Axios Future of Cybersecurity

August 19, 2025
Happy Tuesday! Welcome back to Future of Cybersecurity.
This week marks three years since I started writing this newsletter. Boy, how time flies. Thanks to each and every one of you joining me on the ride — it couldn't happen without y'all.
Today's edition puts a spotlight on the global North Korean IT worker operation affecting nearly every Fortune 500 company. Read and share the full deep dive here!
Next week, we're on vacation. See everyone after Labor Day!
Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,417 words, a 5.5-minute read.
1 big thing: Inside North Korea's global IT worker army
Nearly every Fortune 500 company is hiding the same uncomfortable secret: they have hired a North Korean IT worker.
Why it matters: Despite how widespread the issue is, few companies are willing to talk publicly about it.
- Experts say reputational risk, legal uncertainty and embarrassment all contribute to the silence — which in turn makes the problem harder to solve.
- Dozens of resumes, LinkedIn profiles and fraudulent identity documents shared with Axios lay bare the scale and sophisticated nature of the scams.
The big picture: For North Korea, this is a precious revenue stream that evades American sanctions — capitalizing on the wealth of high-paying remote worker roles in the U.S. to route cash back to Pyongyang.
- In the past two years, companies and their security partners have begun to grasp the scale of the problem — and now, they're sounding the alarm about where it's headed next.
- "They've been stealing intellectual property and then working on the projects themselves," Michael "Barni" Barnhart, principal investigator at DTEX Systems, told Axios. "They're going to use AI to magnify exponentially what they're already doing — and what they're doing now is bad."
Between the lines: It sounds easy to simply weed out North Korean job applicants. But some of the world's biggest firms have found it devilishly difficult.
- That's because the North Korean operation has become as complex as a multinational corporation. It involves several North Korean government offices, dozens of China-based front companies, and Americans willing to facilitate the fraud.
- And the undercover North Korean IT workers are often exceptional at their jobs — at least until they start stealing sensitive data or extorting companies that try to fire them.
2. How North Korean IT workers score jobs
Getting a job at a U.S. company — and going undetected — is a team effort that involves several North Korean IT workers, China-based companies and even Americans.
- Many North Korean workers are even stationed in China and other nearby countries to keep suspicions low.
First, the workers identify potential identities they can assume. Those are stolen from a real person, or even from a dead U.S. citizen.
- To pull off this deception, they create fake passports, Social Security cards and utility bills. Many of them use the same recognizable tablecloth in the background of fake ID photos, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said.
- For instance, in a December indictment of 14 North Koreans, the workers were found using stolen identities to apply to dozens of jobs.
Second, the workers find open jobs in software development, technical support and DevOps posted on Upwork, Fiverr, LinkedIn and third-party staffing platforms.
- The workers then use AI tools to help generate passable resumes and LinkedIn profiles, according to Trevor Hilligoss, senior vice president at SpyCloud Labs.
- "There's a hierarchy: There's a group of people who are the interviewers, and they're the ones with the really good English specialties," Hilligoss told Axios. "When they get hired, that gets turned over to somebody that's a developer."
- Those developers often juggle several jobs and multiple different personas.
Zoom in: Job interviews would seem like the obvious time to catch a fraudulent application.
- But the "applicants" — whether they're using their real faces and voices or AI-enabled personas — are practiced interviewers with the skills necessary to complete technical coding assignments.
- In multiple cases, hiring managers realized something was wrong only weeks later when employees looked or behaved differently than during the interview, Barnhart said.
After landing the job, the developers step in and request that their company laptop be shipped to a U.S. address — often citing a last-minute move or family emergency.
- That address often belongs to an American accomplice, who typically operates what's known as a laptop farm.
- These facilitators are told to install specific remote desktop software onto the laptops so the North Korean workers can operate the laptops from abroad.
- In July, the FBI said it had executed searches of known or suspected laptop farms on 21 premises across 14 states, seizing 137 laptops.
Then there's the challenge of ensuring the salaries actually reach the North Korean regime.
- That often requires the facilitators to forward the paychecks to front companies across China or funnel them through cryptocurrency exchanges.
- In a report published in May, researchers at Strider Technologies identified 35 China-based companies linked to helping the North Korean operations.
3. Zoom in: IT worker operations, pictured
4. Detecting IT workers isn't so easy
Hiring processes are so siloed that it's difficult for managers to see all the signs of fraud until the North Korean workers start their roles, said Sarah Kern, lead North Korea analyst at Sophos' Counter Threat Unit.
- Even if a company suspects something is wrong, the forensic signals can be subtle and scattered. Security teams may detect unusual remote access tools or strange browser behavior. HR might notice recycled references or resumes that use the same phone number.
- But unless those insights are pooled together, it rarely raises alarms.
- "There's not one giant red flag to point to," Kern said. "It is multiple technical forensic aspects and then such a human aspect of small things to pick up on that aren't necessarily going to be in telemetry data from an endpoint detection standpoint."
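The point Kern makes above is that no single signal is damning; the fraud only becomes visible when HR and security telemetry are pooled. The script below is an added illustration of that pooling, not code from Axios or any vendor quoted here. It runs over constructed HR records and constructed endpoint alerts, and the signal names, weights and review threshold are hypothetical choices made for the example: a reused applicant phone number, a reused reference, a shared laptop shipping address, and a remote-access or odd-browser alert each score a few points on their own, and an employee is queued for review only when the combined score crosses the threshold.

```python
"""Correlate weak hiring-fraud signals across HR and endpoint sources.

Added example with constructed data. Signal names, weights and the
review threshold are hypothetical, chosen to show how several low-value
signals combine into one reviewable score.
"""
from collections import defaultdict

# Constructed HR records (not real people). E100 and E101 share a phone,
# a reference and a laptop shipping address; E103 shares only the address.
HR_RECORDS = [
    {"employee_id": "E100", "phone": "555-0101",
     "reference_phones": ["555-0199"],
     "laptop_ship_address": "12 Elm St, Springfield"},
    {"employee_id": "E101", "phone": "555-0101",
     "reference_phones": ["555-0199"],
     "laptop_ship_address": "12 Elm St, Springfield"},
    {"employee_id": "E102", "phone": "555-0333",
     "reference_phones": ["555-0444"],
     "laptop_ship_address": "9 Oak Ave, Portland"},
    {"employee_id": "E103", "phone": "555-0555",
     "reference_phones": ["555-0666"],
     "laptop_ship_address": "12 Elm St, Springfield"},
]

# Constructed endpoint alerts as (employee_id, alert_type). On their own
# these are routine tickets; E102 is a remote tool with nothing else.
ENDPOINT_ALERTS = [
    ("E100", "remote_access_tool"),
    ("E102", "remote_access_tool"),
    ("E103", "unusual_browser_behavior"),
]

# Hypothetical weights: each signal alone stays below REVIEW_THRESHOLD.
SIGNAL_WEIGHTS = {
    "shared_phone": 2,
    "shared_reference": 2,
    "shared_ship_address": 3,
    "remote_access_tool": 2,
    "unusual_browser_behavior": 1,
}
REVIEW_THRESHOLD = 5

# HR field -> signal name it produces when two or more employees share it.
HR_FIELD_SIGNALS = (
    ("phone", "shared_phone"),
    ("reference_phones", "shared_reference"),
    ("laptop_ship_address", "shared_ship_address"),
)


def _shared_values(records, key):
    """Return {value: set(employee_ids)} for values used by 2+ employees."""
    owners = defaultdict(set)
    for rec in records:
        values = rec[key] if isinstance(rec[key], list) else [rec[key]]
        for value in values:
            owners[value].add(rec["employee_id"])
    return {v: ids for v, ids in owners.items() if len(ids) > 1}


def correlate(hr_records, endpoint_alerts):
    """Pool HR and endpoint signals per employee and score them.

    Returns {employee_id: {"score": int, "flag": bool, "reasons": [...]}}.
    """
    signals = defaultdict(list)  # employee_id -> [(signal, detail), ...]

    # HR-side signals: a value reused across several hires.
    for key, signal in HR_FIELD_SIGNALS:
        for value, ids in _shared_values(hr_records, key).items():
            for eid in ids:
                others = sorted(ids - {eid})
                signals[eid].append((signal, f"{key}={value} also used by {others}"))

    # Security-side signals: endpoint alerts tied to the same employee id.
    for eid, alert in endpoint_alerts:
        if alert in SIGNAL_WEIGHTS:
            signals[eid].append((alert, "endpoint alert"))

    results = {}
    for eid, items in signals.items():
        score = sum(SIGNAL_WEIGHTS[name] for name, _ in items)
        results[eid] = {
            "score": score,
            "flag": score >= REVIEW_THRESHOLD,
            "reasons": [f"{name}: {detail}" for name, detail in items],
        }
    return results


if __name__ == "__main__":
    for eid, info in sorted(correlate(HR_RECORDS, ENDPOINT_ALERTS).items()):
        status = "REVIEW" if info["flag"] else "ok"
        print(f"{eid} score={info['score']} {status}")
        for reason in info["reasons"]:
            print(f"    {reason}")
```

With the constructed data, E100 and E101 cross the threshold because the HR overlaps stack on top of the endpoint alert, while E102 (a lone remote-access alert) and E103 (a shared address plus odd browser activity) stay below it. The same join is what a siloed process never performs: the HR columns and the endpoint column each look benign until they are keyed on the same employee.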
Yes, but: Even when these workers are detected, they're not easy to fire.
- Many of them are so talented that managers are reluctant to even believe they could actually be in North Korea, Alexandra Rose, director at Sophos' Counter Threat Unit, told Axios.
If these workers are caught, employers then face a litany of problems:
- Some workers will download sensitive internal data and extort the company for a hefty sum in a last-ditch effort to bleed the company of whatever money they can.
- In a small number of cases, workers have filed legal complaints, including workers' compensation claims, Barnhart said. In one case, he said, he had a worker try to claim domestic violence protections as they were being fired just to buy time.
- "There is a lot of focus on companies that cybersecurity shouldn't just be for the CISO," Rose said. "You want a bit of that security feel throughout the company, and this is the kind of case that demonstrates why that is."
The bottom line: Some companies also hesitate to report these incidents, fearing they could be penalized for unknowingly violating U.S. sanctions — even though law enforcement officials have said they're more interested in cooperation than prosecution.
Go deeper: Read and share the full deep dive
5. Catch up quick
@ D.C.
Director of National Intelligence Tulsi Gabbard says the United Kingdom has dropped its demand for Apple to create a "back door" in its encryption to access user data. (BBC)
President Trump says he wants to ban mail-in ballots and get rid of voting machines ahead of the 2026 midterms. (New York Times)
Trump responded to reports that Russia may have been behind a hack of the federal court filing system: "Are you surprised?" (Axios)
@ Industry
Sam Altman says that OpenAI is strongly looking at adding encryption to ChatGPT. (Axios)
Accenture is buying Australian cybersecurity firm CyberCX in a deal valued at around $650 million. (Reuters)
Nir Zuk, founder of Palo Alto Networks, is retiring as the company's chief technology officer and has left the board. (Wall Street Journal)
@ Hackers and hacks
Workday says hackers obtained "commonly available business contact information" in a recent social engineering attack targeting one of its Salesforce databases. (Dark Reading)
Cisco disclosed a maximum-severity vulnerability in its firewall management software that could allow attackers to execute high-privilege commands. (CyberScoop)
Reporters say that within 10 minutes, they were able to find a trove of sensitive information about users of an app where men share information about the women they're dating. (TechCrunch)
6. 1 fun thing
North Korean IT worker operations have been a huge talking point on this year's cybersecurity conference circuit — so much so that people were handing out stickers joking about the fraud in Las Vegas earlier this month!
See y'all in September!
Thanks to Dave Lawler for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Future of Cybersecurity, spread the word.
Sign up for Axios Future of Cybersecurity