To Catch a Thief: North Korea On Our Payroll

Ep. 1: Strange Things Are Happening


A new breed of worker is quietly clocking in across the United States. They’re writing code. Managing your passwords. Training the next generation of AI models. They’re gaining trust. And access.  On...

Transcript


A new breed of worker is quietly clocking in across the United States.

They're writing code, managing your passwords, training the next generation of AI models. They're gaining trust and access.

They've turned up at Fortune 500 companies in entertainment, ag, tech, cybersecurity companies.

We've found them at defense contractors and U.S. government agencies. One even popped up at a nuclear utility.

On paper, they're the dream hire: skilled, low maintenance, always remote, and often affordable.

And by most accounts, they're doing the work. But strange things are happening. As far back as 2023, we had a couple of odd incidents, and we just didn't understand what was happening. The person that would be on camera, that person didn't really look right on screen.

That person took a lot of time to answer questions. You'd see them looking off-screen, where they're using some sort of chatbot to answer questions. Employers are waking up to a deeply unsettling realization.

The person they hired is not who they thought they were.

We have an individual that didn't seem to know what they were supposed to know.

A person's resume might say they've got 15 years as a senior developer, yet the ID shows they must have been 10 years old when they went to college. These mystery workers, they're applying by the thousands. They're making it past HR screenings and background checks. And once they're in, they know how we work.

In some cases, even better than we do ourselves. Some of these guys are funny. I wouldn't say it's innovative as much as it is how well they understand our system. Like, how do they understand our society so well?

They know that HR can't talk to a certain person if they're on med leave, if they're sick. I've seen an IT worker that started smelling the heat, and they knew that they were coming for him. So he immediately went on med leave: hey, I'm sick. Who knows what they're capable of.

When this first came up, I remember putting my head in my hands and saying, "This was my worst nightmare." You're probably thinking these workers are part of a scam ring or a ransomware crew. And that description is not far off. But zoom out, and a different picture emerges. These workers aren't freelance criminals.

They're part of a global labor pipeline, managed, trained, and deliberately planted by a nation-state. And not the usual suspects: not China, not Russia, though both will make a cameo. The actor behind this operation, it's the one we least expect. North Korea. North Korea.

North Korea employs sophisticated computer hackers trained to launch cyber infiltration and cyberattacks against the ROK and U.S. Kim Jong Un, like his father and his grandfather, has played an extremely weak hand brilliantly. There are people who like to get out there and say, "This man's crazy." If so, he is crazy, but he's a pretty brilliant strategist, a pretty brutal player, and pretty savvy at understanding how small technological edges, nuclear and cyber, enable him to have the power to reach out at the United States and other enemies. I'm Nicole Perlroth, and this is To Catch a Thief. I've spent the past 16 years swimming in cyber threats. For a decade, I was the New York Times' lead cyber reporter.

I wrote a book, This Is How They Tell Me the World Ends, investigating the ins and outs of the cyber arms market. And now I travel the world educating people about cyber threats and partnering with those determined to solve them.

Ask any cyber expert which nation continues to blindside us, and one name keeps coming up, not because it's the biggest or the most technologically advanced, but because no country punches further above its weight than North Korea. Its hackers have crippled a Hollywood movie studio, taken direct aim at free speech, stolen billions in cryptocurrency, and now they're infiltrating the global workforce at a scale most people have no grasp of, but which has quietly become an economic emergency.

They've proven remarkably innovative, and they're early adopters.

North Korea embraced cryptocurrency long before most governments even understood it.

And now they're doing the same with AI, evolving far beyond the cartoonish caricature we still cling to. Here's Andrew Scott, who spent most of his career inside three-letter agencies, like the CIA, tracking Chinese and North Korean cyber threats from the inside. Inside government, we started looking at the North Korean cyber program. I think, as an industry, we discount the level of, I hate to use the word, but sophistication of the North Koreans. We think of them as a hermit kingdom. We think of them as isolated. We think of them as impoverished.

When in reality, they are incredibly capable, and they've spent the time, energy, effort, and money on building something that they can use to achieve their aims.

North Korea has spent decades cleverly evading sanctions through smuggling, shell companies, and covert trades of coal and weapons for fuel and cash. We continue to see illegal imports of additional refined petroleum using ship-to-ship transfers, which are clearly prohibited under the UN resolution. We must all be accountable for cutting off North Korea's illegal coal exports, which provide funds that go directly to its WMD programs.

The perception that sanctions can bring us to our knees is a pipe dream of the people who are ignorant about us.

