Jo, as he came to be known to the cybersecurity experts watching his every move, was a hard worker.
He rose early, usually by 5 a.m. ET, and worked late into the night, often six days a week. Jo juggled three jobs and constantly applied to more — sometimes as many as 50 a day. He needed the money. Always professional, he quickly moved on from rejection and followed up with recruiters whenever there was a lull in communication. His inbox was full of job matches and interview confirmations.
One of those interviews would lead a team of cybersecurity investigators to the inner workings of a vast North Korean employment scheme with national security implications.
On a Tuesday in June, Jo put on his headset and logged on to a call for a hard-to-fill artificial intelligence role with Nisos, a corporate security and investigations company headquartered in Virginia. Jo appeared on screen wearing an orange T-shirt in a beige room. He said he was in Palm Beach Gardens, Florida.
"I heard you guys had, I think, Hurricane George recently," Magen Gicinto, chief people officer for Nisos, inquired. "How was your house? How was Palm Beach?"
"How can I say?" Jo paused before replying while looking off-screen. "Luckily my place was fine."
Minutes later, when asked to share his screen, he hastily logged off.
There had been no hurricane. And while there was an open job at Nisos, the company had no intention of hiring him. They had already begun to suspect that Jo wasn't exactly who he said he was.
For the past decade, North Korea has engaged in a wide-ranging effort to place remote workers at U.S. companies in order to funnel money back to its coffers and, in some cases, steal sensitive information. Those workers' salaries are used in part to evade sanctions and fund the communist regime's illicit programs, including its weapons of mass destruction and ballistic missile efforts, according to U.S. government agencies. Last year, the FBI announced the schemes were becoming "increasingly malicious" and the Department of Justice declared the issue a "code red."
With Jo, Nisos' executives believed they had stumbled on one of these North Korean workers. Few outside of the government have gotten an inside look into the operation, so they decided to take a chance: "hire" Jo, ship him a laptop and gain as much information as possible.
It worked. Nisos shared with NBC News its open-source intelligence analysis, as well as videos with Jo and technical findings, providing an unprecedented look at the human dynamics and inner workings of a suspected operative taking part in a sprawling international employment scheme that is estimated to include hundreds of American companies, thousands of people and hundreds of millions of dollars per year.
"If you can think of a best-case scenario for an analyst that follows these things, this is a dream come true, because you never get this kind of access to what we assume is happening. Now we could actually see it happening in real time," said Jared Hudson, Nisos' chief technology officer.
Over a roughly three-month investigation, Nisos uncovered an apparent network of at least 20 North Korean operatives including Jo who had collectively applied to at least 160,000 roles. During that time, workers in the network — which some evidence showed were based in China — were employed by five U.S.-based companies and allegedly helped by an American citizen operating out of two nondescript suburban homes in Florida.
Monitoring the team's communications nearly 24/7 through its laptop, Nisos gained insights into what its analysts say was likely a Democratic People's Republic of Korea (DPRK) IT team, including how it functioned and how its members communicated with each other. Nisos gathered that the workers were likely based in China and used only each other as references in their job applications. And like many tight-knit workplaces, the team seemed to enjoy a collegial atmosphere. Jo and his colleagues exchanged Minion-themed GIFs and chatted, often in English, about getting drinks together, smoking cigarettes and playing the online game skribbl.io together.
"We could see the coordination. We could see the facilitators. We could see the hierarchy of their cell," Hudson said. "It was the most insightful look inside an active DPRK employment fraud cell that I know of honestly."
Nisos says it coordinated with the FBI prior to mailing the laptop for the purposes of its internal investigation. It also worked with law enforcement to notify the individual whose identity was stolen by Jo.
"In keeping with Department of Justice policy, the FBI can neither confirm nor deny conducting specific investigations," an FBI spokesperson told NBC News.
At a press conference last July, Jeanine Pirro, the U.S. attorney for the District of Columbia, was direct in her messaging to American businesses: "Your tech sectors are being infiltrated by North Korea. And when big companies are lax and they're not doing their due diligence, they're putting America's security at risk."
Pirro's comments followed the sentencing of Christina Chapman, an Arizona resident who became the first American citizen convicted in the job schemes. Chapman received more than eight years in federal prison for helping North Korean IT workers generate over $17 million in illegal revenue. That operation infiltrated more than 300 U.S. organizations including government agencies using the stolen identities of 68 Americans — an operation the Justice Department called the largest identity-theft case of its kind.
"They are inside our house," Pirro warned.
