jobOver the past few months, Socure has seen a ton of fake candidates applying for open jobs, according to Little, who has been leading the charge on the IT worker scam front. This seems an especially ironic choice for employment scammers, because Socure provides identity verification services to other companies.For a senior engineering role, Socure used to receive between 150 and 200 applications over three or four months. That number has recently jumped to more than 1,999 purported job seekers in a two-month period. At least some of those extra applicants have weirdly suspicious profiles.’We were in our executive meeting one Monday morning, and our chief people officer said, ‘We’re getting these super-strange resumes. They don’t seem to be connected to people who are valid. This feels like a fake identity,” Little said. ‘There were just too many disconnects.’Chief among these disconnects were ‘shallow’ LinkedIn profiles paired with ‘beefy resumes,’ she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies’ flagship products … but then only having 25 LinkedIn connections.Once the recruitment team began meeting via video conferences with some of the applicants, they noted extremely Western-sounding names, like James Anderson, paired with East Asian appearances and accented English, in much higher numbers than they expected.> He was affable, a nice guy. He was making jokes. There was nothing about him that would make me not want to work with him’You can’t profile people, so with the first few we were like, that’s interesting. But then when it was 10, 20, 30 — this is implausible at that rate and number, demographically,’ Little said. ‘We decided to follow through on a couple of candidates to really suss out what is going on here, and also to allow us to capture consent, because you can’t really dig into someone’s identity background unless you have consent to do so.’In all of these cases, Little’s team noted a number of oddities: new-ish email addresses, phone numbers that didn’t match claimed geographic locations, routing everything through a VPN, and educational backgrounds that didn’t check out.Little said she fed a handful of job applicant questions into ChatGPT and saved the chatbot’s responses for reference during the interview.’If his answers are anywhere close to these, then we’ll also know there’s a problem, and that’s exactly what happened,’ she said. ‘It was insane.’The fraudster’s answers weren’t word-for-word ChatGPT, Little noted. ‘These people are smart, they’re not unskilled, they’re sophisticated,’ she said. ‘But what he said versus what came from ChatGPT was clearly related.’Making it even more confusing, Little genuinely liked the candidate. ‘He was affable, a nice guy,’ she said. ‘He was making jokes. There was nothing about him that would make me not want to work with him.’### Spotting the patternsLittle has an interesting background in that she previously led an anti-fraud program at a bank, and also the human resources department at Socure. But, as she notes, few HR or hiring managers are also trained in cybersecurity and identity management — their job is to assess talent, not identify potential security risks.’It’s not uncommon that an HR leader wouldn’t be exposed to a CTO or a CISO or a head of fraud, and so they may be experiencing this pattern and not necessarily knowing what to do with it,’ Little said. ‘We’re a pretty small company, and so every single function in our world is together all the time. But if you’re at Pepsi, is that happening? Probably not.’Therein lies another part of the problem, according to Netskope CISO James Robinson, who told *The Register* his cloud security firm has also received fraudulent worker applications. ‘I think every CISO is struggling with: Is it a CISO problem? Or is it an organizational and, really, earlier on, an HR problem? And how to do that partnership with HR?”Security people are very aware of how to do investigations,’ Robinson continued. ‘But we’re not necessarily aware of what you can and can’t ask during an interview.’