But today, the regime's most powerful sanctions-evasion tools aren't smuggling routes. It's hacking and remote IT work. I'll tell you that the most interesting thing I've ever seen is, without a doubt, the IT worker problem. This is an employment fraud from a state tied to an intelligence service. That was John Hultquist, chief analyst at Google Threat Intelligence.

I remember telling people about IT workers in a room, and nobody knew what I was talking about.

When I talk about it now, everybody's already had an experience with it, right?

To be clear, this is a nuclear-armed adversary on our payroll. But this isn't just a story about paycheck fraud, because the insider access they gain can be used for something else entirely. They are going to turn that insider access from a revenue-generating salaried position into an insider threat position.

If you're paying 150k a year and they see an opportunity to steal $2 million, I've seen it happen. They'll do it. Have they ever done it? They've done destructive attacks. They've done stuff on the inside. So really, what we have now is a worldwide chess game.

They've put all their pieces in place. If push comes to shove, you have thousands and thousands of organizations at your disposal that you can start blowing up from the inside. But we're getting ahead of ourselves, because the story you're about to hear didn't begin with a million-dollar breach or a geopolitical standoff.

It begins somewhere far more ordinary: just off the Beltway in Arlington, Virginia, where a single employee acting strangely set off a chain of events no one saw coming. Yeah, it's a fascinating story. Back in 2022, we were working through a threat investigation for one of our clients.

Meet Ryan LaSalle, the CEO of Nisos, a company that investigates what it calls "human risk." Companies hire Nisos to look into insider threats, usually when they suspect a competitor has planted a mole, or, on rare occasions, a nation-state operative. In this case, the client asked Nisos to take a closer look at a former IT worker, someone who'd left a strange impression on leadership. Nisos won't name the client because of confidentiality agreements, but suffice to say it's one of America's most influential media brands. They had a weird sense that something was not right with a person who'd just left the company. They were a remote worker, they're seldom on camera, and when they are, they're pretty occluded.

They're backlit. You can't see them. Their performance and their skills not matching their resume, their behaviors seeming kind of antisocial, the disconnect from their team. There were a lot of weird things about the quality of their work, and it gave the head of security that weird tingle in the back of his neck.

The sense was the person wasn't who they said they were.

So we kicked off an investigation and found a lot of strange things.

Nisos hands the case to one of their best, Ben Reesonberg, an analyst who'd come to the firm from the CIA. Ben asked the client to turn over everything they had on this one worker. We ask our clients to send us basic phone numbers, email addresses, pictures of the person from meetings, and then we dive in and see what's out there about this person in the wild. And we quickly found that the photo on the LinkedIn page for the individual was reused on other people's LinkedIn pages, different names with the same profile photo, which kind of tips us off that it is probably somebody who is trying to get jobs at multiple other companies and claim to have different experiences.

So that's sort of the tipping point.

These LinkedIn personas with the same photo, they all seem to materialize overnight. Despite lengthy resumes and polished work histories, many of these profiles had only recently been created, and they're self-referential.

They're connected to one another; several even list the same colleges and former employers. And those former employers, they don't pass the sniff test either. One company, for instance, claimed to be located in Michigan. When I looked to see what the building was, it used to be a frat house back in the day. Nobody lived there.

And everyone who claimed to have worked at this fake company in a former Michigan frat house hadn't been on LinkedIn for very long. In fact, until recently, these people had very little digital exhaust at all. By now, if you're a real person living in this most interesting century, there's a 99.99% chance you've been the victim of some kind of data breach.

Your information's out there: your usernames, your passwords, they're all laid out on the dark web. But these employees, somehow they've managed to evade every known breach. What breach data really is is a bunch of email addresses and passwords leaked on the dark web, for LinkedIn users, for instance.

And if somebody is not appearing in those breaches and leaks, that's usually an indication that something was set up that's fake or brand new. And none of these people had breach data out there on their email addresses, on their phone numbers, on their names. These people seem to come out of thin air.

Exactly. That is probably one of the most ironic things for most security professionals; that usually gets a laugh. I'm like, wait, you're telling me the thing that I spend my life trying to protect against, a data breach, is one of the number one ways you can tell someone's real or not, because everybody who's real has been impacted. That's correct. We've all gotten those notices from our health insurers, from our retailers, from all the different places that have lost our data. And so if you haven't, then you haven't existed in digital life.

But it wasn't just this one worker. Everyone in his network had miraculously managed to avoid every known data breach. And when Nisos dug into their email addresses, it became clear they weren't looking at an isolated case. They were looking at a system.

They all used certain numbers, so we'd see 0317 in all the email addresses. So it might be MikeMyers0317. The next email that we see in the application is MichaelJones0317. So there's patterns. They usually use .dev in their email address, or .engineer, so they know what kind of jobs they're applying to.