The stakes are high. In one case, a North Korean worker stole sensitive information related to U.S. military technology, according to the Justice Department. In another, an American accomplice obtained an ID that enabled access to government facilities, networks and systems. At least three organizations have been extorted and suffered hundreds of thousands of dollars in damages after proprietary information was posted online by IT workers. Last summer, a North Korean IT worker was charged with stealing over $700,000 worth of cryptocurrency assets from a Georgia-based company — evidence, investigators say, that the IT schemes are becoming more sophisticated and aggressive in their targeting of cryptocurrency companies.
Analysts warn that North Korean IT workers are targeting larger organizations, increasing extortion attempts and seeking out employers that pay salaries in cryptocurrency. More recently, security researchers have uncovered fake job application platforms impersonating major U.S. cryptocurrency and AI firms, including Anthropic, designed to infect legitimate applicants' networks with malware to be utilized once hired.
The global cybersecurity company CrowdStrike identified a 220% rise in 2025 in instances of North Koreans gaining fraudulent employment at Western companies to work remotely as developers.
"This is where North Korea enjoys the benefits of having the resources of a state, but behaving like a nonstate criminal group," said Jenny Jun, an assistant professor of international affairs at the Georgia Institute of Technology who has testified before Congress on North Korea's cyberoperations. "It would be like if they stole a bunch of jewels and then set fire to the museum to hide their trails. They do the equivalent of things like that in cyberspace."
The payoff flowing back to Pyongyang from these schemes is enormous. Some North Korean IT workers earn more than $300,000 per year, far more than they'd be able to earn domestically, with as much as 90% of their wages directed back to the regime, according to congressional testimony from Bruce Klingner, a former CIA deputy division chief for Korea.
The United Nations estimates the schemes, which proliferated after the pandemic when more companies' workforces went remote, generate as much as $600 million annually, while a U.S. State Department-led sanctions monitoring assessment placed earnings for 2024 as high as $800 million.
The IT scheme proceeds, according to the report, are used to evade sanctions and in part fund North Korea's weapons of mass destruction and ballistic missile programs in what has been described in congressional testimony as one of the country's "cash cows."
Roman Rozhavsky, the assistant director of the FBI's Counterintelligence Division, said that the scheme has succeeded in part due to the broader move toward remote work sparked by the Covid pandemic.
"Covid definitely opened the Pandora's box to this, because every job became virtual, and it became a lot easier for them to get these jobs," Rozhavsky added.
"Hey, we've got a live one here," Jared Hudson messaged his Nisos colleague Magen Gicinto from his home office in Atlanta. "Let's see, maybe there's something we can do."
He had just finished his initial interview with Jo and thought something wasn't right.
Jo's command of English was poorer than expected, and Hudson thought he might have been reading AI-generated answers to his questions, pausing for an unusual amount of time before responding.
"It was very much like interacting with a politician reading off a teleprompter. I was like, 'This guy is reading and he's dynamically responding to my questions.' So that's where I was like, 'Yeah, he's using AI for sure,'" Hudson recalled.
After a deeper résumé review turned up more red flags, Hudson, Gicinto and the Nisos team devised a plan to bait Jo.
The team's suspicion grew stronger when Jo abruptly ended his second interview, logging off midconversation when prompted to share his screen. During the call, he did not provide a portfolio, something an engineer with over 15 years of experience would commonly be expected to have.
About two weeks later, Gicinto reached back out to Jo with an offer: a $5,000 retainer fee to help with what Nisos described as "urgent AI priorities." He responded right away that he was ready to work, providing a mailing address in Florida and bank information for an account in Missouri.
"We know that most of their motivation is financially driven," Gicinto said. "I think that financial piece really hooked him back into the conversation."
In early August, after alerting the FBI, Nisos says it mailed a laptop enabled with monitoring software to a single-story home in Palm Bay, Florida. Once the laptop was delivered and plugged in, Nisos activated its web camera. Immediately they could see that there were 40 devices linked together on a shared network, 20 of which were likely part of a laptop farm.
"We're freaking out at this point. It's super exciting that we have access to an actual laptop farm," said Ben Racenberg, a former CIA target analyst who is the North Korea research lead for Nisos and helped devise its investigative plan.
Jo logged into Nisos' laptop, which gave the team tracking him access to the messaging platform that his suspected cell of North Korean workers were using to coordinate job applications among themselves. The workers managed job references for each other, interview schedules and updates on applications. They also tracked application totals and job status updates. Jo was curious about America, too. "What sports do Americans usually play?" Nisos could see he Googled one morning.
In order to learn more about where the workers were likely based, Nisos shared two documents with Jo that had a tool attached to determine the IP address and location of the user. Once Jo opened them, Nisos detected that the documents were accessed using a type of virtual private network frequently associated with North Korean IT workers based in China.
Nisos' access to Jo's email address indicated he was connecting from an IP address near Shanghai.
"We didn't expect them to sign into their command and control infrastructure on our laptop. But once they did that, we had full insight into everything," Hudson said.
