North Korea has Infiltrated the Tech Sector.

The Hidden Workforce Embedding North Korean Operatives Inside U.S. Companies Across the Digital Economy

By Lawrence Lease, published about a month ago

North Korea, long known as the most sanctioned and isolated regime on Earth, has somehow managed to insert its workers into hundreds of American companies. These aren’t operatives sneaking across borders or Cold War sleeper agents hiding behind suburban picket fences. They’re remote developers who appear in Zoom meetings, clock in from supposedly legitimate addresses in Japan or South Korea or Seattle, write code that passes muster, and collect paychecks like any ordinary employee. They’ve landed roles in AI labs, fintech startups, media organizations, blockchain firms, and even defense contractors—the exact spaces most countries try desperately to secure from foreign interference.

Cybersecurity firm KnowBe4 discovered this reality in the most jarring way possible. After hiring someone they believed to be a highly qualified software engineer, they mailed him his work computer. Within hours of opening the box, he attempted to install malware. Their systems caught him instantly, but the message rang loud and clear: if even a cybersecurity company can be compromised, then the rest of the corporate world is operating with shockingly thin defenses. And the truth that has become increasingly unavoidable is that thousands of companies are far more vulnerable than they think.

Since 2020, when the global workforce abruptly shifted to remote operations, North Korean operatives have taken advantage of the new landscape with remarkable efficiency. They have earned vast sums for the regime—hundreds of millions by some estimates—and gained access to sensitive systems in industries where access itself is a strategic asset. The financial benefit to Pyongyang is significant, but the larger concern is what these workers are positioned to do once circumstances demand more from them than just the occasional software update.

A Strategy Years in the Making

North Korea’s interest in digital work did not appear out of thin air. After enduring decades of steadily expanding sanctions, the country’s leadership needed a way to inject new revenue into an economy that had few legitimate exports. For years, Pyongyang had relied on the familiar toolkit of a sanctioned state: illicit foreign currency operations, counterfeiting, narcotics trafficking, and headline-grabbing cyber theft—like the 2016 Bangladesh Bank heist that pulled in $81 million. Yet even that dramatic moment was just a small flash from a program that had been quietly evolving throughout the 2010s.

The Kim regime understood earlier than most that the digital age created vulnerabilities far easier to exploit than old-fashioned espionage channels. So they invested heavily in computer science education, grooming a new generation of developers from childhood through elite universities designed to churn out programmers at scale. These institutions did not hide their dual purpose. They produced both hackers capable of launching disruptive campaigns—like the 2014 Sony Pictures attack that halted the release of The Interview—and legitimate-looking developers whose resumes would eventually blend seamlessly into the international tech labor pool.

By the late 2010s, North Korean workers were already operating overseas under false identities, though the extent of their reach was largely underestimated. Treasury sanctions exposed two front companies in 2018, but those actions barely scratched the surface. The infrastructure was already wide, and it only needed the right catalyst to expand exponentially.

That catalyst arrived in March 2020.

Remote Work—The Opening Pyongyang Couldn’t Have Predicted, but Quickly Used

When the pandemic forced companies to send their staff home, traditional hiring safeguards vanished almost overnight. No one met candidates face-to-face. No one verified physical addresses. HR departments were overwhelmed, budgets were collapsing, and every sector was scrambling to keep operations running. In that kind of environment, hiring someone who seemed competent on paper, could pass a video call, and would accept whatever salary was offered suddenly became an acceptable risk.

North Korean operatives flooded in.

At first, their approach was almost rudimentary: polished LinkedIn profiles claiming to be developers from Seoul or Tokyo, fabricated past employers, and references tied to carefully stolen identities. Many of them weren’t even particularly skilled at the work. They introduced bugs, missed deadlines, and sometimes disappeared mid-project. But companies were moving too fast and vetting too little to question the inconsistencies. In many cases, they simply fired the worker, replaced them, and never learned whom they had truly hired until investigative agencies reached out years later.

When you scale that pattern across hundreds of companies, you begin to see how profoundly embedded Pyongyang’s workforce became during those first eighteen months of the pandemic. And once they were in, the regime adjusted its strategy to increase both its effectiveness and its subtlety.

A Sophisticated Machine Emerges

By 2021, North Korea had refined nearly every part of its infiltration model. Résumés became more credible, cover stories more thorough, and the workers themselves more competent. The regime also shifted toward targeting industries that held long-term strategic value—especially AI, financial software, and blockchain platforms with large capital flows.

The U.S. government finally went public in 2022 with a joint advisory warning that thousands of North Korean IT workers were posing as non–North Korean nationals to secure remote jobs with Western companies. The advisory listed red flags such as inconsistent login locations, mismatched identity documents, and suspicious payment patterns. But instead of weakening the operation, the advisory essentially functioned as feedback. North Korea treated it like a training document, correcting weaknesses and adjusting tactics.

This next stage introduced one of the most effective tools yet: laptop farms. American intermediaries—either willing participants or conveniently naïve facilitators—received company-issued work laptops at their home addresses. They set them up on U.S. networks, installed remote access software, and handed full control to operatives overseas. From that moment on, every login, every file transfer, every calendar update appeared to originate from inside the United States. Companies relying on geographic security markers never stood a chance.

Some farms connected a dozen laptops. Others managed hundreds. By 2024, investigators uncovered one operation that used more than 300 stolen identities to create E-Verify–approved freelancer accounts, placing North Korean workers at over 300 U.S. companies. Among them were a major TV news network, a well-known aerospace contractor, and several Fortune 500 firms.
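A defender's view of the laptop-farm pattern described above, as an added example that is not part of the original article: it correlates device inventory records to surface several employees' laptops sharing one shipping address or egress IP, shipping addresses that differ from the HR address on file, and remote-access tools running on the endpoint. The record fields, the tool watchlist, the thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed watchlist of remote-access tool process names (illustrative only).
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk"}

# Constructed sample inventory: one record per company-issued laptop.
DEVICES = [
    {"device": "LT-101", "user": "dev.a", "egress_ip": "203.0.113.7",
     "ship_to": "12 Elm St, Springfield", "hr_address": "800 Pine Ave, Seattle",
     "processes": ["code", "AnyDesk"]},
    {"device": "LT-102", "user": "dev.b", "egress_ip": "203.0.113.7",
     "ship_to": "12 Elm St, Springfield", "hr_address": "44 Lake Rd, Austin",
     "processes": ["slack", "anydesk"]},
    {"device": "LT-103", "user": "dev.c", "egress_ip": "203.0.113.7",
     "ship_to": "12 elm st,  springfield", "hr_address": "9 Hill Ct, Denver",
     "processes": ["code"]},
    {"device": "LT-201", "user": "dev.d", "egress_ip": "198.51.100.20",
     "ship_to": "5 Oak Ln, Boston", "hr_address": "5 Oak Ln, Boston",
     "processes": ["code", "slack"]},
    {"device": "LT-202", "user": "it.e", "egress_ip": "198.51.100.31",
     "ship_to": "7 Bay St, Miami", "hr_address": "7 Bay St, Miami",
     "processes": ["teamviewer"]},
]

def norm(s):
    """Case- and whitespace-insensitive form for comparing addresses."""
    return " ".join(s.lower().split())

def laptop_farm_indicators(devices, min_shared=3, min_reasons=2):
    """Return {device: [reasons]} for devices with >= min_reasons indicators."""
    users_by_ip, users_by_addr = defaultdict(set), defaultdict(set)
    for d in devices:
        users_by_ip[d["egress_ip"]].add(d["user"])
        users_by_addr[norm(d["ship_to"])].add(d["user"])
    findings = {}
    for d in devices:
        reasons = []
        if len(users_by_ip[d["egress_ip"]]) >= min_shared:
            reasons.append("shared_egress_ip")      # many hires, one network
        if len(users_by_addr[norm(d["ship_to"])]) >= min_shared:
            reasons.append("shared_ship_to")        # many laptops, one doorstep
        if norm(d["ship_to"]) != norm(d["hr_address"]):
            reasons.append("ship_to_mismatch")      # laptop not sent to stated home
        tools = sorted(REMOTE_ACCESS_TOOLS & {p.lower() for p in d["processes"]})
        reasons += [f"remote_access_tool:{t}" for t in tools]
        if len(reasons) >= min_reasons:             # one signal alone is too noisy
            findings[d["device"]] = reasons
    return findings

if __name__ == "__main__":
    for device, reasons in laptop_farm_indicators(DEVICES).items():
        print(device, reasons)
```

Requiring two or more indicators keeps a lone support technician running a remote-access tool (LT-202 in the sample) out of the findings while still catching a clustered device that has no such tool installed yet (LT-103).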

And this was the point where artificial intelligence poured gasoline on the fire.

AI Becomes Pyongyang’s Silent Partner

As generative AI tools became widely accessible, North Korean operatives started to use them not only to polish résumés and write impeccable cover letters but also to complete technical tasks, generate plausible portfolio projects, smooth out language issues, and even aid in real-time deception during interviews. Chatbots could produce grammar-perfect emails in seconds. Coding assistants could solve problems that operatives struggled with. AI image tools allowed them to enhance stolen photos into more convincing profile pictures.

The sophistication of these tools accelerated the regime’s infiltration faster than any crackdown could keep up. Even the cyberattack attempt against KnowBe4, which made headlines because the company went public about it, represented a clumsy example. That operative was caught within thirty minutes because he moved quickly and carelessly. But the truly dangerous operatives were the ones who paced themselves—those who simply logged in, did their assigned tasks competently, collected their paychecks, and quietly maintained privileged access for months or even years without raising any alarm.

As 2024 rolled into 2025, it was clear that this wasn’t just a revenue pipeline for North Korea. It was a long-term intelligence operation with implications far beyond the incomes of the workers involved.

The Damage Comes Into Focus

The Justice Department eventually revealed that more than one hundred U.S. companies had been compromised in cases they could actually prosecute. The true number is almost certainly much higher. In one particularly serious breach, a North Korean operative embedded in a California defense contractor retrieved files marked as highly sensitive and subject to strict export controls. Those files, which contained details of U.S. weapons technology, were transmitted directly to North Korea’s intelligence services and now play a role in shaping Pyongyang’s understanding of the military environment it may face in future conflicts.

The significance of this becomes clearer against the backdrop of North Korea’s evolving military alignment. By late 2025, roughly fifteen thousand North Korean troops had been deployed to assist Russia in the Kursk region. The regime had supplied Russia with artillery throughout the war in Ukraine, and in exchange, received advanced naval technology that directly contributed to the construction of its largest warship to date. Monitoring teams also reported nearly three billion dollars’ worth of cryptocurrency theft tied to North Korean groups, with targeted breaches increasingly focusing on artificial intelligence, blockchain infrastructure, and defense-related technologies.

The connection between these infiltrations and North Korea’s rapid military advancements is no longer speculative. It is documented, quantifiable, and deeply concerning.

A Threat Still Growing

Cybersecurity firms have tried to respond, but their efforts remain fragmented. Okta identified 130 North Korean-linked identities that collectively attempted more than 6,500 job interviews across 5,000 companies. CrowdStrike investigated 320 separate incidents in a single year, an extraordinary jump from the previous year. Microsoft suspended thousands of suspicious Outlook accounts tied to the operation. Yet the landscape remains uneven. Mid-sized companies and industries like healthcare and finance lack the robust security teams that major tech firms can deploy. Meanwhile, Southeast Asian laptop farms continue to flourish, creating an international network of hard-to-detect access points.

The tools North Korean operatives rely on are advancing just as fast as the countermeasures. Deepfake software used during interviews can already mask identities convincingly, and while it can currently be disrupted with simple hand-waving tests, that workaround will not last long. The same technologies that make remote work seamless also make deception easier—an imbalance that favors a state willing to exploit every gap.

The New Digital Cold War

In previous eras, infiltrating a foreign government required years of cultivation, clandestine travel, and high-risk espionage. Today, a hostile regime can embed itself in the infrastructure of the most powerful companies in the world with nothing more than a polished résumé, a VPN, and a well-rehearsed video interview.

North Korea’s infiltration program began as an economically motivated workaround to sanctions. Over time, it evolved into a global espionage strategy that leverages AI, distributed labor networks, and the inherent trust built into the modern tech industry. And now, as artificial intelligence becomes intertwined with everything from battlefield logistics to autonomous targeting systems, the stakes of this infiltration are rising faster than governments can adapt.

Reversing this trend would require a fundamental restructuring of how companies vet employees, how remote work is managed, and how international collaboration in tech is regulated. The reality, however, is that the global workforce is moving in the opposite direction—more distributed, more digitally mediated, and more dependent on rapid hiring across borders.

It is a collision between two incompatible systems: a global tech ecosystem built on openness and mobility, and an authoritarian state that treats every interaction as an opportunity for advantage. The consequences of that collision are still unfolding, and the world is only beginning to understand how deeply North Korea has embedded itself into the digital machinery of the twenty-first century.
