The Invisible Insider: North Korea’s Shadow Workforce
How DPRK infiltrates global firms and what it says about identity, trust, and the limits of remote compliance
This week, I’ve been thinking about remote work: not the kind that saves you a commute, but the kind that slips past your KYC program and into your codebase.
The United Nations published a report outlining how North Korean IT workers are infiltrating firms globally by exploiting weak identity and access management (IAM) practices. Often hired through freelance platforms or third-party vendors, these workers pose as remote developers, concealing their true identity and nationality.
In some cases, they go as far as renting proxy identities from real people: passport scans, LinkedIn accounts, even live video calls… all to fool employers into thinking they’re US- or South Korea-based engineers. Meanwhile, the money earned from these contracts, sometimes in crypto, is funneled back into DPRK’s weapons program.
The Anatomy of a Sanctions Evasion Campaign
Here’s what makes this case so striking: these actors aren’t breaching your network through malware or zero-day exploits. They’re walking in through the front door, posing as employees.
According to the UN report:
DPRK IT workers have operated under false identities, often using intermediaries to obscure origin.
They target smaller firms, often start-ups or contractors with limited due diligence.
They exploit remote work culture, where onboarding and verification processes are entirely digital, and often weak.
They cash out via crypto or third-party intermediaries, distancing themselves from formal financial institutions.
IAM: Identity Is the New Perimeter
This entire scheme hinges on one thing: you believe they are who they say they are.
And that makes it an identity problem, not just a sanctions problem.
Many firms still approach onboarding like a checklist: run a background screen, tick a KYC box, ship the laptop. But when facing a hostile state actor willing to forge entire personas and social footprints, the typical vendor or employee vetting process is simply not enough.
What’s worse? In some cases, these workers gain privileged access, including to infrastructure, source code, and client data, with little continuous authentication in place.
Compliance Meets Cybersecurity
This isn’t just a cautionary tale for HR or InfoSec. It’s a wake-up call for compliance.
Here are a few lessons we should take away:
Vendor onboarding ≠ KYC light: Even third-party developers need meaningful verification.
Ongoing monitoring > onboarding: Identity must be continuously validated, not just checked once.
Crypto payouts and cross-border gigs aren’t red flags on their own, but when combined with weak IAM, they can be a vector for sanctions evasion.
Geofencing and IP monitoring can help, but are easily bypassed, especially if the worker is using a rented identity.
Collaboration across functions: compliance, legal, and cybersecurity must work together to identify and mitigate the risk early.
Parting Thoughts
This isn’t about fearing remote work. It’s about knowing when “remote” becomes “anonymous.” The DPRK case is a reminder that financial crime doesn’t always look like a suspicious wire or fake invoice. Sometimes it looks like your new front-end developer.
Sanctions evasion is evolving. So must we.
As always, thanks for reading.
Source: UN Report
Alexey