North Korean IT operatives are increasingly using artificial intelligence tools to pose as remote workers, win jobs, and draw salaries from European companies, the Financial Times reported, citing cyber security experts who said the threat is spreading beyond the United States.

The newspaper said the “fake worker” scheme is tied overwhelmingly to North Korea and has become part of a broader effort by Kim Jong Un’s regime to generate hard currency through deception. According to the report, North Korean operatives posing as remote workers infiltrated more than 300 U.S. companies between 2020 and 2024, generating at least $6.8 million for Pyongyang, based on U.S. Department of Justice figures cited by the FT.

Jamie Collier, lead adviser in Europe at Google Threat Intelligence Group, told the FT that such operations are expanding into Europe, including North Korean agents establishing “laptop farms” in Britain.

“Recruitment has not naturally been seen as a security issue, so it’s an area of weakness in companies’ systems and these operatives are targeting that vulnerability,” Collier told the newspaper. “When we had to tell a client that one of their workers was actually a fake North Korean operative, the feedback was ‘are you 100 percent sure, because he’s one of our best employees’.”

An October report by blockchain analysis firm Chainalysis found that DPRK workers were often placed in positions abroad by the sanctioned Chinyong (Jinyong) IT Cooperation Company and used VPNs, forged or stolen IDs, and AI-generated voices and faces to pass remote-hiring checks. On-chain patterns showed “salary-like” payments, frequently around $5,000 at near-monthly intervals and often requested in stablecoins favored by OTC brokers, the company said. 

North Korean perpetrators ultimately funneled their salaries through decentralized exchanges, cross-chain bridges, and mainstream exchanges to break up audit trails before the funds were commingled with other illicit proceeds, according to Chainalysis. 

Such scams typically begin with stolen or borrowed identities, including dormant LinkedIn accounts that are hijacked or accessed with the accountholder’s consent, the FT reported. Operatives then forge resumes and identity documents, use accomplices to generate endorsements and deploy AI-generated masks, avatars, and deepfake video filters to improve their chances in remote interviews, the newspaper said.

Alex Laurie, chief technology officer at Ping Identity, told the FT that large language models had significantly improved the plausibility of false applicants by helping them create culturally appropriate names, email formats, and communications that avoid obvious linguistic or cultural warning signs.

After companies tightened remote hiring procedures because of concerns over AI-assisted applicants, North Korean operatives adapted by paying “facilitators”—real people—to sit for online interviews on their behalf, the FT reported.

The newspaper said the next stage often involves intercepting laptops sent by employers to new hires, allowing operatives to log in remotely and use large language models and chatbot commands to carry out work, sometimes while holding multiple jobs.

On Thursday, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on six individuals and two entities for their alleged roles in North Korean government-orchestrated IT worker schemes that Treasury said systematically defraud U.S. businesses and generated nearly $800 million in 2024. The funds were used to support Pyongyang’s weapons of mass destruction programs, OFAC said. 

Read more at the Financial Times