{
	"id": "8cac4259-b2bc-40af-a97a-3749c50a5450",
	"created_at": "2026-04-06T00:17:20.039581Z",
	"updated_at": "2026-04-10T03:21:54.400722Z",
	"deleted_at": null,
	"sha1_hash": "80a44b558d52a764e002ec58fc623dc900a0ba73",
	"title": "How a North Korean Fake IT Worker Tried to Infiltrate Us",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 293997,
	"plain_text": "How a North Korean Fake IT Worker Tried to Infiltrate Us\r\nBy Stu Sjouwerman\r\nPublished: 2024-07-23 · Archived: 2026-04-05 23:36:39 UTC\r\nIncident Report Summary: Insider Threat\r\nFirst of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4\r\nsystems. This is not a data breach notification, there was none. See it as an organizational learning moment I am\r\nsharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you.\r\nStory updated 10/19/2024 with 10 critical updates to your hiring process. See further below. We also wrote an\r\nFAQ, answering questions from customers.\r\nTLDR: KnowBe4 needed a software engineer for our internal IT AI team. We posted the job, received resumes,\r\nconducted interviews, performed background checks, verified references, and hired the person. We sent them their\r\nMac workstation, and the moment it was received, it immediately started to load malware.\r\nOur HR team conducted four video conference based interviews on separate occasions, confirming the individual\r\nmatched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person\r\nusing a valid but stolen US-based identity. The picture was AI \"enhanced\".\r\nThe EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire\r\nand asked if they could help. That's when it got dodgy fast. We shared the collected data with our friends at\r\nMandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this\r\nwas a fake IT worker from North Korea. The picture you see is an AI fake that started out with stock photography\r\n(below). The detail in the following summary is limited because this is an active FBI investigation. 
\r\nSUMMARY: This report covers the investigation of Employee ID: XXXX hired as a Principal Software Engineer.\r\nOn July 15, 2024, a series of suspicious activities were detected on that user account. Based on the SOC team's\r\nevaluation of the activities it was found this may have been intentional by the user and suspected he may be an\r\nInsider Threat/Nation State Actor. Upon initial investigation and containment of host, a more detailed inquiry into\r\nthe new hire took place.\r\nOn July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST. When these\r\nalerts came in KnowBe4's SOC team reached out to the user to inquire about the anomalous activity and possible\r\ncause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and\r\nthat it may have caused a compromise.\r\nThe attacker performed various actions to manipulate session history files, transfer potentially harmful files, and\r\nexecute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more\r\ndetails from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became\r\nunresponsive. At around 10:20pm EST SOC contained XXXX's device.\r\nHow this works is that the fake worker asks to get their workstation sent to an address that is basically an \"IT mule\r\nlaptop farm\". They then VPN in from where they really physically are (North Korea or over the border in China)\r\nand work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing\r\nthe work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don't have to\r\ntell you about the severe risk of this. 
It's good we have new employees in a highly restricted area when they start,\r\nand have no access to production systems. Our controls caught it, but that was sure a learning moment that I am\r\nhappy to share with everyone.\r\nTIPS TO PREVENT THIS\r\nScan your remote devices, to make sure no one remotes into those.\r\nBetter vetting, making sure that they are physically where they are supposed to be.\r\nBetter resume scanning for career inconsistencies.\r\nGet these people on video camera and ask them about the work they are doing.\r\nThe laptop's shipping address different from where they are supposed to live/work is a red flag.\r\nRECOMMENDED PROCESS IMPROVEMENT\r\nBackground check appears inadequate. Names used were not consistent.\r\nReferences potentially not properly vetted. Do not rely on email references only.\r\nImplement enhanced monitoring for any continued attempts to access systems.\r\nReview and strengthen access controls and authentication processes.\r\nConduct security awareness training for employees, emphasizing social engineering tactics.\r\nWHAT TO LOOK OUT FOR:\r\nUse of VOIP numbers and lack of digital footprint for provided contact information\r\nDiscrepancies in address and date of birth across different sources\r\nConflicting personal information (marital status, \"family emergencies\" explaining unavailability)\r\nSophisticated use of VPNs or VMs for accessing company systems\r\nAttempt to execute malware and subsequent cover-up efforts\r\nALERT HR ABOUT:\r\nThe subject has demonstrated a high level of sophistication in creating a believable cover identity, exploiting\r\nweaknesses in the hiring and background check processes, and attempting to establish a foothold within the\r\norganization's systems.\r\nThis is a well-organized, state-sponsored, large criminal ring with extensive resources. 
The case highlights the\r\ncritical need for more robust vetting processes, continuous security monitoring, and improved coordination\r\nbetween HR, IT, and security teams in protecting against advanced persistent threats. Left is the original stock\r\npicture. Right is the AI fake submitted to HR.\r\nNorth Korean IT Worker Threat: 10 Critical Updates to Your Hiring Process\r\nKnowBe4 was asked what changes were made in the hiring process after the North Korean (DPRK) fake IT\r\nworker discovery. Here is the summary and we strongly suggest you talk this over with your own HR department\r\nand make these same changes or similar process updates. Here is the blog post with these critical updates:\r\nRecommended Resources:\r\nThe U.S. Government is aware of this threat and has been warning against it since 2022. Here is the link.\r\nGoogle: Assessed Cyber Structure and Alignments of North Korea in 2023\r\nMandiant Podcast on Spotify: The North Korean IT Workers\r\nMandiant Blog\r\nBrian Krebs shared the post on LinkedIn and the comments are heartwarming.\r\nSource: https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us"
	],
	"report_names": [
		"how-a-north-korean-fake-it-worker-tried-to-infiltrate-us"
	],
	"threat_actors": [],
	"ts_created_at": 1775434640,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80a44b558d52a764e002ec58fc623dc900a0ba73.pdf",
		"text": "https://archive.orkl.eu/80a44b558d52a764e002ec58fc623dc900a0ba73.txt",
		"img": "https://archive.orkl.eu/80a44b558d52a764e002ec58fc623dc900a0ba73.jpg"
	}
}