It makes it easier when they, on the back end, need to remember all this. Once it's clear this worker's online presence had been systematically faked, Nisos shifts its focus to his laptop and its physical location. So once we figured out that there's something going on, that this is an employment scheme,

we asked the client, can you send us the shipping address for the laptop?

What was really interesting in that case, and this is the first time we saw this happening, was that the shipping address was changed right before the laptop was supposed to go out. This was a big tell, and one that will come up again and again. We ask, where can we send you a laptop from our company? And you change your address at the very last second. I live in Texas, but my mom is really sick, and so I'm visiting her in Atlanta, and you send it to her house in Atlanta. It's very understandable to an HR team. Like, of course we want you to be with your mom when she's sick; we'll send you a laptop right there. But it's also a classic redirection, and that's exactly what happened with this one. So in this case, the employee had actually told this client he lived in Atlanta.

But then, at the last minute, he told them his mom was sick and he asked them to ship the laptop to Nashville. So Nisos looks into this address, and what they find was no worker, no one who even looked like the guy the company had interviewed on camera, no sick mother, no one who matched the story at all.

Okay, if your privacy hackles are going up right now, it's worth reminding everyone that your corporate laptop is not a personal device.

You have no expectation of privacy there. Your location, your emails, and browsing activity, it's all fair game the moment you do anything to trigger a security alert. But I should also mention that these investigations aren't meant to be arbitrary. They're driven by risk signals.

Signals that are defined and often constrained by HR and legal frameworks. Yeah, I've covered cases where these investigations have gone way off the rails, but not here, because in this case there were more than enough red flags. There were two individuals who lived at that address who were just finishing their college education. On their social media, we saw that they had congratulated themselves on just finishing this degree.

And we noticed that those people were not the person that applied, or that even looked like the person that applied. So we determined that that was probably either somebody housing it there or somebody subletting a room; something like that was happening in that regard. As Nisos starts investigating the traffic from this one laptop, they discover that employees have been using a VPN, a virtual private network, to bounce their internet connection around the globe. Now, the use of a VPN isn't suspicious. VPNs are common, often required. They allow employees to securely access corporate systems from anywhere. But this VPN stood out: Astrill, an offshore VPN registered in Liechtenstein, one of the few VPNs that reliably evades China's Great Firewall.

Okay, so at this point, are you thinking someone's outsourcing their work to China, or that this is some nation-state-level Chinese spy network?

We didn't know if it was nation-state-focused or not. We just said, here are all the data points that we have. We do think that there's something shady going on. But in the beginning, we had no idea. You just thought it was weird.

It gets weirder. When they look closer, they realize this wasn't just one connection. The same VPN infrastructure appeared to be routing activity from dozens of laptops, tied to dozens of different companies. When we peeled back the onion a little bit more and got more into the network, this individual's friends, they were working for Fortune 500 companies. We found all different sectors. It was across the board. It wasn't just one sort of targeted industry per se. So we had technology, we had social media, media companies, healthcare, fintech.

And then it just got bigger and bigger, to the point where we then were able to figure out IP addresses matched up with what the FBI provided for known VPN addresses for DPRK. DPRK: the Democratic People's Republic of Korea, shorthand for North Korea. Turns out, as Nisos was heads-down in its investigation in 2022, they'd missed an urgent government advisory from the FBI, State, and Treasury earlier that year. The agencies had warned companies that North Korea was dispatching thousands of skilled IT workers overseas to get remote work and generate revenue for the regime. You'd think that advisory would have been big news. But like most cyber threats, it barely registered.

Even within the cybersecurity industry, most people missed it. Nisos only found the advisory mid-investigation, but when they cross-matched their technical findings with the accounts listed in the advisory, bingo, a match. Oh my god, I cannot believe we tied it to something. That's fantastic. We all jumped around.

We're like, this is unbelievable. This is amazing. But we need to go back to our client immediately and tell them, because now it's not just an employment scheme; it is something that's way bigger. And we said, I think we have a link to North Korea.

They got on a phone immediately, so we had a meeting, and they said, "Wow, this is unbelievable." But I think it was shock that this is North Korea. The next question that came was, why are they targeting us? And this is something that we still get asked by clients and prospective clients: "Why us, why now?"

And that's the million dollar question.

Why are North Koreans taking remote jobs at U.S. companies? Are they stealing trade secrets, setting footholds for future ransomware attacks or extortion, or, worst-case scenario, are these sleeper cells for crippling attacks?

The truth is, we can't rule anything out.

