A North Korean scheme to plant fake IT workers inside Western companies has been exposed from the inside, after one of its operatives tried to infiltrate the very firm that tracks the fraud.
Risk intelligence provider Nisos recently detailed how a supposed Florida-based AI architect applied for a remote job at the company in June 2025, and how the application unraveled into a look inside an active fraud cell.
A Resume Too Good to Be True
The resume mirrored Nisos’ job posting almost word-for-word and listed tools that did not exist during the stated employment periods. A brand-new email address with no breach history, a VoIP phone number and several conflicting resumes deepened the suspicion.
Nisos said the interviews settled it. The candidate’s eyes tracked across the screen as if reading, and the firm concluded an AI tool was supplying answers in real time.
To be sure, the team invented a hurricane and asked how it had hit the candidate’s supposed home in Florida. The candidate calmly reported minor rain and wind from a storm that never happened.
Read more: North Korean Hackers Targeted KnowBe4 with Fake IT Worker
Inside the Laptop Farm
Rather than walk away, Nisos played along. Canary tokens traced the operative’s connections to Astrill VPN, a service favored by North Korean workers, and the delivery address for the work laptop matched neither the resume nor the real Floridian whose identity had been stolen.
Nisos shipped a rigged laptop to the address and, through its camera, saw a closet stacked with machines, a literal laptop farm.
The devices were driven by PiKVM hardware, which lets a remote operator control a computer as if sitting at it, even before it boots, and is hard for corporate security to spot.
The access laid bare the cell’s setup:
-
Roughly 40 devices on the network, about 20 actively in use
-
Multiple personas employed at different companies at once
-
A Tailscale mesh VPN linking the machines
-
Willing Americans hosting the laptop farms on US soil
A National Problem
Nisos said hundreds of suspected laptop farms operate across the US, with wages routed through American bank accounts opened under stolen identities before reaching North Korea.
US authorities have said in the past that such revenue helps fund the regime’s sanctioned weapons programs.
Nisos urged employers to treat remote hiring as a security problem: deepening background checks, adding unexpected questions to interviews to expose AI coaching and monitoring device behavior after a hire, since standard vetting no longer catches operatives this well prepared.
