Here Is What That Looks Like From an Investigator’s Perspective.
The DPRK remote IT worker scheme is not a cybersecurity problem. It is an identity fraud problem at state scale. The tools that can detect and attribute it are the same tools built for investigating threat actors, not screening job applicants.
Research published in March 2026 by IBM X-Force and Flare mapped the full operational infrastructure behind North Korea’s remote IT worker program, a scheme in which DPRK operatives secure employment at companies across North America and Western Europe using stolen and fabricated identities, then use that access to generate revenue for Pyongyang’s weapons programs, steal sensitive data, and in some cases extort their employers after departure.
The scale is difficult to overstate. IBM X-Force and Flare estimate more than 100,000 North Korean workers are deployed across 40 countries. Facilitators submit up to 400 job applications per day per operative across LinkedIn, Indeed, and Dice. Individual workers earn upwards of $300,000 per year. The program generates approximately $500 million annually for the regime. One operation alone, prosecuted by the DOJ, infiltrated more than 300 U.S. organizations including government agencies using the stolen identities of 68 Americans, which prosecutors called the largest identity theft case of its kind.
This is not a new threat. What is new is the scale, the sophistication, and the explicit targeting of larger organizations. CrowdStrike documented a 220% increase in 2025 in DPRK operatives gaining fraudulent employment at Western companies. The DOJ has formally declared the issue a code red. DPRK operatives are now applying to remote positions using real LinkedIn accounts belonging to individuals they are impersonating, complete with verified workplace emails and identity badges.
The framing that most organizations apply to this threat is wrong. They treat it as an HR screening problem. It is an identity intelligence problem, and it requires a different set of tools to detect, investigate, and attribute.
The Identity Fabrication Playbook
The IBM X-Force and Flare research gives the most detailed public account of how DPRK operatives construct and maintain their identities. Understanding the mechanics is essential to understanding where intelligence-led detection can intervene.
Identity construction. Operatives begin with either a stolen real identity, obtained through identity theft of an actual person, often an American with plausible credentials, or a fabricated identity built from assembled components. Stock photos are edited with AI-generated faces. Resumes are built by looking up real local companies and universities to manufacture plausible work histories. LinkedIn profiles are populated with verified-seeming connection networks.
Technical infrastructure. The operative’s device, shipped by the employer, arrives at a Western collaborator who sets up remote access tools allowing the North Korean operative to dial in from China, Russia, or Laos. The session appears to originate from a domestic IP address on a device registered to the expected location. One physical machine can host multiple simultaneous identities.
Scale through facilitation. Recruiters present the scheme to unwitting Western collaborators as an early-stage startup opportunity. Collaborators receive employer laptops, complete I-9 paperwork using the fabricated identity, pass background checks, handle payroll, and in some cases take employment drug tests. The operative never appears in person at any stage.
Access exploitation. Once employed, operatives perform their assigned work while pursuing one or more secondary goals: steady revenue extraction, intellectual property theft, or access accumulation for future exploitation. At contract end, some operatives extort former employers by threatening to release proprietary data, having exfiltrated it during their tenure.
Why Traditional Screening Fails
The DPRK IT worker program has been specifically engineered to defeat the controls that most organizations use to verify identity and assess risk in hiring.
- Background checks verify that a name and Social Security number match. When the operative is using a real American’s stolen identity, that check passes.
- I-9 verification confirms that a person has documents. When a Western collaborator completes the I-9 with real identity documents belonging to the stolen identity, the verification passes.
- Video interviews are conducted by the operative using AI face-changing software, or in some cases by a different person while the actual worker handles the technical questions through a separate channel.
- LinkedIn profile verification confirms the profile exists and has connections. A profile built over time with manufactured history and real connection accumulation passes this check.
- Reference checks contact people listed as references. Those references are other operatives or collaborators prepared to provide verification.
The U.S. Attorney for DC put it directly: your tech sectors are being infiltrated by North Korea, and when companies are not doing their due diligence, they are putting America’s security at risk. The implied challenge is that due diligence as traditionally defined is insufficient. The problem is not effort. It is method.
The Identity Intelligence Approach
The DPRK IT worker scheme is, at its core, an identity attribution problem. The operatives maintain multiple fabricated identities simultaneously, reuse identity components across personas, and leave traces across digital channels that a sufficiently comprehensive identity intelligence platform can surface and connect.
Constella Hunter is built for exactly this class of problem. Where traditional HR screening asks whether a presented identity is valid on its face, identity intelligence asks whether the underlying digital footprint is coherent, consistent, and human.
The relevant investigative questions for each candidate or contractor are the same questions any Hunter investigation begins with:
- Does the email address associated with this identity have a believable history? An email address created recently, with no breach history, no forum registrations, and no digital footprint consistent with years of professional activity is a signal. Constella’s data lake holds 54.6 billion records across 15 years and 125 countries. A real person’s email address appears in it somewhere. A fabricated one often does not.
- Does the digital identity cohere across platforms? Hunter connects identity signals across breach data, forum activity, credential leaks, device fingerprints, and behavioral patterns. An operative maintaining multiple personas simultaneously will exhibit anomalies in how those identities cohere across platforms that a single, real person would not.
- What does the device and network fingerprint tell us? The remote access infrastructure DPRK operatives use (VPNs, North Korean-specific tools like OConnect and NetKey, and virtual machines accessed through collaborator hardware) leaves fingerprints. Hunter’s ability to correlate device identifiers (HWIDs) across infostealer logs and breach data surfaces exactly this kind of infrastructure reuse.
- Are there connections to known threat actor infrastructure? DPRK operatives reuse infrastructure across campaigns. An email address or device fingerprint that appears in Constella’s data lake connected to known threat actor activity, underground forums, or credential marketplaces is a signal no background check would surface.
- Does the claimed employment history verify against breach and forum data? A candidate claiming to have worked at a major technology company for five years will have left digital traces consistent with that employment: email addresses tied to corporate domains, forum registrations from that period, and credential exposures. An operative who fabricated that history will not have those traces. The absence of expected signals is itself investigative data.
The Investigative Workflow
For organizations that have already onboarded remote contractors or are concerned about existing exposure, Hunter supports a retrospective investigation workflow that traditional screening cannot.
Starting from a name, an email address, or a phone number provided during onboarding, Hunter can expand the digital footprint in seconds: identifying associated aliases, connected email addresses, forum registrations, device fingerprints from infostealer logs, credential exposures, and behavioral patterns. Investigations that would require a senior analyst two hours of manual pivoting across fragmented data sources complete in seconds.
For organizations conducting ongoing due diligence on contractors with access to sensitive systems, Hunter enables continuous monitoring: alerts when a contractor’s associated identity signals appear in new breach data, when associated email addresses register on high-risk forums, or when device fingerprints appear in infostealer packages.
For law enforcement and national security teams already investigating the DPRK IT worker scheme, Hunter provides the attribution layer that connects individual personas to broader infrastructure, maps the relationships between facilitators and operatives, and surfaces the identity reuse patterns that link apparently separate fraud operations to common actors.
What Organizations Should Do Now
- Treat remote contractor onboarding as an identity investigation, not a credential verification. The question is not whether the documents are real. For stolen identities, they are. The question is whether the digital footprint behind the identity is consistent with the claimed history. That requires identity intelligence, not document review.
- Make the HR-security handoff explicit and operational. The IBM X-Force and Flare report is explicit: defending against DPRK IT worker infiltration is not solely a security team responsibility. It requires a joint process between HR, security, hiring managers, and investigators. That joint process needs shared tools and shared intelligence, not separate workflows.
- Flag specific technical signals in the interview and onboarding process. The research identifies concrete indicators: requests to use personal devices rather than employer hardware, use of known North Korean VPN tools (OConnect, NetKey, IP Messenger), requests to redirect payroll to cryptocurrency, reluctance to appear on video or video that consistently shows significant lag or quality issues, and shipping addresses that do not match the claimed location.
- Investigate anomalies during employment, not just at onboarding. DPRK operatives who successfully pass onboarding continue to exhibit behavioral patterns during employment: unusual access patterns, work activity that appears to originate from multiple simultaneous sessions, communication patterns inconsistent with the claimed time zone. Continuous identity monitoring and behavioral analysis close this gap.
- If you suspect existing infiltration, treat it as an insider threat investigation. Organizations that discover a DPRK operative already employed should engage security operations, legal, and law enforcement before taking action. Premature disclosure to the operative allows destruction of evidence and identity abandonment. Hunter’s attribution capabilities support the forensic investigation that follows.
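As an added example (not code from the original post or from Constella), the script below turns the onboarding indicators and in-employment behavioral patterns listed above into a triage check a security team could run over its own records: it compares the laptop shipping location with the claimed location, flags personal-device and crypto-payroll requests, matches the software inventory against the tool names the report cites, and then scans constructed session logs for overlapping sessions of one identity from different network origins and for activity that falls mostly outside working hours in the claimed time zone. The record and session layouts, the ASN labels, and the 07:00 to 20:00 working-hours window are assumptions for illustration; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Tool names the cited research associates with DPRK operatives (from the post above).
KNOWN_DPRK_TOOLS = {"oconnect", "netkey", "ip messenger"}


@dataclass
class OnboardingRecord:            # hypothetical layout of an HR/onboarding export
    contractor_id: str
    claimed_location: str
    claimed_utc_offset: int        # hours from UTC for the claimed location
    laptop_ship_location: str
    asked_for_personal_device: bool
    payroll_destination: str       # "bank" or "crypto"
    installed_tools: List[str]


@dataclass
class Session:                     # hypothetical remote-access / VPN session record
    contractor_id: str
    start: datetime                # UTC, timezone-aware
    end: datetime
    source_asn: str                # constructed label for the session's network origin


def onboarding_flags(rec: OnboardingRecord) -> List[str]:
    """Indicators visible before the contractor ever logs in."""
    flags = []
    if rec.laptop_ship_location != rec.claimed_location:
        flags.append("shipping_location_mismatch")
    if rec.asked_for_personal_device:
        flags.append("personal_device_request")
    if rec.payroll_destination == "crypto":
        flags.append("payroll_to_crypto")
    tools = {t.lower() for t in rec.installed_tools} & KNOWN_DPRK_TOOLS
    if tools:
        flags.append("known_tool:" + ",".join(sorted(tools)))
    return flags


def concurrent_sessions(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Pairs of sessions of the same contractor that overlap in time but come from
    different network origins: one persona apparently active in two places at once."""
    hits = []
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.contractor_id, []).append(s)
    for sess in by_user.values():
        sess.sort(key=lambda s: s.start)
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if b.start >= a.end:     # sorted by start, so later ones cannot overlap a
                    break
                if a.source_asn != b.source_asn:
                    hits.append((a.source_asn, b.source_asn))
    return hits


def off_hours_fraction(sessions: List[Session], utc_offset: int) -> float:
    """Share of session starts outside 07:00-20:00 in the claimed local time zone."""
    if not sessions:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset))
    off = sum(1 for s in sessions if not 7 <= s.start.astimezone(tz).hour < 20)
    return off / len(sessions)


def assess(rec: OnboardingRecord, sessions: List[Session]) -> Dict:
    """Combine onboarding and behavioral indicators into one triage result."""
    mine = [s for s in sessions if s.contractor_id == rec.contractor_id]
    flags = onboarding_flags(rec)
    if concurrent_sessions(mine):
        flags.append("concurrent_sessions_from_different_origins")
    off = off_hours_fraction(mine, rec.claimed_utc_offset)
    if off > 0.5:
        flags.append("majority_off_hours_for_claimed_timezone")
    return {"contractor_id": rec.contractor_id, "flags": flags,
            "off_hours_fraction": round(off, 2)}


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample data: one unremarkable contractor and one that trips every indicator.
CLEAN = OnboardingRecord("c-001", "Denver, CO, US", -7, "Denver, CO, US",
                         False, "bank", ["Slack", "VS Code"])
SUSPECT = OnboardingRecord("c-002", "Austin, TX, US", -6, "Nashville, TN, US",
                           True, "crypto", ["Slack", "OConnect"])
SESSIONS = [
    Session("c-001", ts("2026-03-02 15:00"), ts("2026-03-02 23:00"), "AS-RESIDENTIAL-US"),
    Session("c-001", ts("2026-03-03 15:30"), ts("2026-03-03 23:00"), "AS-RESIDENTIAL-US"),
    Session("c-002", ts("2026-03-02 02:00"), ts("2026-03-02 06:00"), "AS-RESIDENTIAL-US"),
    Session("c-002", ts("2026-03-02 03:00"), ts("2026-03-02 05:00"), "AS-VPN-EXIT"),
    Session("c-002", ts("2026-03-02 15:00"), ts("2026-03-02 19:00"), "AS-RESIDENTIAL-US"),
    Session("c-002", ts("2026-03-03 04:00"), ts("2026-03-03 07:00"), "AS-VPN-EXIT"),
]

if __name__ == "__main__":
    for rec in (CLEAN, SUSPECT):
        print(assess(rec, SESSIONS))
```

None of these indicators is conclusive on its own (a genuine contractor can travel or work late), which is why the output is a list of flags for an investigator rather than a verdict; the post's point is that the flags should route the identity to an investigation, not to a rejection letter.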
The Broader Identity Fraud Landscape
The DPRK IT worker scheme is the most documented and state-organized example of identity fraud at enterprise scale, but the underlying attack pattern, fabricated or stolen identities used to gain trusted access to organizations, is not unique to North Korea. The same techniques (stolen identity components, AI-assisted profile construction, infrastructure designed to defeat location verification) apply to a range of threat actors operating for financial, intelligence, and espionage purposes.
The identity intelligence approach that Hunter enables for the DPRK problem is the same approach that applies to insider threat investigations, fraud ring attribution, vendor impersonation, and the full range of identity-driven intrusions that Constella’s 2026 Identity Breach Report documents as the dominant attack pattern of the current era. Attackers no longer break in. They log in, they apply, they onboard, and they operate inside trusted environments using identities that traditional verification cannot distinguish from legitimate ones.
The investigation starts with identity. Hunter is where that investigation begins.
Schedule a Demo
See how Constella Hunter accelerates identity attribution investigations, surfaces fabricated digital footprints, and connects the signals that traditional screening misses.
Sources: IBM X-Force and Flare Research, Inside the North Korean Infiltrator Threat (March 2026); Help Net Security (March 19, 2026); The Register (March 18, 2026); NBC News (March 2026); The Hacker News (February 11, 2026). Statistics: CrowdStrike 2026 Global Threat Report.