But strangely, most of this comes down to something far simpler: the paycheck. And that's because, well, they need the money. The North Koreans will do anything for money, especially hard currency.

Season one listeners may recognize that last voice. That's Jim Lewis, former ... and veteran thinker on how cyber is reshaping global conflict.

We have put every sanction known to man on the DPRK, actually because of their proliferation-related activities, missiles and nukes. North Korea has successfully tested a hydrogen bomb many times more powerful than devices used in previous tests.

We are getting more reaction from North Korea regarding those recent U.N. sanctions against the regime. "Sanctions relief really cannot take place until such time as we have demonstrated that North Korea has been completely denuclearized." The U.S. has sanctioned North Korea in various forms for over 70 years, but North Korea's first nuclear test in 2006 really sent things into overdrive. Since then, the U.N. has only tightened the chokehold, hoping to force Pyongyang to give up its nuclear ambitions. Instead, the regime has adapted.

The DPRK started inventing new, startlingly innovative ways to bring in cash.

Now, for those of us who are completely ignorant of the Korean War, can we ask you to give us kind of a two-minute history lesson on the region and how this current dynamic came to be? So everyone, I hope, watches Korean television, and if you don't, you probably listen to K-pop. It's called K-drama, it's great, and they have a lot of historical dramas.

The angst for the Koreans is that they had an independent kingdom, and it became a Chinese protectorate, and then the Japanese invaded Korea and took it over and made it a colony. That was about 1910. It was a very unhappy moment for the Koreans. So you had a Chinese vassal state for a couple of centuries, you know, then the Japanese colony, a very tough Japanese colony.

During World War II, an estimated 200,000 women, mostly Koreans, were kidnapped and forced to become sex slaves for Japanese troops. And then, of course, at the end of World War II, unfortunately, the U.S. drew a map that had a line, our side and their side: the North, held by the Soviets; the South, held by the Americans. That line, the 38th parallel, was actually drawn in the span of 40 minutes by a couple of exhausted U.S. colonels late at night. Consulting a National Geographic map, they divided the Korean Peninsula into two roughly equal pieces. But this line didn't follow a river or a mountain range or any natural feature. They just indifferently drew it through villages and families, and it was meant to be temporary. But instead, it hardened into a permanent fault line, a single line that still dictates everything that came after. And so the current leader's grandfather, Kim, said, "Hey, this is my big moment. I always wanted to rule the whole peninsula." And so he invaded. A very messy invasion.

In June 1950, under the direction of Kim Il-sung, North Korean forces crossed the 38th parallel. South Korean villages awoke to a world suddenly filled with noise and flame. The communists, made bold by months of small-scale raiding across the 38th parallel, finally launched their undeclared, all-out war of conquest. The attack caught them completely unprepared, and it went back and forth for a few years. Very messy war. The war seesawed for three years, until it froze, unresolved, to this day. The scene is set, the formalities remain. A set of documents is signed by General Harrison. The Red delegates watch their representative put his signature to the treaty. The armistice is signed, and cameras record the moment of history.

And finally, they ended up with this DMZ, demilitarized zone, where they're on one side, we're on the other.

We still have a big presence in Korea, a military presence in Korea. For a long time, Granddaddy Kim was still hopeful that he could become the ruler of Korea. At one point, he even sent a team into South Korea to assassinate the Korean president to take it over. So, a complicated history. That's kind of where we are, and it's been stuck ever since. There's actually no peace agreement between the US and Korea. We're still technically at war; there's just a pause while we sort things out.

The difference, of course, is that in 1953, the Soviet-style economic model ... style economic model seemed to be about the same.

North Korea might have been even a little richer in the 1950s, and over the intervening 60 years or so, South Korea pulled way ahead. North Korea's still a dump, a Soviet-style dump, and South Korea's a wealthy, developed country with some great stuff. This is really the crux of it. South Korea surged into a global economic powerhouse; North Korea collapsed inward, isolated, sanctioned, and desperate for cash, and that desperation needed an outlet. Let's say you're the leader of a country that has a 1956 Soviet-style economy. You're not going to make a lot of money. So the Koreans got into smuggling and forging. One of the reasons why the $100 bill looks different is because the North Koreans were able to make a $100 bill that was indistinguishable from the real thing and just pumped them out, right? I still think they try and do that. These North Korean $100 counterfeits were so convincing that they even earned a nickname from law enforcement, supernotes, and in 2013, supernotes actually forced the U.S. Treasury to redesign the $100 bill.

That's why you now see that blue 3D security ribbon woven into the paper.

