Fake North Korean IT workers are rampant on LinkedIn – security experts warn operatives are stealing profiles to apply for jobs and infiltrate firms

The scammers' latest efforts mark a significant escalation in tactics, experts have warned

North Korean IT workers are hijacking genuine LinkedIn profiles to apply for remote jobs and infiltrate enterprises.

Security Alliance (SEAL) said the technique, which marks an escalation from previous fake worker schemes, is hard to spot initially as the profiles appear completely genuine - as, in a way, they are.

The fraudsters appropriate real identities, leverage verified workplace emails and identity badges, and construct credible employment histories to pass background checks.

Once settled into remote roles, they route corporate laptops through “laptop farms” to maintain the appearance of a regionally based workforce.

While salary diversion helps finance the regime, there's also a more strategic threat in the form of persistent access, including the installation of malware and the theft of intellectual property.

Darren Guccione, CEO and co-founder of Keeper Security, warned the news should be viewed as a structural shift and significant escalation in cyber risk.

"What we are seeing is not an isolated fraud campaign, but the industrialization of professional identity manipulation, where nation-state actors combine stolen personal data, AI-generated imagery and deepfake video interviews to embed themselves inside unwitting organizations."

There are relatively simple ways to spot the fraud, however, such as asking applicants to connect with you on LinkedIn to ensure they have ownership and control of the account.

Meanwhile, SEAL said users experiencing identity impersonation involving fraudulent job applications should consider posting a warning on other social media pages to protect their identity and the broader ecosystem.

This should include the date the fraud was detected and the tactics that were observed. Users should list the accounts they control - and the communication channels not used for job discussions. They should also provide a method of verification, for example, "contact via company email".

Identity security needs a rethink

Guccione said enterprise leaders need to face up to the fact that identity is now the primary attack surface - and that in a remote and hybrid hiring environment, perimeter security offers little protection when adversaries are granted legitimate credentials and endpoint access.

Organizations must respond by hardening identity governance. That includes, for example, rigorous identity verification during onboarding, enforcing phishing-resistant multi-factor authentication, applying least-privilege access from day one, and continuously monitoring for anomalous behavior.

"Privileged access has to be tightly controlled and audited at all times," he said.

"This campaign is a stark reminder that trust in digital identity must be earned and continuously validated. Without strong identity and access management controls, companies now risk providing expansive internal access to the very threat actors they are trying to defend against."

North Korea has been using fake remote workers to raise money for the regime for years now, with fraudsters claiming to be based anywhere from Italy and Ukraine to Japan, Malaysia, or Singapore.

While the scam initially targeted US companies, it has spread into Europe over the last year or so, with Google warning last summer that workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer.

Payment was managed via cryptocurrency, the TransferWise service, and Payoneer.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.