The Deepfake Developer: How North Korean IT Worker Fraud Is Rewriting the Rules of Remote Hiring

North Korean IT worker infiltration jumped 220% in a single year, a fraudulent candidate can now clear a live video interview using a real-time deepfake, and the scheme has expanded from the US into Poland, Romania, and Serbia. Here's what's actually happening in remote hiring fraud — and why in-person-verified nearshore hiring is becoming a security requirement, not just a delivery preference.

Security & AIThe Deepfake Developer: How North Korean IT Worker Fraud Is Rewriting the Rules of Remote Hiring

The Principal Engineer Who Was Never Real

In 2024, the security awareness training company KnowBe4 hired a new principal software engineer. The candidate passed four rounds of video interviews, cleared a background check, and cleared identity verification. On the day the corporate laptop arrived, the new hire began loading malware onto it. The employee was a North Korean IT worker operating behind a stolen US identity and an AI-enhanced stock photo, and the company that got fooled was a firm whose entire business is training other organizations to recognize social engineering.

That case is not an outlier — it is the modal outcome of a scheme that has scaled from a handful of opportunistic actors into what US Treasury and DOJ officials now describe as an industrial revenue operation for the North Korean government. Fortune reported that North Korean IT worker infiltrations of Western companies rose 220% over a single twelve-month period, with generative AI now "weaponized at every stage of the hiring process" — from the fabricated resume to the interview itself. Nine security officials told Axios in 2025 that they had yet to encounter a Fortune 500 company that hadn't accidentally hired at least one North Korean IT worker.

For engineering leaders, this is not a curiosity from the security beat. It is a direct threat to the exact hiring motion that most companies use to build remote and nearshore engineering capacity: post a role, screen resumes, run video interviews, extend an offer, ship a laptop. Every step in that motion was designed for a threat model where the person on the other end of the call was, at minimum, actually the person they claimed to be. That assumption no longer holds, and the companies still operating as if it does are the ones showing up in the next DOJ indictment.

Inside the Machine: Stolen Identities, Laptop Farms, and a State Payroll

The mechanics of the scheme are consistent enough across dozens of prosecuted cases that they now read like a documented business process rather than an improvised fraud. A North Korean IT worker, often based in China or Russia, applies for remote developer roles using a stolen or fabricated US identity — frequently a real Social Security number belonging to an actual American, paired with a synthetic or AI-enhanced photo. A US-based facilitator, sometimes witting and sometimes not, receives the job offer's onboarding paperwork and agrees to receive the company-issued laptop at a residential address.

That residence is a 'laptop farm': a house or apartment stacked with dozens of corporate laptops, each one shipped by a different unsuspecting employer, each one running remote-access software that hands control to an operative overseas. The facilitator collects a fee or a cut of the salary for keeping the physical hardware live and answering the occasional in-person verification request. The operative, working the actual job from thousands of miles away, banks a salary that in the US can run into six figures.

The scale is now documented in detail through DOJ prosecutions. One scheme used 68 stolen identities to defraud 309 US businesses, generating more than $17 million for the North Korean government. A separate case saw two US nationals sentenced for placing North Korean workers at more than 100 companies, generating $5 million. The US Treasury's Office of Foreign Assets Control has sanctioned facilitators tied to a program that funneled close to $800 million to the DPRK in 2024 alone, money that flows directly into the country's weapons and nuclear programs. CrowdStrike's most recent tracking puts the 2025 total at roughly $2 billion in stolen and illicitly earned revenue — and projects that financial services firms, not just tech companies, are the next major target.

Key Takeaways

  • A single laptop farm can host dozens of corporate laptops shipped by unrelated employers, each remotely controlled by an overseas operative
  • One prosecuted scheme used 68 stolen identities to defraud 309 US businesses for $17 million; a related case hit 100+ companies for $5 million
  • OFAC-sanctioned networks funneled close to $800 million to North Korea in 2024; CrowdStrike estimates roughly $2 billion in 2025
  • The revenue funds the DPRK's weapons and nuclear programs directly — this is state-sponsored fraud, not opportunistic gig-economy abuse

Why Generative AI Turned an Occasional Scam Into an Assembly Line

The North Korean IT worker scheme predates generative AI by years — early cases relied on real facilitators coaching real (if impersonated) people through interviews. What changed the scale and the difficulty of detection is the same wave of AI tooling that is reshaping every other part of software engineering. Palo Alto Networks found that it now takes as little as 70 minutes for someone with zero image manipulation experience to assemble a fake candidate capable of passing a live video interview: face-swap software overlays a synthetic face on the live feed in real time, synced to the operative's actual speech, with voice-cloning tools available to replace the voice entirely if the accent or cadence would otherwise give it away.