But their counterfeits are still legendary. My name is Adam Meyers, and I am the head of Counter Adversary Operations at CrowdStrike. Which is my favorite title in the cybersecurity industry. Welcome, Adam. I remember hearing stories about a Secret Service agent who had met some North Korean individual in the U.S. who was selling $100 bills for half off, and what the agent did was send it to the Secret Service, and the lab came back and said these are real. And the agent said, well, then I'm quitting and going into a different line of work, because I'm buying these for $50 on the dollar. And the lab looked at it again and said, oh, actually, these are counterfeit.

What that North Korean was doing was taking large amounts of cash, going to Las Vegas, running it into a slot machine, pulling the handle once.

That's effectively how they laundered the counterfeit money, which, you know, you think about Vegas: Vegas doesn't lose money, right? They're not in the business of getting fooled or duped by counterfeits. So the fact that this currency was so real-looking that it could bypass all of those countermeasures really spoke to the capabilities of what the North Koreans were able to do from a counterfeiting perspective.

And as they started looking for alternative revenue sources, they realized that there's things that they can do in order to generate cash that would be less observable. A lot of the early North Korean activity targeted massively multiplayer online games in South Korea and Japan. So they would go steal things from people in the game and then sell it on the black market for that game. So a lot of gaming people probably aren't going to go complain if their stuff got stolen, and even if they do complain, there's not a lot of recourse, right, because it's not a tangible item. It's gone.

So if there was a rare item, they would go steal it and then sell it to generate revenue as well.

So there was kind of always the cybercrime edge to what they were doing.

What Adam is describing here is a pattern of innovation. North Korea moved from counterfeiting to low-level virtual video game theft and eventually to hacking. So smuggling and counterfeiting, those were the big money makers before hacking, and in some ways hacking has taken their place, because hacking, it's safer, it's easier, and it pays as well, if not better. When we talk about tier 1 cyber powers, we're usually talking about the US, Israel, China, and North Korea rarely makes the cut. But if you ask the people who track these hackers for a living, they'll tell you it should. Here's Nick Carlson, a former FBI analyst who specialized in North Korean hacking.

The FBI is largely focused on a couple of issues, right, especially with cyber and national security: that's Russia and China.

So yeah, North Korea, it's always this red-headed stepchild that nobody wanted to own, nobody wanted to deal with it. It's this lackluster target. For anybody in the government, certainly not like a top priority. And these North Korean hackers, they are extremely successful, right? This is, at its heart, a tech venture. This is a criminal cyber startup, and these guys are crushing it. They are the best in the world at this.

So it's kind of like a perverse, you know, success story, right, of the talent and creativity of these people.

And it's a tragedy, right, that they're doing this for this awful regime.

In fact, if there's any consistency to North Korea's cyber operations, it's only that they've consistently caught us off guard. When Americans hear "North Korea," what comes to mind isn't strategy, it's spectacle. North Korea flying hundreds of balloons carrying trash and feces toward South Korea Wednesday, calling them, quote, "gifts of sincerity."

A rogue state, a cartoon villain, a madman with missiles and questionable haircuts. What are you actually talking about with, and I don't mean this insultingly, a madman murderous dictator? It's called "Friendly Father." It's gone viral on TikTok, with, I imagine, some oblivious to the Korean lyrics, which include, let's sing, Kim Jong-un, the great leader.

The latest satellite images show what look like volleyball tournaments happening at the nuclear test site. And yes, some of that reputation is earned. North Korea executed its defense chief for sleeping during a meeting and talking back to young leader Kim Jong-un.

Kim Jong-nam was murdered as he was about to board a flight at the Kuala Lumpur airport, reportedly by two women who either sprayed or injected him with poison. Much of the world believes North Korea ordered the hit on Kim Jong-nam, half-brother of North Korean Supreme Leader Kim Jong-un.

Here in the States, we like our enemies simple, but North Korea has never been that.

The caricature has a cost, and the truth is, well, while we're laughing, North Korea has been rapidly evolving. In fact, when North Korea sets its sights on a target, rarely does it miss. More often, it sets an example. "A righteous deed," the words of North Korea today over that scandalous hacking of Sony Pictures. North Korea apparently liked it, but says it's not behind it.

Embarrassing emails and personal documents were made public, millions of dollars lost, and hackers warned of terrorist attacks at movie theaters. Hackers successfully stole $81 million from Bangladesh's central bank by sending false payment requests to the New York Federal Reserve. North Korean hackers stole $1.5 billion worth of Ethereum from Bybit, the world's second-largest crypto exchange.

