Continued Remote Hiring Concerns in IT Sector: What to Look for in 2025 and How to Mitigate Business Risk

Remote worker fraud is expected to continue to proliferate in 2025. Fully remote hiring and work, particularly in the technology sector, continues to pose unique business and legal risks for companies. Just in December 2024, a federal court in St. Louis indicted 14 nationals of the Democratic People’s Republic of Korea (DPRK) for infiltrating organizations throughout the United States via a fraudulent hiring and work scheme. The recent indictment is just another indicator that these schemes will continue into 2025 as remote workers continue to compromise organizations to raise funds for foreign operations, like North Korea’s nuclear program. The infiltration by such workers continues to pose unique cybersecurity risks to employers and consequently their customers and employees.

Mandiant, now part of Google Cloud, has been tracking and reporting on IT workers operating on behalf of the DPRK since 2022. In a report issued in September 2024, Mandiant dives into the fraudulent scheme that is trending in the IT workforce. 2024 alone saw an increase in the fraudulent scheme that is the subject of Mandiant’s report. In addition to the December 2024 indictment out of Missouri, there were efforts across the country leading to additional arrests and charges for various DPRK activity, including arrests in Tennessee arising from DPRK activity associated with a Nashville-based laptop farm, and separate charges, seizures, and arrests in Washington DC, including the prosecution of an Arizona woman who participated in a scheme that impacted over 300 U.S. companies.

KnowBe4, a self-reported victim of such a scheme, gave a chilling account of its experience of hiring a software engineer for its internal IT AI team who was hired using a valid but stolen U.S.-based identity with an “enhanced” AI photo. The worker immediately started to download malware after receiving their Mac workstation at an “IT mule laptop farm.” The worker manipulated session history files, transferred potentially harmful files, executed unauthorized software, and used a Raspberry Pi to download malware. As KnowBe4 notes, the scam is that these individuals are actually doing work, getting well-paid, and giving large amounts of money to North Korea to fund their illegal programs.

Reports seem consistent in describing this conspiracy carried out by foreign actors. At a high level, IT workers from DPRK are contracted to enter the remote workforce in the U.S. using false identities to obtain jobs and transfer the money they earn back to their home country. So far, there is no reporting that the DPRK IT workers are exfiltrating data, but they certainly could with the access they have. As the scheme continues to grow, however, the concern for exfiltrating data and targeting more personal information increases.

The individuals infiltrating the U.S. workforce are usually skilled IT workers, which can make detection of the scheme more difficult. To get hired, the DPRK IT workers usually have a robust resume with foreign education credentials, fake references, and often stolen, but modified, U.S. identification. The DPRK IT workers may even pass background checks and attend remote onboarding sessions with video cameras on. Once hired, the DPRK IT worker is sent a laptop or other company equipment; the IT worker then often partners with U.S.-based individuals to assist in masking their alleged presence in the country. From what the U.S. government has described in various public filings, the U.S.-based persons run so-called “laptop farms” to make it appear that computers used by the DPRK nationals are logging in from the United States. These individuals often secure multiple jobs across numerous companies.

Both private companies and the government have issued various guidelines and concerns about the growing threat of hiring bad actors from DPRK. In 2022, the U.S. Department of State, in connection with the U.S. Department of the Treasury and the Federal Bureau of Investigation, released an initial advisory (since updated) on the exact scheme Mandiant has studied.

More recently, the New York State Department of Financial Services (NYDFS) issued their own industry letter in November 2024 – another sign that the fraud scheme is a growing concern in 2025. The DFS industry letter repeated similar concerns regarding repeated attempts by threat actors from DPRK seeking IT jobs at U.S.-based companies.

So, what are the things to look out for? What are companies supposed to do when a threat is suspected? Unfortunately, there is no guaranteed way to eliminate the risk of DPRK hires. However, using the numerous resources available and implementing a comprehensive approach to identify potential red flags during and after the hiring process is critical to detecting possible IT worker fraud.

Known red flags to look out for:

  • Inconsistencies in name spelling, nationality, claimed work location, contact details, education history, work history, and social media profiles;
  • Unwillingness to appear on camera;
  • Concerns about meeting in person or an inability to do so;
  • Language preferences do not match the region the individual claims to be from;
  • Shipping address for the laptop is different than the location listed on hiring materials;
  • Multiple logins into one account from various IP addresses in a short period of time;
  • Use of remote desktop sharing software;
  • Work hours are not regular business hours; or,
  • Installation of “mouse jiggler” software.

A robust vetting process and IT monitoring can help identify these flags for management’s attention.
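As an added illustration (not part of the original alert), the sketch below shows how IT monitoring could surface two of the flags listed above from sign-in records: one account logging in from several IP addresses in a short period, and logins that fall outside business hours at the location the hire claims. The log format, account names, UTC offsets, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (UTC time, account, source IP), not real data.
SAMPLE_LOG = """\
2025-01-13T14:02:11Z alice 198.51.100.10
2025-01-13T14:40:03Z alice 198.51.100.10
2025-01-13T15:05:00Z bob 203.0.113.7
2025-01-13T15:20:41Z bob 192.0.2.44
2025-01-13T15:48:09Z bob 198.51.100.93
2025-01-14T07:30:00Z carol 192.0.2.200
2025-01-14T08:10:00Z carol 192.0.2.200
2025-01-14T21:15:00Z alice 198.51.100.10
"""
# Constructed HR record: UTC offset of the location each hire claims to work from.
CLAIMED_UTC_OFFSET = {"alice": -6, "bob": -5, "carol": -5}

def parse(log_text):
    """Return (timestamp, account, ip) tuples from whitespace-separated lines."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, ip) for ts, acct, ip in rows]

def multi_ip_accounts(events, window=timedelta(hours=1), min_ips=3):
    """Accounts seen from >= min_ips distinct IPs inside any sliding window."""
    by_account = defaultdict(list)
    for ts, account, ip in sorted(events):
        by_account[account].append((ts, ip))
    flagged = {}
    for account, logins in by_account.items():
        start = 0
        for end, (ts, _) in enumerate(logins):
            while ts - logins[start][0] > window:  # drop logins older than the window
                start += 1
            ips = {ip for _, ip in logins[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[account] = sorted(ips)
    return flagged

def off_hours_accounts(events, claimed_offset, workday=(8, 18), threshold=0.5):
    """Accounts whose share of logins outside claimed-local business hours >= threshold."""
    total, off = defaultdict(int), defaultdict(int)
    for ts, account, _ in events:
        local = ts + timedelta(hours=claimed_offset[account])
        total[account] += 1
        if not (workday[0] <= local.hour < workday[1]) or local.weekday() >= 5:
            off[account] += 1
    return {a: off[a] / total[a] for a in total if off[a] / total[a] >= threshold}

if __name__ == "__main__":
    print(multi_ip_accounts(parse(SAMPLE_LOG)), off_hours_accounts(parse(SAMPLE_LOG), CLAIMED_UTC_OFFSET))
```

A hit from either check is a prompt for human review alongside the other red flags, not proof of fraud; travel, VPN use, and flexible schedules produce the same patterns.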

Mitigation strategies can help as well. Consider doing the following:

  • Implement training with human resources and onboarding staff regarding common red flags seen in DPRK IT worker resumes;
  • Enhance identification verification by requiring multi-document verification or enhancing scrutiny over social media and public records;
  • Require applicants to appear on camera for all interviewing and consider periodic on camera check-ins once hired;
  • Only ship a laptop and other equipment to the location listed on the individual’s application or to a UPS store location near them that will require ID verification;
  • Enhance remote access network monitoring; and,
  • Maintain strong cybersecurity practices.

If you suspect that you inadvertently hired a DPRK worker, you should engage experienced counsel to navigate the scope of the insider threat, evaluate potential liability, and navigate any reporting requirements. If you learn that you have inadvertently hired a DPRK worker or suspect you might have, consider immediately terminating their access and reporting the matter to law enforcement.

* * *

Wiley’s Privacy, Cyber & Data Governance team assists clients with a full spectrum of privacy, cybersecurity, and data governance issues, which includes monitoring and advising on the development of state privacy laws and regulations. Please reach out to any of the authors with questions.