The downstream effect shows up directly in hiring funnels. One founder told Fortune that roughly 95% of the developer resumes his startup received were from North Korean engineers posing as Americans. InCruiter, after adding deepfake detection to its interview platform in early 2026, found fraudulent activity in 25 to 30% of flagged sessions — nearly double the rate that experienced human interviewers had been catching manually. The tooling that makes AI coding assistants and agentic development possible is the identical tooling that makes it economically trivial to manufacture a convincing fake senior engineer.

This is the same pattern this publication has tracked across AI-generated code, AI-generated bug reports, and AI-generated open-source pull requests: a task that used to require serious effort — and therefore carried a natural cost that filtered out low-effort actors — has been made cheap enough that volume alone breaks the systems built to handle the old cost structure. Interview panels, reference checks, and portfolio reviews were never designed to catch a synthetic face convincingly answering questions about a real codebase in real time.

Key Takeaways

  • Palo Alto Networks: a convincing fake video-interview candidate can be assembled in as little as 70 minutes with zero prior experience
  • One startup founder reported roughly 95% of developer applicants were North Korean engineers posing as US citizens
  • InCruiter's deepfake detection found fraud in 25–30% of flagged interview sessions — nearly double the rate manual screening caught
  • Generative AI didn't invent this fraud — it removed the cost floor that used to keep it rare

The Scheme Just Crossed the Atlantic — Including Into Serbia

For the first several years of enforcement, this looked like a distinctly American problem: US Social Security numbers, US bank accounts, US-based laptop farms. That has changed as DOJ prosecutions made the US a harder target. CrowdStrike is now tracking new laptop farms established in Western Europe, specifically in Poland and Romania, where operatives are getting hired as full-stack developers under European identities and having company hardware shipped to European facilitator addresses instead of American ones. The UK is seeing a parallel pattern.

The regional detail that should get the attention of any Eastern European nearshore provider directly: investigators identified a fraudulent persona built around a resume claiming a degree from Belgrade University, and a separate confirmed case of a DPRK IT worker infiltrating a Serbian token/crypto company and stealing approximately $175,000 before moving the funds overseas. A CSIS analysis of the scheme's global expansion and CrowdStrike's reporting on the shift toward financial services as the next major target both point the same direction: this is not a one-region problem that Eastern Europe can watch from a safe distance. It is actively operating in the same labor markets that legitimate nearshore providers recruit from.

This matters enormously for the credibility of the nearshore model itself. The entire value proposition of hiring a senior engineer in Belgrade, Warsaw, or Bucharest rests on the premise that the person on the call is who they say they are, has the credentials they claim, and is physically where they say they are. A scheme that specifically fabricates Eastern European personas to exploit that exact trust is a direct attack on the nearshore value proposition — which means the industry's response to it needs to be taken as seriously as any other structural risk to the model.

Why Anonymous, Marketplace-Sourced Remote Hiring Is the Perfect Vector

The North Korean IT worker scheme does not thrive equally across every hiring channel. It thrives specifically in the parts of the remote hiring market built around anonymity and speed: freelance marketplaces where a profile can be created in minutes, staff-augmentation vendors who subcontract candidates they've never met in person, and any hiring process where 'remote' has quietly come to mean 'unverifiable.' The FBI's own guidance singles out exactly this profile — companies relying purely on virtual meetings, with no cross-check against a physical presence, a registered local employer, or a verifiable education and employment history.

This is the uncomfortable overlap with the broader outsourcing conversation this publication has covered extensively: the volume-oriented, lowest-bidder model that has always been vulnerable to quality problems is the same model that is structurally vulnerable to this specific fraud. A vendor whose business model is sourcing whoever is cheapest and fastest to place, with no persistent employment relationship, no physical office, and no institutional accountability for who they actually put in front of a client, is not just a quality risk. In 2026, it is a national-security-adjacent risk that a growing number of general counsel and CISOs are explicitly flagging in vendor due diligence.

The inverse is also true, and it is the more useful takeaway for engineering leaders currently building or expanding a nearshore team. A provider that employs engineers directly — with real local tax registration, a physical office its clients can visit, a verifiable multi-year track record, and named engineers whose identity was confirmed in person before day one — is structurally resistant to exactly the fraud pattern described above, for the same reason it has always been resistant to the bait-and-switch and quality problems covered elsewhere on this blog. Verification rigor and delivery quality turn out to share the same root cause: an employer who actually knows who they hired.

What Real Verification Actually Looks Like

The FBI, Treasury, and firms that have investigated this fraud in depth converge on a consistent set of controls, and none of them require exotic technology — they require the discipline of actually doing verification rather than treating it as a formality. Live video interviews should include an unobscured, verifiable background, and a request to pan the camera toward a window or exterior view; scammers coach around static backgrounds but rarely have a second location to fake convincingly on demand. Candidates should be asked specific, unscripted questions about their claimed current location that a real local resident would answer without hesitation.