It happened in just minutes. They have already laundered about $160 million of the stolen loot through accounts linked to North Korean operatives. The attack targeted XZ, which is a widely used open-source software that underpins a large part of the Internet's operational infrastructure. The hackers reportedly inserted malicious code into a routine software update for XZ. Though it gets overlooked, cybercrime is now a core pillar of the North Korean economy.

By some estimates, it makes up half the regime's total funding. But it's not steady income. It comes in bursts. Big hacks take time. They require patience, preparation, luck.

A regime can't build a budget around a single billion-dollar score. It needs steady funding. And salaried IT workers? That's recurring revenue. It started off with gig economy jobs.

We were paying people to do the work. But the thing that really kicked it into high gear, getting full-time salaried jobs, really came with the push towards remote work. And that really exacerbated during the pandemic, because we weren't putting people into offices, we weren't doing in-person interviews.

And that created the opportunity for the North Koreans to kind of swoop in and start to take over and start working those jobs. It took a while before people started to figure out what was going on, because they showed up for work. They did the job.

They did an adequate job in many cases. A lot of times they just slipped under the radar for many years. I was like, who would have hired a North Korean IT worker? Then I dove into the problem and, oh crap, we'd hired one. Here's Kevin Mandia, founder of Mandiant, and now my partner at Ballistic Ventures.

We were all doing remote interviews, remote hiring, and they were actually good engineers. That's what they were. And I walked away going, we don't have a good way to stop this problem right now. We really don't. There's thousands of them, you know, and COVID gave them the perfect environment.

And here's Charles Carmakal, Mandiant's chief technology officer.

Honestly, I've yet to find a company that has told me they haven't unintentionally hired a North Korean IT worker where I felt confident that they actually had a great awareness of whether or not they've actually hired them or not.

Most of the organizations that I talk to that are Fortune 500 companies say, we've unintentionally hired a North Korean IT worker.

It just happened, it slipped through the cracks, because, by the way, people didn't really understand that this was a thing.

It was what I first heard about North Korean IT workers, it sounded far-fetched.

It didn't sound, it didn't sound like it was something that was really happening. And it took me a few cases before I truly understood how real and how significant and serious this was. There have been a few Fortune 500 organizations, scissors, that have told me they don't believe that they've hired in the North Korean IT workers.

My assumption is that they just weren't made aware of it. One of the reasons this is so easy to miss is because this scam is unlike anything these Fortune 500's have ever dealt with. Here's Steve Stone, Senior Vice President of Threat Intelligence at Sentinel One, another cybersecurity firm.

One of the unique aspects is, I mean, they're scamming because they're representing themselves as somebody else, but they're actually doing the work. And this is a key fascinating thing that sets the North Korean IT worker scheme apart. You hear employment fraud and you picture someone phoning it in, scooping an undeserved paycheck. But to be clear, that isn't necessarily what's happening here.

The North Korean worker scheme isn't about skating by. They're not conning companies out of cash. They're conning companies into paying a sanctioned adversary. They're not just collecting a paycheck and not going to work. These people become actual employees inside of these very large structures.

And it's run like we see a lot of other criminal enterprises. That last part is key: run like a criminal enterprise.

I think understanding that North Korea is a cyber syndicate and less of an actual government or a nation, then everything will kind of start falling into place. Meet Barney, the man who's probably tracked North Korean hackers, and more recently these IT workers, closer than anyone. My name is Michael Barnhart, my nickname is Barney, and my current role is a nation-state insider threat investigator over at DTEX Systems.

I know that what we're talking about here is the IT workers, which, by the way, I don't know if any of them told you about the tattoos, but I did finally get that one. What is the tattoo?

Okay, it's on my foot, so it just says IT workers, but there's something they always say in the resume. They always say they have a rich experience, so I put quote-unquote "rich experience" IT workers. My God. Barney is deeply committed to the North Korean IT worker issue, to put it mildly.

He's tracked North Korea's hacking units for years, but it's like whack-a-mole.

I'd say for every IT worker, there's probably seven personas attached to it. We've seen multiple IT workers in a company and they're all the same person. Which makes it nearly impossible to know how many there really are. Each North Korean operates under multiple aliases, applying to as many jobs as possible. Sometimes the same ones over and over again.

They'll lose a job and then they'll come back to the same job. We saw one the very next day. He had combed his hair the other way, different shirt, different background, it was the same guy. That was just fired the day before, like we didn't know who you were.

He came back to reapply? Yeah, under a different persona. Even the largest companies, companies whose security teams resemble nation-state-level intelligence agencies, who insist their vetting is so airtight they could never hire a North Korean operative, are discovering their contractors already have. I'll go to one of the big names or one of these Fortune 10 companies, they're like, you don't have anything in our holdings. And I was like, okay, now run these same 2000 email addresses across your contractors, and they light up like a Christmas tree.