* [I’m a security expert, and I almost fell for a North Korea-style deepfake job applicant …Twice](https://www.theregister.com/2025/02/11/it_worker_scam/)* [US sanctions alleged North Korean IT sweatshop leader](https://www.theregister.com/2025/07/09/us_sanctions_north_korean_it/)* [North Korean dev who renamed himself ‘Bane’ accused of IT worker fraud caper](https://www.theregister.com/2025/01/24/north_korean_devs_and_their/)* [North Korea’s fake IT worker scam hauled in at least $88M over six years](https://www.theregister.com/2024/12/13/doj_dpkr_fake_tech_worker_indictment/)Once Netskope began receiving resumes that seemed to use stolen or fake identities with an extra-AI polish boost, Robinson set up a briefing with the local FBI and included not only security but also HR and legal in the meeting. ‘And we started working on a plan that we can use during the screening phase,’ he said.The team also shared this plan with outside recruitment agencies to help them verify that an applicant was who they purported to be.’The recruiters started to identify profiles that were being created off of someone else’s profile — the company is different, but the name is similar to someone else’s name, the job experience is the same,’ Robinson said.As a company that provides services for remote workers, Netskope also wants to support its own remote workforce, which presents its own set of struggles when trying to verify employees.’We require people to come to the office to pick up their computer,’ Robinson said as an example. The firm’s hiring team also reached out to their peers to discuss best practices to avoid becoming a North Korean IT worker scam victim. This included requiring in-person onboarding, double- and even triple-checking addresses before shipping work computers, and only shipping them to registered home addresses.’Also, funny enough, it’s not just catching something that is happening late-stage, but also catching something that is causing the applicant to just pass on the job,’ he added. ‘The fraudulent applicants will usually say, ‘I can’t do that.’ They just pass.’This was Socure’s experience, too. After stringing one suspected scammer along throughout the interview process, Little told the fake IT worker, ”We’re going to do a document verification with you. So the next time we meet, please be ready, it’s very simple, we’ll send you a bar code, and you can do it from your device.’ He never showed up.’And, yes, AI can help — not only the bad guys, but also the organizations doing the hiring, according to Jones.’The Snowflake security team partners with peer organizations, security threat intelligence vendors, and government agencies to curate an aggregated IOC data set that is integrated into the resourcing tools used by our recruiting tools,’ he said.These IOCs, or indicators of compromise, include email addresses, physical addresses, and phone numbers that have been flagged as associated with non-legitimate candidates.It’s also important to train what Jones calls the ‘human firewall,’ the people reviewing and interviewing candidates, to look for warning signs, too.’Initially, this could include a resume that looks too good to be true, like having experience in every technology or hot product on the market,’ Jones explained. ‘During screening, there are other indicators, such as large delays when answering questions — such as someone or something doing translation and research — confusing products or technologies, as well as environmental signs such as being in a call center.’The final step is always an in-person interview. ‘Any excuses for why they would not be able to facilitate this is another red flag,’ he said. ‘Given our collaboration with peers, third-parties, and government agencies, we believe no nefarious candidates have progressed beyond our first interaction with our human firewall.’However, criminals are a wily, adaptive bunch. Once one gang notices a certain technique or tactic is successfully raking in money for a rival gang (think: ransomware), they are likely to adopt a similar illicit business strategy.’Yes, it’s connected to North Korea, but is it going to stay that way? Definitely not,’ Little said. ‘It will come from all kinds of bad actors. Any organized crime ring will figure out that this is a way in, and will start to hit it.’ ® [Sponsored: Is your password ecosystem ready for the regulators?](https://go.theregister.com/tl/3211/shttps://www.theregister.com/2025/07/08/password_ecosystem_regulators/) Share [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it) [](https://twitter.com/intent/tweet?text=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it&url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it&summary=Thick%20resumes%20with%20thin%20LinkedIn%20connections%20are%20one%20sign.%20Refusing%20an%20in-person%20interview%20is%20another) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) #### More about* [Cybercrime](/Tag/Cybercrime/)* [Fraud](/Tag/Fraud/)* [North Korea](/Tag/North%20Korea/) More like these × ### More about* [Cybercrime](/Tag/Cybercrime/)* [Fraud](/Tag/Fraud/)* [North Korea](/Tag/North%20Korea/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [DEF CON](/Tag/DEF%20CON/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [End Point Protection](/Tag/End%20Point%20Protection/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Personally Identifiable Information](/Tag/Personally%20Identifiable%20Information/)* [Phishing](/Tag/Phishing/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Ransomware](/Tag/Ransomware/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) ### Broader topics* [APAC](/Tag/APAC/) #### More aboutShare [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it) [](https://twitter.com/intent/tweet?text=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it&url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=You%20have%20a%20fake%20North%20Korean%20IT%20worker%20problem%20-%20here%27s%20how%20to%20stop%20it&summary=Thick%20resumes%20with%20thin%20LinkedIn%20connections%20are%20one%20sign.