On National Social Engineering Day, we’re pulling the lid off one of the most dangerous insider threat campaigns in the world — North Korea’s fake remote IT worker program.

Using AI-generated résumés, real-time deepfake interviews, and U.S.-based “laptop farms,” DPRK operatives are gaining legitimate employment inside U.S. companies — funding nuclear weapons programs and potentially opening doors to cyber espionage.

We’ll cover the recent U.S. sanctions, the Christina Chapman laptop farm case, and the latest intelligence from CrowdStrike on FAMOUS CHOLLIMA — plus, we’ll give you specific, actionable ways to harden your hiring process and catch these threats before they embed inside your network.

Actionable Takeaways for Defenders

1. Verify Beyond the Résumé:Pair government ID checks with independent work history and social profile verification. Use services to flag synthetic or stolen identities.
2. Deepfake-Proof Interviews:Add unscripted, live identity challenges during video calls (lighting changes, head turns, holding ID on camera).
3. Geolocation & Device Monitoring: Implement controls to detect impossible travel, VPN/geolocation masking, and multiple logins from the same endpoint for different accounts.
4. Watch for Multi-Job Signals: Monitor productivity patterns and unusual scheduling; red flags include unexplained work delays, identical deliverables across projects, or heavy reliance on AI-generated output.
5. Hold Your Vendors to the Same Standard: Ensure tech vendors and contractors use equivalent vetting, monitoring, and access control measures. Bake these requirements into contracts and third-party risk assessments.

References

• U.S. Treasury Press Release – Sanctions on DPRK IT Worker Scheme
• CrowdStrike 2025 Threat Hunting Report – Profile of FAMOUS CHOLLIMA’s AI-powered infiltration methods
• National Social Engineering Day – KnowBe4 Announcement Honoring Kevin Mitnick