Which brings me to Amazon. Late last year, Amazon disclosed that one of its contractors hired a North Korean as an IT systems administrator. Amazon detected the operative, not through one indicator, but several. Here's Amazon's Amy Herzog.

I'm Amy Herzog. I am the Chief Information Security Officer for AWS. What exactly did you see that tipped you off that this worker was not who they purported to be, your contractor in this case? There's not one indicator or one candidate or one thing that lets you know that you're in this situation. It's more like a pattern that crystallizes over time. We started noticing anomalies, so a work history that didn't line up geographically with other things on a resume, or a degree at a school that didn't offer the major that was listed, or a plus one for a phone number when the candidate's resume was for a...

But the dead giveaway was the time lag between whatever this contractor was typing and what Amazon was picking up on their end. It's what's known as keystroke latency. We were able to use the initial set of indicators to look at things including latency data, which is a really interesting signal, right, when someone is using a VPN from across the world to kind of digitally hide their location. You would expect someone who's connecting directly to corporate systems to have maybe a 10 millisecond-ish round trip time, and this was 10 times higher than that. So that signal, combined with the other signals, combined with the way the person understood their work, the level of depth that they might have, that all added up to, okay, this is a person we need to quickly remove and confirm that they didn't ever have access to something sensitive.

Amazon starts feeding these signals into AI models that were specifically built to weed out employment fraud. Almost immediately the models lit up with hundreds and then 1,800 attempts by North Koreans to secure remote work at Amazon.

One of the real game changers for us was when we leveraged AI to look at these indicators and investigate. Was there one moment where you're looking at this and you're like, "Oh my God, this is now approaching the thousands of attempts."

Yeah, when I first heard the 1,800 number, you sort of have a few reactions, right?

One, this is not an individual threat actor or an isolated group.

This is an organizational-scale effort. Last year alone, Amazon reported a 27% quarter-over-quarter jump in suspected North Korean applicants, and it believes the models are catching these people before they're onboarded. But the same can't be said for the vast web of staffing firms feeding contractors into corporate America, which brings me to a man I'll call Clif, who's changed his name and altered his voice so he can freely discuss what he's seen. Clif runs cybersecurity for one of the largest staffing agencies in the United States. We place everyone from medical staff to aerospace contractors, but their bread and butter is IT staffing. In 2024, Clif gets word from the FBI.

One of his corporate laptops has been seized in an FBI investigation.

We received a note from the FBI saying they had one of our assets from a seizure that they did in Arizona. Asset in this context refers to a corporate laptop. We were very curious what the seizure was, and so we inquired more and they told us what was going on with North Korea and 100 percent remote workers, and we started gathering more and more information because we were very curious on why we had somebody involved in this. The FBI tells them they're holding a call for impacted companies, so Clif dials in. I was a little shocked that there were a lot of impacted individuals here, because we were just one.

What floored us even more is when they said, "Well, we have a lot of people's names and emails and phone numbers if you want them. We'll send you over 300 potentials and you can check to see if you have dealt with any of these other individuals. We have a database, as you can imagine." We compared these 300 names with everybody in our database and sure enough, we were aware of 11 other ones. Clif discovers this firm had placed North Koreans at major American corporations.

Some of those are companies you've probably never heard of, but some of those are Fortune 50.

But they didn't just staff North Koreans at other companies, they'd hired several of them in-house. This is like the worst of an insider threat, especially dealing with a nation state that has sanctions against it, and if it's just about money, that's bad enough for national security, but if it's deeper than that, we go full scorched earth and check what that person was doing the entire time they were here, look at their access, look at where they had access, go back into logs and see what were they doing when they were here. Luckily both of our internals were only here one week.

These workers were acting strangely enough, not wanting to go on camera, that they didn't make it a week, but had it not been for the camera issue, they might still be working there today. The surprise is, they were doing nothing out of the ordinary, they were acting like a normal employee, just trying to keep that job. And when you told the client we inadvertently staffed a North Korean at your company, were they flabbergasted? The client didn't hold it against us after learning from the FBI that this has been happening apparently for almost 10 years now and that we're just now becoming aware of it.

10 years. For 10 years North Korean agents have evaded every HR filter, every background check, every sanction. This didn't start with COVID, but the pandemic definitely made space for the IT workers to spread like, well, a pandemic.

They were getting through not only our onboarding experience, they were also getting through the clients, and the clients often told us that they were very pleased that these individuals interviewed very well and when they were working, they delivered very well. There were some of their best workers. Okay, but how does a North Korean slip past the other HR controls, like a Fortune 50 or a staffing agency that specializes in this kind of thing?

