Summary
The Federal Bureau of Investigation (FBI) is providing an update to previously shared guidance regarding Democratic People's Republic of Korea (North Korea) Information Technology (IT) workers to raise public awareness of the threat posed to U.S. businesses. North Korea is evading U.S. and U.N. sanctions by targeting private companies to illicitly generate substantial revenue for the regime. North Korean IT workers use a variety of techniques to disguise their identities, including leveraging U.S.-based individuals, both witting and unwitting, to gain fraudulent employment and access to U.S. company networks to generate this revenue.
These witting and unwitting U.S.-based individuals provide a U.S.-based location for companies to send devices, enabling North Korea to circumvent controls companies may have in place to prevent the hiring of illicit, overseas workers as well as controls intended to prevent unauthorized access to company networks by North Korean IT workers, including through the unauthorized installation of remote access software. North Korean IT workers' activities illegally violate U.S. and U.N. sanctions and threaten the security of the targeted companies. Companies that outsource IT work to third-party vendors can face additional vulnerabilities since these companies are removed from the direct hiring process.
Specifically, U.S.-based facilitators have provided the following services to North Korean IT workers:
- A U.S.-based internet connection enabled through U.S. company laptops received on their behalf by facilitators in the United States.
- Setup of U.S.-based infrastructure, including by enabling remote desktop connections to U.S. company laptops through protocols or remote desktop connection software download and installation.
- Reshipment of U.S. company laptops to North Korean IT workers overseas.
- Setup of financial accounts for North Korean IT workers. Some U.S.-based facilitators receive shares of the proceeds earned through North Korean IT worker employment schemes.
- Creation of accounts on popular job search sites for use by North Korean IT workers.
- Assistance purchasing and funding web services, such as artificial intelligence models and background check programs for use by North Korean IT workers.
- Attendance at virtual interviews and meetings on behalf of North Korean IT workers; and
- Creation of U.S.-based front businesses, including businesses purporting to offer short-term technical contract workers.
Tips to Protect Your Business
Scrutinize identity verification documents
Check for misspellings and cross-reference photographs and contact information (e.g. phone numbers, addresses, emails, etc.) with social media profiles, portfolio websites, and payment platforms.
Verify prior employment and education
Verify prior employment and higher education history directly with businesses and educational institutions.
Require in-person meetings
When possible, mandate in-person drug tests or fingerprinting to verify identity and claimed location. If needing to rely on virtual meetings:
- Mandate video and request that their backgrounds be unobscured.
- Have the individual point the camera out a window and ask questions about their claimed current location and the location listed on their identification documents.
- Ask the individual to wave their hand in front of their face as it may prompt a malfunction in AI generated video.
Capture images of individuals
Capture images for comparison with future meetings. Sometimes an individual is employed to pass the initial interview, but the on-the-job work is completed by a different individual.
Analyze payment methods
Compare payment accounts of all employees, flagging those using similar documentation to establish accounts or with matching banking information. Monitor employees who change their bank accounts often, due to banks closing accounts of concern. Beware of agreements to pay employees using virtual currency, which enables funds to be transferred internationally without high levels of scrutiny.
Shipping work related materials
If sending documents or work-related equipment such as a laptop, only send to the address listed in the employee's identification documents. If the employee requests delivery to a different address, require additional documentation to verify the address. Additionally, do not grant access to any systems until the background check is completed.
Contracted IT workers
If your company employs contracted IT workers that have been hired by a third-party company, seek to educate the third-party company about this guidance. Contract IT work is a common way that North Korean IT workers procure employment.
Contact your local FBI Field Office Private Sector Coordinator
Building and maintaining a working relationship with your FBI Private Sector Coordinator allows beneficial collaboration and information-sharing between the FBI and the private sector; while mitigating threats through longstanding, mutually beneficial partnerships.
Reporting
Report suspected North Korean IT worker activities to:
- Your local FBI Field Office: www.fbi.gov/contact-us/field-office
- FBI's Internet Crime Complaint Center: www.ic3.gov
- FBI tip line: 1-800-CALL-FBI (225-5324)
Reference
In 2022 and 2023 the United States, along with foreign partners, issued public advisories involving North Korean IT workers that described how they operate and provided red flag indicators along with due diligence measures for businesses to avoid hiring North Korean IT workers.
In 2024 and 2025 FBI provided further guidance regarding North Korean IT workers and their use of witting and unwitting US-based individuals.