In recent years, North Korea has increasingly turned to telework in a bid to fund its controversial nuclear program. The country’s regime has allegedly infiltrated companies in the United States , and more recently Europe , by employing individuals with fraudulent identities . According to investigations by the FBI , the Department of Justice , and Google , these individuals are part of a larger network designed to generate income that primarily benefits the North Korean regime.
A structured framework. A cybersecurity researcher known as Sttyk has compiled a comprehensive database revealing the organizational structure of these infiltrators. The information—spanning “dozens of data gigabytes” and thousands of emails—suggests that the workers are divided into twelve groups , each led by a central figure referred to as a “master boss.” This hierarchical organization enables better coordination and resource allocation within their operations.
Utilization of spreadsheets and digital tools. The workers utilize software like Slack , Google , and Github , along with spreadsheets , to track their tasks and progress towards economic and strategic goals . Notably, they compile data on the specific job requirements of targeted companies, tracking necessary programming languages and existing communication with potential employers.
Acquisition of new identities. Recently, the BBC reported on a defector named Jin-Su , who shared insights from his experience as a false teleworker. He noted that much of his work involved creating fake identities to secure employment. Initially, he used Chinese identities, but as he realized the advantages of Western identities, he began acquiring names from countries like Hungary , Turkey , and the United Kingdom . This strategic pivot suggests a sophisticated understanding of global job markets.
Workers proficient in English conduct the most crucial outreach, as most communications occur via platforms like Slack, minimizing the need for face-to-face interactions. However, the rise of artificial intelligence in recruitment processes poses new challenges, as many firms have adopted AI-driven interviews, often making it easier to detect fraudulent candidates.
Targeted job sectors. The types of positions pursued by these false teleworkers predominantly reside within the technology sector. Investigations reveal a clear focus on areas like artificial intelligence , blockchain technology , and web development . By infiltrating these lucrative fields, they can maximize financial gains that, in turn, fund the North Korean war machine.
Financial implications. Jin-Su reported that false teleworkers often earn around $5,000 per month in roles spanning the United States and Europe. Despite having to remit 85% of these earnings back to North Korea, he noted that the income remains significantly better than the conditions experienced within their homeland. A recent United Nations report highlights that these workers collectively generate between €250 million and €600 million annually for their country.
The money these workers retain upon returning to North Korea offers considerable value, thereby weakening the motives for some to defect, especially since many operate from more liberated environments in Russia or China .
In parallel, another division of North Korean operatives focuses on cryptocurrency theft , bringing in staggering sums of illicit funds. Just this past March, hackers reportedly acquired approximately $1.5 billion , adding up to $1.3 billion from 47 separate incidents in December 2024.
Challenging working conditions. Despite the apparent advantages of working remotely for North Korea, conditions remain harsh. Slack communications from their leaders indicate that members should work “at least 14 hours a day.” While this is demanding, it pales compared to the extreme expectations set by some leading Silicon Valley firms.
Images are sourced from the Kremlin and Altumcode on Unsplash.
The infiltration of teleworkers as a method of funding North Korea’s ambitions poses serious implications for global cybersecurity. As this sophisticated nexus of technology and deception grows, the onus remains on global agencies and tech firms to develop robust defenses against these emerging threats. In an era where digital identities can be easily forged and manipulated, vigilance is paramount to prevent these hostile actions from continuing unabated.

