North Korean nationals who conceal their identities to infiltrate businesses as employees or contractors continue to expand their presence beyond technology companies and America’s borders.
Nearly every industry has been duped into hiring North Koreans in violation of sanctions, as technology companies represent only half of all targeted victims, threat researchers at Okta said in a report this week.
Okta Threat Intelligence found evidence confirming North Korean nationals have targeted and sought roles at any organization recruiting remote talent. The North Korean regime will pursue any opportunity to collect and launder payment if the application, interview process and work can be performed remotely, researchers said.
North Koreans are no longer limiting themselves to IT and software engineering positions. According to Okta’s research, more North Koreans are now applying for remote finance positions, such as payments processors, and engineering roles.
While technology firms attract the highest volume of applications and job interviews, other verticals including finance and insurance, health care, manufacturing, public administration and professional services appeared often in Okta’s analysis.
Researchers based the study on more than 130 identities used by facilitators and workers participating in the scheme, and linked those personas to more than 6,500 job interviews spread across about 5,000 companies over a four-year period through mid-2025.
Okta acknowledges this only reflects a small sample of North Korea’s scheme, but said it highlights the extent to which IT worker units are targeting more industries in more countries.
“It’s possible that increased awareness of this threat — as well as government and private sector collaborative efforts to identify and disrupt their operations — may be an additional driver for them to increasingly target roles outside of the US and IT industries,” Okta threat researchers said in the report.
Indeed, threat intelligence firms and officials have consistently warned about the growing pervasiveness of North Korea’s scheme. In April, Mandiant said hundreds of Fortune 500 organizations have unwittingly hired North Korean IT workers.
CrowdStrike, in August, said it observed a 220% year-over-year increase in North Korean IT worker activity, amounting to 320 incident response cases in the past year. The Justice and Treasury Departments have seized cryptocurrency, issued indictments and sanctioned people and entities allegedly involved in the yearslong scheme.
Okta analysis revealed a global expansion of the North Korea IT worker operation, with 27% of targeted roles based outside of the United States. Researchers observed North Korean operatives targeting roles in the United Kingdom, Canada and Germany, with each country accounting for about 150 to 250 roles.
Other top targeted countries include India, Australia, Singapore, Switzerland, Japan, France and Poland.
Okta cautioned that non-U.S.-based companies are likely less skilled and concerned with finding North Korean job applicants because the scheme was largely viewed as a U.S. technology industry problem. This creates an elevated problem in newly targeted countries, researchers said.
“Years of sustained activity against a broad range of U.S. industries have allowed Democratic People’s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,” Okta said in the report. “Consequently, they are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”
The post North Korea IT worker scheme swells beyond US companies appeared first on CyberScoop.
Okta Threat Intelligence uncovered a large-scale and sustained operation, reflecting the North Korean regime’s pursuit of any opportunity that allows for remote employment.
The post North Korea IT worker scheme swells beyond US companies appeared first on CyberScoop. Read MoreCyberScoop