Identity should be cross-checked independently of what the candidate submits: government ID matched to a live selfie through a liveness-detection step, education and prior employment verified directly with the institutions and companies named — not just the references the candidate provides — and photos and contact details cross-referenced against social media and payment-platform profiles for inconsistency. Amazon's internal fraud team combines this kind of anomaly detection with manual review specifically looking for hijacked online profiles and geographic mismatches between claimed location and technical signals like IP address and language settings.

Equipment handling is its own control point. Corporate laptops should ship only to an address that matches the identity documents already verified — never to an address a new hire requests changed after the interview process closes, without additional independent verification of that change. And access provisioning should ramp gradually: a new engineer, however senior, should not receive broad production or client-data access on day one, precisely because the earliest days of an employment relationship are when an undetected fraudulent hire does the most damage before anyone notices something is wrong.

At StepTo, this is not a bolt-on compliance exercise — it is the difference between our model and the marketplace alternative. Every engineer on a client's dedicated team is a named, in-person-interviewed employee of our Belgrade office, hired through standard Serbian employment and tax registration, not a profile assembled on a freelance platform. Clients can visit the office. They can meet the team. That is a deliberate structural choice, and in 2026 it is also a security control.

Key Takeaways

  • Live video verification: unobscured backgrounds, camera pans to an exterior view, unscripted questions about claimed current location
  • Independent identity checks: government ID plus liveness detection, direct verification of education and employment with the institutions themselves
  • Equipment control: ship only to the address on file; treat any late address-change request as a red flag requiring re-verification
  • Gradual access provisioning: new hires, regardless of seniority, should not receive broad production or data access before verification is complete

The Questions to Ask Any Outsourcing or Staffing Partner Right Now

For CTOs and business owners currently building or evaluating a remote or nearshore engineering relationship, this risk needs to become an explicit line item in vendor due diligence, alongside the security and quality questions already covered elsewhere in this series. Ask directly: are the engineers on our team direct employees of your company, or subcontracted through a marketplace or a chain of smaller vendors you don't have visibility into? Were they interviewed and identity-verified in person, or purely over a single video call with no independent cross-check?

Ask whether the vendor has a physical office presence you can visit, and whether they will let you meet the specific people assigned to your project — not a sales team, the actual engineers. Ask what happens to background checks and reference verification when a candidate is sourced through a subcontractor rather than hired directly; in our experience, the answer to this question reliably separates providers who have thought seriously about this risk from those who are exposed to it without realizing it.

None of this replaces the technical and delivery-quality due diligence this publication has recommended in prior posts — it sits alongside it. But it deserves the same weight, because the consequence of getting it wrong is no longer just a bad hire. It is a compromised laptop inside your infrastructure, sanctions exposure for the company that paid the salary, and — as CSIS and Treasury have both documented — a direct funding line to a nuclear weapons program. That is a different category of risk than a missed sprint deadline, and it should be evaluated with a different level of seriousness.

Key Takeaways

  • Ask whether engineers are direct employees or subcontracted through a marketplace or vendor chain you can't see into
  • Ask to meet the specific engineers assigned to your project in person or on video with independent identity verification — not just the sales team
  • Ask how reference and background checks are handled when candidates come through a subcontractor rather than direct hiring
  • Treat this as a distinct due diligence category, not a subset of general quality vetting — the downside risk (compromise, sanctions exposure) is categorically different

The Bottom Line

The North Korean IT worker scheme is not a story about a distant geopolitical threat — it is a direct, documented attack on the exact hiring motion that remote and nearshore engineering depends on, and it is expanding into the same European markets where the nearshore model has built its reputation over the past decade. The companies getting burned are not careless; KnowBe4 trains other companies on social engineering and still hired an operative as a principal engineer. The lesson is not that remote hiring is broken — it's that verification has to be treated as infrastructure, not paperwork: real employment relationships, physical offices, identity checks that don't stop at the resume, and access provisioning that assumes trust is earned over the first weeks, not granted on day one. For engineering leaders evaluating a nearshore partner in the second half of 2026, that verification discipline is no longer a nice-to-have in the pitch deck. It is the question worth asking first.

Building a team in Eastern Europe?

StepTo helps European and US companies build senior-led nearshore engineering teams in Serbia. Let's talk about what your next engagement could look like.

Start a conversation
I

Written by

Igor Gazivoda

Co-founder & CEO · StepTo

Igor has 15+ years in software engineering and business development. Former CTO at a Series A fintech startup, he specializes in scaling engineering teams, nearshore strategy, and AI-driven product development. He holds a Master's in Computer Science from the University of Belgrade and has published on distributed systems architecture.

LinkedIn →
Performance-led engineering

Senior engineers who move work forward, not just tickets.

Work with accountable, English-fluent professionals who communicate clearly, protect quality, and deliver with a steady operating rhythm. Cost efficiency matters, but performance is why clients stay with us.

Delivery signals · senior engineering team
Senior ownership
Lead-level
Delivery rhythm
Weekly
Timezone overlap
CET
1 teamaccountable for outcomes, communication, and execution