Nisos also got a firsthand look at just how good the operation was at attracting employers. Last August, Jo's inbox populated with job prompts, matches and interview requests. Subject lines included "let's meet!" and "thanks for your interest," according to screenshots reviewed by NBC News showing the Gmail account used for applications.
Nisos estimated that in about a year, Jo, who was likely a newer member of the team, applied to about 5,000 jobs. The group appeared to be sorted into four teams managed by captains who docked workers' salaries by $1 per mistake made on applications or for incorrect roles.
NBC News made multiple attempts to reach the suspected North Korean worker known as Jo, without receiving a response.
In Pyongyang, the cyberworkforce pipeline, including potential IT workers, begins at an early age. Promising math and science students are selected in elementary school and fast-tracked through computer science and hacking training before being placed into cyberunits under military and state agencies, according to a recent report by DTEX, a risk-adaptive security and behavioral intelligence firm that tracks North Korea's cybercrime.
"It's all super organized and very much metric-driven. It was applications, applications, interviews, interviews," Racenberg said.
And it was very, very human. Like any employee, Jo relied on colleagues for help. They, like him, were hardworking. They shared laptops and sometimes the jobs themselves.
"They attended interviews all day every day, and then once they secured a job, they would collect paychecks until they were terminated," said Hudson. "Just rinse and repeat. It was a volume game."
With the ability to see which other U.S. companies Jo and his team were working for — all remote technology roles — Nisos' CEO, Ryan LaSalle, began making calls to their security teams to alert them of the fraud.
"Most of the companies weren't aware of it, even if they had pretty robust security teams," LaSalle said. "It wasn't really high on the radar."
In September, without any assigned work or pay from Nisos, Jo returned the laptop. It was shipped from a different rental home, in Melbourne, Florida. By that time, Nisos was confident it had collected enough technical signals to confirm North Korea's role.
But Nisos still had questions. Racenberg recalls messaging his colleague Gicinto at the time, saying: "I cannot believe that we actually found a laptop farm, and now we want to figure out who is the person who is running this."
Jo may not have been in Florida, but Nisos found that he seemed to have had help stateside.
North Korean IT teams rely on an expansive global network of facilitators, often ranging from individuals in the U.S. recruited to run laptop farms to bank representatives and brokers based in China who help launder the proceeds through a complex web of cryptocurrency exchanges so they can be used to purchase real-world goods. In at least one case, a facilitator was recruited through a cellphone video game application, according to an interview with law enforcement cited in court documents.
FBI officials say laptop farms are a crucial way North Korean IT teams trick U.S. companies into believing their remote workers are in the U.S. — providing both a physical address to mail laptops to and a U.S. internet connection. Once equipped with certain remote access software and tools, workers can log into those laptops remotely.
So far, at least 10 alleged U.S.-based facilitators have been federally charged, including one active-duty member of the U.S. Army, for their alleged roles in hosting laptop farms, laundering payments and moving proceeds through shell companies. At least six other alleged U.S. facilitators have been identified in court documents but not named.
In one instance, an American citizen, Kejia "Tony" Wang, traveled to China in 2023 to meet with co-conspirators and IT workers in Shenyang and Dandong, according to court documents. Laptops from over 100 U.S. companies, including a California-based defense contractor, were sent to Wang, who also set up shell companies to help route wages earned overseas. Wang pleaded guilty to charges related to wire fraud, money laundering and identity theft and is awaiting sentencing next month.
"We believe there are many more hundreds of people out there who are participating in these schemes," said Rozhavsky, the FBI assistant director. "They could never pull this off if they didn't have willing facilitators in the U.S. helping them."
Once illicit money has been earned, it needs to be consolidated and converted to government-issued currency. North Korean teams typically rely on a maze of Chinese networks to launder it, according to industry reports.
"Every bad guy you can think of is using Chinese money launderers. Now, this is how money moves internationally," said Nick Carlsen, senior investigator on the global investigations team at the blockchain analytics company TRM Labs and a former intelligence analyst at the FBI focused on North Korea.
Since Kim Jong Un took power in 2011, North Korea has honed and expanded a portfolio of cybercrime operations beyond IT work — pulling in billions through cryptocurrency thefts including a record $1.5 billion heist last year, according to the FBI. Analysts say these operations have made Kim wealthier and more geopolitically relevant than ever before, validating his long-held view of cyberoperations as an "all-purpose sword."
In recent years, North Korea's partnership with Chinese money laundering networks has unlocked a new level of speed and efficiency that North Korean operators had not been able to achieve independently.
"The transformative element is the existence of these superliquid Chinese financial networks," Carlsen said. "They can absorb a lot of money, convert it and transfer it in whatever domestic currency you want. That's the big change."
