North Korean operatives are successfully infiltrating hundreds of Western companies by posing as remote IT workers, according to a new report from cybersecurity leader CrowdStrike. This surge in fraudulent employment is designed to generate illicit revenue for the regime’s sanctioned nuclear weapons program.
A 220% Spike in Fraudulent Hiring
Data from CrowdStrike’s 2025 threat-hunting report reveals a staggering 220% increase in incidents over the past year. Researchers identified more than 320 cases where North Korean nationals secured developer roles at Western firms under false pretenses. These operatives leverage fabricated identities, forged resumes, and falsified work histories to bypass hiring scrutiny.
The “Famous Chollima” Modus Operandi
CrowdStrike, which tracks these actors under the designation “Famous Chollima,” notes that the sophistication of these schemes is evolving. The operatives increasingly utilize generative AI to polish resumes and deploy deepfake technology to manipulate their appearance during remote video interviews.
Beyond simple salary theft, the infiltration poses a severe cybersecurity risk. Once embedded, these workers gain internal access to corporate networks, allowing them to exfiltrate proprietary data and stage extortion attempts against their employers.
Combating the Infiltration
While the exact number of North Korean IT workers currently embedded in U.S. companies remains unknown, experts estimate the figure reaches into the thousands. To mitigate this threat, CrowdStrike emphasizes the need for rigorous identity verification during the recruitment process.
Some organizations have adopted unconventional screening methods, such as asking candidates to express critical opinions regarding North Korean leader Kim Jong Un. Because these workers are under constant state surveillance, such requests often force them to abandon the application, effectively flagging them as fraudulent.
Crackdown on “Laptop Farms”
The U.S. Department of Justice has intensified efforts to dismantle the infrastructure supporting these operations. This includes targeting facilitators who manage “laptop farms”—racks of devices that allow North Korean operatives to tunnel their connections through the U.S., making it appear as though they are working from domestic locations.
As detailed in a June indictment, one identified operation successfully compromised the identities of 80 Americans between 2021 and 2024 to secure positions at over 100 U.S. companies. Such enforcement efforts remain a critical priority as the regime continues to fund its military ambitions through global corporate exploitation.