They always would refuse biometric testing and drug testing, so they would ask to have a fully remote job, no in-person testing which would require biometric and drug. A lot of our clients, and we internally, require background checks, but these individuals are stealing identities, so they're passing background checks through great companies like Sterling, you know, the best, so with a legitimate fake identity that has been stolen, the background checks are actually coming through clean.

So Clif realizes they're using these stolen identities to get clean background checks and slip past every traditional control, so he goes back and watches the recordings of their interviews to see if he can pick up with the naked human eye what these technical controls missed. And it's then he realizes this threat only becomes obvious when you know what you're looking for. Here's a North Korean captured interviewing for an IT job at Starbucks. Are you in the Seattle area? Any chance? No, I'm deep in, yeah, Louisiana.

Yeah. It's original. Okay. How do we see in it?

So, so colored cool, yeah, really what temperature is in Louisiana?

No, yes, let me, let me see, yeah, it's, it's, it's true, yeah, it's true black, it's what? 21 degrees? Yeah, true, true. Yeah, true.

Yeah, true. I know there's a cold front over in the Midwest area, but I didn't think Louisiana got that cold, that's crazy. Once Clif and his team have a better sense of what to look for, they go back to their recruiting database, and that's when it hits them.

Those 300 names the FBI flagged, they were just the tip of the iceberg. But I've got a team of folks that scour all the full stack developers, certain job codes, certain red flags that we know, and unfortunately, we're getting about 25 to 30 a day. These are new profiles being created in your database. Correct, these are absolutely DPRK operatives.

Trying to get a remote staffing gig, usually in one of those senior IT roles. We have a database now of almost 12,000 candidates with unique names, unique VoIP phone numbers associated with those. We mark these individuals with, do not use them. And recruiters at times will still want to use them because they claim they fit the bill so well, it's like the perfect candidate, and we have to tell them, yeah, I know they are. They wrote it that way, it's all fake.

What's incredible to me is that these North Korean workers were applying to cybersecurity companies.

Here's Steve Stone again. At SentinelOne, we talked very openly about the level of effort we are seeing. In just the first six months of 2025, at just our company, we have seen more than 300 personas submit more than 1,000 applications.

That's just one company in total.

That's at SentinelOne. That's just at SentinelOne.

And that's just at one company that knows what to look for.

Run the math and the numbers climb fast. A Treasury report found that the regime withholds 90% of each worker's salary. Most of these jobs are six figures. Multiply that across hundreds of workers, thousands of personas, and you start to see the scale of this.

In 2025, CrowdStrike identified 700 instances of remote IT workers getting jobs at organizations. If you estimate a developer getting a $150,000 salary, let's say, times 700, you're looking at like $105 million in revenue.

And that goes to the weapons program. But even that figure grossly understates it. Last October, a UN panel released a sweeping report. We tracked IT worker salaries from fake identities and cutouts through the regime and all the way up to the munitions industry department.

The heart of North Korea's weapons program. Their estimate: roughly half a billion dollars a year.

I have to put into perspective that the North Korean economy is the size of, like, Vermont's economy, and here they are establishing a nuclear weapons program and have created intercontinental ballistic missiles that most nations don't have. Here is Rob Joyce, who used to run hacking divisions and later cybersecurity for the NSA. Cyber theft punctures the sanctions. Sanctions assume you can restrict the revenue, and this cyber channel creates revenue that's borderless, deniable and renewable.

They've been able to continue to generate cyber revenues year on year.

So I think North Korea is more dangerous because they're disconnected. Deterrence is harder.

What more are you going to put on me if I'm North Korea? If you sanction me more, I'm already sanctioned. If you name and shame, they may shrug or even see it as a badge of honor. They can behave like a cornered regime and they've got this digital crowbar that's asymmetric, they can reach out and whack us with.

If sanctions don't work and deterrence doesn't work, then the only real way to prevent this threat is to study it from the inside out, which brings me back to Nisos. Because last year, after three years of tipping off law enforcement and alerting companies to North Korean IT workers in their systems, Nisos came face to face with one at their own company.

My name is Megan and I have my colleague Ethan here. Oh, yeah, I'm being great. Ethan. And at the end of that interview, we all got together.

And so I think one of the most important things is interviewed for a job with us.

So they hired him, and what followed, that's next, on To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode. And if you like what you hear, rate and review the show. To Catch a Thief is co-produced by me, Nicole Perlroth, and Rubrik, in partnership with Pod People, with special thanks to Julia Lee.