Most of these intermediaries operate across southern China and Southeast Asia including Myanmar, Hong Kong, Macao and China's Fujian province — rapidly moving cryptocurrency across blockchains using so-called "mixers" that break stolen funds into smaller pieces to obscure their origin. IT worker proceeds are typically smaller sums and involve fewer intermediaries, said Andrew Fierman, head of national security intelligence at the blockchain tracking company Chainalysis, while the larger crypto heist sums require complex, multilayered laundering chains.
Carlsen noted that funds from both IT worker schemes and crypto heists frequently end up with Chinese brokers tied to organized-crime syndicates. "You see overlaps with pig-butchering scams and with drug cartels," he said. "These are the same networks absorbing this money." Cryptocurrencies have made that convergence easier. "It's the lubricant," he added. "The oil that allows all these gears to interact with each other."
The U.S. government has taken some steps to address North Korea's IT worker scheme, but experts warn the threat is intensifying as workers' use of AI continues to scale up around the globe.
Cybersecurity analysts say U.S. enforcement tools are struggling to keep pace with the scale and sophistication of Pyongyang's cyberoperations. Many of the individuals involved operate from countries that lack extradition agreements with the U.S., placing them largely beyond the reach of U.S. law enforcement.
"It's a whack-a-mole game. It's virtually impossible to fully disrupt this," Carlsen said. "It's just a never-ending process."
He argues the most effective strategy is to make schemes less profitable by cutting off the regime's ability to cash out through money laundering organizations.
The U.S. government has ramped up efforts to do that. On Thursday, the Treasury Department sanctioned six individuals and two entities for their roles in DPRK government-orchestrated IT worker schemes, including facilitators based in North Korea, Vietnam, Laos and Spain.
Last fall, federal authorities announced a wave of criminal indictments, forfeitures, sanctions and asset freezes targeting North Korea's illicit cyber activity.
In October, the Treasury Department severed Cambodia-based Huione Group, a financial-guarantee network, from the U.S. financial system, alleging it laundered billions in illicit proceeds, including at least $37 million in cryptocurrency linked to North Korean operations. Weeks later, eight individuals and two entities, including North Korean bankers and institutions, were sanctioned for laundering funds derived from cybercrime and IT worker fraud schemes.
North Korea, for its part, has denied any wrongdoing.
Last year, following the Department of Justice's indictment of several North Koreans for their alleged roles in the scheme, the country's foreign minister condemned U.S. actions as "an absurd smear campaign" targeting the "non-existent 'cyber threat' from the DPRK," the Korean Central News Agency reported.
In response to questions about Chinese nationals' involvement in the scheme, Chinese Embassy spokesperson Liu Pengyu said, "We oppose false allegations and smears which have no factual ground at all."
The scheme itself is also becoming more complex. North Korean IT teams are now subcontracting work to developers in Pakistan, Nigeria and India, expanding into fields like customer service, financial processing, insurance and translation services — roles far less scrutinized than software development.
"Unless you have external information, you might not know they're North Korean," said Michael Barnhart, who leads nation-state threat intelligence at DTEX. "They're trying to move themselves into middle management, and it's working."
That expansion also raises concerns that North Korean workers could cause real-world harm by jeopardizing lives, something Barnhart has seen up close.
In 2021, as part of a wave of attacks on NASA and military bases, a North Korean hacking team infected a Kansas hospital's computer systems with ransomware, crippling servers and demanding roughly $100,000 in bitcoin to restore their function. The hospital paid. Barnhart helped investigate the hack alongside the FBI, and it was that case that made clear to him the ways in which North Korea's malicious hacking teams sometimes cooperate with IT teams to support their missions, something that was not widely known at the time.
What he saw was a hacking operator engaged in IT work, including placing other IT workers in jobs. The income from those jobs supported the hacking unit's primary malware operations to commit computer intrusions against U.S., South Korean and Chinese government or technology victims.
"It started off as revenue generation, but the lines are getting blurrier and blurrier. If the time comes, they've got chess pieces inside organizations all over the world — and they'll start acting from the inside," he said.
Rozhavsky expressed similar concerns.
"Even if a company gets rid of them, we don't know what backdoors they could have left for access in the future," he said. "So it's definitely a ticking time bomb that could have negative consequences down the line."
Lawmakers are also seeking stronger defenses. Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., introduced the Protecting America from Cyber Threats Act, which would renew key cybersecurity authorities for another decade and encourage private companies, like Nisos, to share information about cyberthreats with the federal government.
Still, thousands of workers, the driving force of the IT schemes, remain out of reach, the majority of whom are based in China.
"These are the smartest people in North Korea. That's kind of the tragedy of it," Carlsen said. "They've taken their best and brightest and made them criminals."