{
	"id": "d665be85-772f-45d7-a4a7-5723d4cc0cb4",
	"created_at": "2026-04-06T00:11:43.23826Z",
	"updated_at": "2026-04-10T03:20:45.966837Z",
	"deleted_at": null,
	"sha1_hash": "fd871d042046c37912f92c30d638c99f9c769aaa",
	"title": "The one interview question that will protect you from North Korean fake workers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60950,
	"plain_text": "The one interview question that will protect you from North\r\nKorean fake workers\r\nBy Iain Thomson\r\nPublished: 2025-04-29 · Archived: 2026-04-05 23:11:45 UTC\r\nRSAC Concerned a new recruit might be a North Korean stooge out to steal intellectual property and then hit an\r\norg with malware? There is an answer, for the moment at least.\r\nAccording to Adam Meyers, CrowdStrike's senior veep in the counter adversary division, North Korean\r\ninfiltrators are bagging roles worldwide throughout the year. Thousands are said to have infiltrated the Fortune\r\n500.\r\nThey're masking IPs, exporting laptop farms to America so they can connect into those machines and appear to be\r\nworking from the USA, and they are using AI – but there's a question during job interviews that never fails to\r\ncatch them out and forces them to drop out of the recruitment process.\r\n\"My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect\r\nof 'How fat is Kim Jong Un?' They terminate the call instantly, because it's not worth it to say something negative\r\nabout that,\" he told a panel session at the RSA Conference in San Francisco Monday.\r\nMeyers explained the North Koreans will use generative AI to develop bulk batches of LinkedIn profiles and\r\napplications for remote work jobs that appeal to Western companies. During an interview, multiple teams will\r\nwork on the technical challenges that are part of the interview while the \"front man\" handles the physical side of\r\nthe interview, although sometimes rather ineptly.\r\n\"One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name,\"\r\nhe recounted, \"and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it.\"\r\nBut it works enough that quite a few score the job and millions of dollars are being funneled back to North Korea\r\nvia this route.\r\nOnce placed in the coveted role, such workers are usually very successful in the company, since they have\r\nmultiple people working on one job to produce the best work possible - with the hope of getting a promotion and\r\nmore access to the business' systems - explained panelist FBI Special Agent Elizabeth Pelker.\r\n\"I think more often than not, I get the comment of 'Oh, but Johnny is our best performer. Do we actually need to\r\nfire him?\" she said.\r\nThe aims of these phony workers are two-fold, she explained. Firstly, they earn a wage and use their access to\r\nsteal intellectual property from the victim. This is usually exfiltrated in tiny chunks so as to not trigger security\r\nsystems.\r\nhttps://www.theregister.com/2025/04/29/north_korea_worker_interview_questions/\r\nPage 1 of 3\n\nOne mitigation strategy, she said, was to insist that any interviewee performed coding tests within the corporate\r\nenvironment. These allow the actual IP being used to get checked, interviewers to see how often the prospect is\r\nswitching between screens, and can allow other clues to leak out that all is not as it seems.\r\nIf the interloper is exposed and fired, however, they will usually have already collected login details, planted\r\nunactivated malware, and will then attempt to extort the maximum they can from the victim. She urged anyone\r\nwho spots a fake employee to contact their local FBI field office immediately.\r\nThe Red Queen's race\r\nBut the attackers are getting smarter, and in some ways the FBI is a victim of its own success.\r\nThe agency has been distributing advice to US companies but these memos are also being read in Pyongyang and\r\nthe workers are adapting their tactics. This sometimes involves using both aware and unwitting accomplices.\r\nFor example, to get around the IP address problem, laptop farms are springing up all over America. If an applicant\r\ngets a job, the firm will usually send him a laptop, at which point the interviewee explains that they've moved or\r\nhave a family emergency, so could they send it to a new address please?\r\nNorth Korea's fake tech workers now targeting European employers\r\nArizona laptop farmer pleads guilty for funneling $17M to Kim Jong Un\r\nUS 'laptop farm' man accused of outsourcing his IT jobs to North Korea to fund weapons programs\r\nNorth Korean dev who renamed himself 'Bane' accused of IT worker fraud caper\r\nSecurity biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil\r\nI'm a security expert, and I almost fell for a North Korea-style deepfake job applicant …Twice\r\nNorth Koreans clone open source projects to plant backdoors, steal credentials\r\nThis is most likely a laptop farm, where someone in the US agrees to run the laptop from a legitimate address for a\r\nfee, typically around $200 a computer, according to Meyers. Last year the FBI busted one such operation in\r\nNashville, Tennessee, and charged the operator with conspiracy to cause damage to protected computers,\r\nconspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected\r\ncomputers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens.\r\nRather than creating identities, the North Korean workers have now taken to either stealing the ones they want, or\r\nfooling people into handing them over for a good cause. There's a growing business in Ukraine of convincing\r\npeople to share their identity with third parties under the pretext of using them against Chinese agents who are\r\npropping up Russia.\r\n\"Unfortunately, because this is supporting North Koreans, the money then goes back through to filter through to\r\nNorth Korea regime,\" said Chris Horne, senior director at jobs site Upwork. \"Then, in turn, it goes to support the\r\ntroops that come back in through Russia. So they're basically paying for their own demise in Ukraine right now.\"\r\nWe've also seen deepfake job interviewees that are good enough to fool IT professionals, sometimes more than\r\nonce. This technology is only improving and will get more and more convincing, Pelker warned.\r\nhttps://www.theregister.com/2025/04/29/north_korea_worker_interview_questions/\r\nPage 2 of 3\n\nThe key to fixing this, the panelists agreed, was to educate everyone in the interview process – right down to the\r\nlowest staffer – and to be hyper vigilant for warning signs. If possible, they said, one should have someone local\r\nswing around for a personal meeting, and maybe also avoid hiring fully remote employees. ®\r\nEditor's note: This article was updated to correctly state Chris Horne's employer, namely Upwork rather than\r\nUpworthy. We regret the error.\r\nSource: https://www.theregister.com/2025/04/29/north_korea_worker_interview_questions/\r\nhttps://www.theregister.com/2025/04/29/north_korea_worker_interview_questions/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.theregister.com/2025/04/29/north_korea_worker_interview_questions/"
	],
	"report_names": [
		"north_korea_worker_interview_questions"
	],
	"threat_actors": [],
	"ts_created_at": 1775434303,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd871d042046c37912f92c30d638c99f9c769aaa.pdf",
		"text": "https://archive.orkl.eu/fd871d042046c37912f92c30d638c99f9c769aaa.txt",
		"img": "https://archive.orkl.eu/fd871d042046c37912f92c30d638c99f9c769aaa.jpg"
	}
}