%20Refusing%20an%20in-person%20interview%20is%20another) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/07/13/fake_it_worker_problem/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) **22** COMMENTS #### More about* [Cybercrime](/Tag/Cybercrime/)* [Fraud](/Tag/Fraud/)* [North Korea](/Tag/North%20Korea/) More like these × ### More about* [Cybercrime](/Tag/Cybercrime/)* [Fraud](/Tag/Fraud/)* [North Korea](/Tag/North%20Korea/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [DEF CON](/Tag/DEF%20CON/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [End Point Protection](/Tag/End%20Point%20Protection/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Personally Identifiable Information](/Tag/Personally%20Identifiable%20Information/)* [Phishing](/Tag/Phishing/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Ransomware](/Tag/Ransomware/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) ### Broader topics* [APAC](/Tag/APAC/) #### TIP US OFF[Send us news](https://www.theregister.com/Profile/contact/)[#### US sanctions alleged North Korean IT sweatshop leaderTurns out outsourcing coders to bankroll Kim’s nukes doesn’t jibe with Uncle SamCyber-crime4 days -| 4](/2025/07/09/us_sanctions_north_korean_it/?td=keepreading) [#### Now everybody but Citrix agrees that CitrixBleed 2 is under exploitAdd CISA to the listPatches3 days -| 3](/2025/07/10/cisa_citrixbleed_kev/?td=keepreading) [#### Iranian ransomware crew reemerges, promises big bucks for attacks on US or IsraelTells would-be affiliates they don’t need to worry because cyberattacks don’t violate a cease fireSecurity5 days -| 7](/2025/07/09/iranian_ransomware_crew_reemerges/?td=keepreading) [#### Why rapid proliferation of cloud native apps requires faster, more efficient toolsetsKubernetes enables easy, rapid AI app development, making it the industry standard for AI workloadsSponsored feature](/2025/05/13/nutanix_cloud_native_ai_apps/?td=keepreading) [#### Massive browser hijacking campaign infects 2.3M Chrome, Edge usersupdated These extensions weren’t malware-laced from the start, researcher saysResearch5 days -| 38](/2025/07/08/browser_hijacking_campaign/?td=keepreading) [#### CitrixBleed 2 exploits are on the loose as security researchers yell and wave their handsNetScaler vendor issued a patch but otherwise, stony silencePatches6 days -| 5](/2025/07/07/citrixbleed_2_exploits/?td=keepreading) [#### Suspected Scattered Spider domains target everyone from manufacturers to ChipotlePlus: Qantas makes contact with ‘potential cyber criminal’Security6 days -| 3](/2025/07/08/suspected_scattered_spider_domains_target/?td=keepreading) [#### Crims are posing as insurance companies to steal health records and payment infoTaking advantage of the ridiculously complex US healthcare billing systemCyber-crime16 days -| 7](/2025/06/27/patients_providers_records_payment_scam/?td=keepreading) [#### At last, a use case for AI agents with sky-high ROI: Stealing cryptoBoffins outsmart smart contracts with evil automationAI + ML3 days -| 14](/2025/07/10/ai_agents_automatically_steal_cryptocurrency/?td=keepreading) [#### Aloha, you’ve been pwned: Hawaiian Airlines discloses ‘cybersecurity event’update ‘No impact on safety,’ FAA tells *The Reg*Cyber-crime16 days -|](/2025/06/27/aloha_youve_been_pwned_hawaiian/?td=keepreading) [#### CVSS 10 RCE in Wing FTP exploited within 24 hours, security researchers warnIntruders looked up how to use curl mid-attack – rookie errors kept damage minimalPatches2 days -| 10](/2025/07/11/1010_wing_ftp_bug_exploited/?td=keepreading) [#### US shuts down a string of North Korean IT worker scamsResulting in two indictments, one arrest, and 137 laptops seizedCyber-crime13 days -| 1](/2025/06/30/us_north_korea_workers/?td=keepreading)

Related Tags:
Octo Tempest

NAICS: 551 – Management Of Companies And Enterprises

NAICS: 55 – Management Of Companies And Enterprises

NAICS: 54 – Professional

Scientific

Technical Services

NAICS: 334 – Computer And Electronic Product Manufacturing

NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 33 – Manufacturing – Metal

Electronics And Other

NAICS: 51 – Information

Associated Indicators: