To Catch a Thief: North Korea On Our Payroll

Ep. 2: The Cell


Infiltrating the infiltrators. For the first time ever, host and former lead cybersecurity and digital espionage reporter for The New York Times Nicole Perlroth partners with a team of private investi...

Transcript


[Music]

By 2025, the investigators at Nisos had spent three years smoking North Korean IT workers

out of American companies. It becomes something of their calling card. They triaged cases

for clients across the Fortune 500 and beyond, but all of that work was done from the outside at a distance. And for Nisos CEO Ryan LaSalle, that wasn't enough. It was probably not even six months before. I was at a bar with a CISO. I was saying, "What if we could get in and infiltrate one of these groups? What if we could be one of them? What if we could interact with one of them to learn more about how they're evolving their

techniques?" And his point to me was, it's impossible because you're not in the room. They're all in a command center somewhere, they're in China, they're in North Korea.

Never once had it crossed their minds that a North Korean mole might apply to them.

I'm Nicole Perlroth, and this is To Catch a Thief. So, after almost three years of doing research and helping clients and to being law enforcement to the threat of North Korean actors trying to find jobs in US companies, we had some new open roles that we posted for an AI developer. And we got a flood of great resumes coming in. Perfect resume is actually these candidates splitting in. It was as if their entire career had been built

for this one AI security role at Nisos. But one person stood out above the rest, a Joseph, based in Palm Beach County, Florida. So, Nisos arranged an interview, but the minute he came on screen, something was off. And the hiring manager came to me and said, "Nate, again, I don't want to make assumptions, but I don't think this person is who they say they are based on some of the issues that happened during the interview. This could potentially be a DPRK candidate."

What do you want to do about it? While most HR leaders might have flinched, Megan Jacinto, Nisos's chief people officer, leaned in. Like many at Nisos, she'd come from the CIA. The chance to engage a North Korean directly was just too good to pass up. So, she tells him to run it up the chain.

That Monday, our CTO brought his interview to us and said, "Look, I think we've got something here.

It feels pretty clear that this person's probably a DPRK, North Korean IT worker, just like we've been talking about, just like we've been writing about. Just like we've been investigating for a couple of years now and he wants a job with us. I think we could run this as an operation. And we said on the table, we're like, "This is crazy. This is crazy. How are we going to do this?" If they really wanted to get inside the brains of a North Korean IT worker,

they weren't just going to have to bring him back for another interview. They would have to hire him. How do we assemble the right team? If we wanted to run an operation, do we have the technical wherewithal to do it? How are we going to get them allowed to get them instrumented? How are we going to actually technically pull this off? Even if they could solve the technical side, engaging a North Korean risked violating sanctions. Our GC was in the room as well

and the other question was, "How do we do this legally?" Can we actually do this in a way that doesn't blow up on our face? And how do we take the steps to really truly understand this threat group, this very particular fraud, and scam, and do it in a way that doesn't

come back to bite us in the ass. They decided to bring the candidate back for a second interview,

but this couldn't feel like a CIA interrogation. They needed to confirm Joe was North Korean without scaring him off. We didn't know going into that interview, whether we would validate it as North Korean or not. We thought high confidence it probably was, and if it was,

then we would go to the next step. I think generally, everyone's nerves are high,

all through every step of the way. We were anxious about not tipping our hand, not making it feel like we were leading this guy on. We were anxious that we didn't want North Korea to start thinking, like if there are other people watching his interviews, we didn't want them observing our behaviors and trying to figure out who we were making us a target. There would be a normal

Interview, but all along the way, we would be trying to figure out the tips a...

the body language, the signals, and some of the gotcha questions we thought we would use

to help understand how this person was trying to misrepresent themselves, and whether we thought that it was a general workplace fraud or something very specific with IT workers in North Korea. Nisos made a point to study North Korea's Zoom interviews, like this one. I do it like AI. So these days they'll actually AI, they could view impacting our

y'all, view life. Do you think there are big security risks with AI, huh?

So, uh, of course you know, they knew all the screening questions that can quickly weed out a North Korean worker like this one that you might have seen because it went viral. We get like a lot of imposter candidates, particularly North Koreans, so one of the tests that we do is trying to get them to say something like Kim Jong-un is a fat ugly pig. Could you say that for me? Do you say it?

The interviewer asks them again, but all of a sudden the candidate's screen conspicuously freezes. There's silence, and then it's clear. He's gone. Damn, he really don't want to say it. But for Nisos, the goal here wasn't to scare him off. It was to confirm he was who they suspected and pull him in. So, the Nisos team studied these interviews, then choreographed their own. It was decided Megan and Ben Reesonberg would work together.

Like Megan, Ben had come from the CIA, too. He was trained to spot foreign operatives, but they would have to give Ben the alias Ethan, since anyone could have traced Ben's CIA background on LinkedIn. Together, they figured out who would say what, when to press, and even laid a few traps. So, we got into the interview, uh, the person was right on time. My name is Megan, and I have my colleague Ethan here.

And he looked very, very young, especially given the amount of experience that he had listed on his resume. So, think teenager young. In fact, I thought, gosh, I want his skincare

routine if he is supposedly, you know, in his 30s. And so, one of the first questions we asked him

was where he was from. He said Florida, and I said, oh, you know, my dad lives in Florida,

and I said, you know, my, they just had a hurricane, you know, hurricane George, how did you do?

How was your house? How is your family? And he really stumbled around that question. Yeah, how can I say, um, do we into a swirl and we got a lot of rain, but luckily, in my place, it was fun. Uh, some branches down, a bit of cleanup, but I don't know if you like that much. Just one thing, there was no hurricane George. They'd made it up. And you could see him kind of looking off on a screen to try to get information about a hurricane,

and certainly a hurricane George, which there wouldn't have been any information because there was no hurricane George in 2025. And so, that was a really good indicator that he was using, one, a chatbot to answer questions, and two, likely didn't live in Florida. It wasn't just the hurricane. Every question, no matter how trivial, was followed by a pause

and filler words. It was a little uncomfortable. And, you know, at first, you kind of think,

okay, English is the second language for him. So he's formulating, you know, the translation

in his head and then responding. But some of our questions were like, what do you like to do for fun?

Yep. So, uh, outside of work, uh, I like to keep, uh, I think to praise simply. So, uh, I enjoy exploring new tech on the side, but uh, I mean, I'm not in front of a screen, uh, I like going for works, reading, and uh, just spending time outside. And it became apparent that he was listening to an answer. Someone, or maybe some thing, was feeding him each answer.

Megan and Ben moved the conversation to his work experience and asked Joseph to walk them through his portfolio. Then Ben said, you know, while we have you here, we can make it even easier if you want to share something now if you can just pull up your screen, we can try. Yep. Sure.

Do you want to share your screen and show me a little bit of the work?

Right now. Yeah, what up?

And he paused and he got visibly started shaking a little bit and started looking around and then I saw

him closing windows on a screen and he said, yeah, I can share just give me a second.

How are you? You want me to join? Yeah. Yeah. Yeah. I could stick with you. And he just ended the interview. And we thought, okay, we'll just hang a bit and you're out of it to see if he comes back on. Pretty sure he was not coming back on and sure enough he did not. We waited a good 15 minutes and he did not return. We were all waiting in Slack to see what they said when they were done.

But as soon as they got off, the channel was like, and and I like, no, this is, it's exactly what we thought. And now we need to figure out what to do next.

This was the intel-gathering chance of a lifetime. But it also carried real risk.

We weren't quite sure how active that cell might be in terms of retribution or in terms of getting upset about what we're doing. The last thing we need as a small business is to break a law and suddenly have to pay fines for OFAC sanctions or something crazy like that. So we need to keep a very clean nose on this stuff. But ultimately everyone agreed they had to try. We did call a contact at the FBI that had helped us

in and so were other investigations and talked them through what we were planning and helping make sure that the things we were doing on our machines with our equipment, with our software, weren't running afoul of the law. And then they hired him. So what we decided was to offer him a contracting assignment. So hey, we have this AI project. We really enjoyed the interview. Sorry you couldn't rejoin. Hope there weren't too many

technical difficulties. But we'd like to offer you an upfront retainer if you will work on this

project for us immediately responded to me. Just to be clear, Nisos could never actually pay

this retainer. But they knew if they could string him along, even just a little longer, they might just get a glimpse into how this guy worked. Where else he worked? And if they were lucky, pry open a window into the world's most sealed off regime. So Nisos sends this guy a contract. Of sorts. We sent a fake document that contained a canary token. That canary token could cut through his VPN to reveal his true whereabouts. Joseph asked that they send his laptop to Florida.

Just to be sure it didn't get shipped off from there, Nisos planted a tracker inside the package, which confirmed the machine was, in fact, in Florida. And last but not least, they laced the laptop with spyware. We were able to track logins on the

network. And also the most important piece was we were able to turn on the camera. So we were able

to see what's going on around the computer. This is where things get wild. We saw a bunch of other laptops all in the closet with us. But we're sitting in a walk-in closet. I mean, you could see it was container store type of wire shelves in the closet. And you could see our laptop seen facing the absent wall with other laptops on another shelf. From an IT perspective, I was very offended because the cables were super messy. Any nerd worth their salt has a better cable

management than these guys. So that was the first offense. So you're seeing a bunch of other laptops. And are they literally putting the laptop in with the camera open as it would be on my Mac, but right now, or yeah, it's just a little bit of shelf. But try as they might,

Nisos never sees a person come on screen. But on the back end, Nisos could see its laptop

and every other laptop connecting back to a hidden mesh of remote tools that allowed operators overseas to control them. Keyboard, mouse, everything. From their employers' perspective, any activity after the slaughtered laptops look completely legitimate. When in fact, they were all being remote controlled from abroad. As to where exactly, that's where the canary token came in. And so we were able to see that the IP address peeing somewhere in China.

In intelligence, you're always thinking about probabilities. And every step of the way, our probability and our certainty about this being the North Korean threat actor kept going up and

Up and up.

was probably the thing that was the most movement to certainty that we had for like, nope,

this is it. This is not a kid from California. This is definitely a North Korean actor operating

out of China trying to get a job at our company. We're sure of it now. The moment it all clicked, came courtesy of the spyware Nisos had installed on his laptop. It let them see everything he typed. He Googled, is Florida in North America? So again, like, if you live in Florida, you probably know that you live in North America. It was questions about like, what sports are played in the United States. So, you know, a pretty good indicator that this

person did not live anywhere in the United States. And then came the real break.

Joseph logs into his personal Google account from their laptop. Without that, we wouldn't have

had passwords for all of his accounts. We wouldn't be able to see all the companies he's constantly applying to, how many hundreds of emails he sends out, the applications he fills out every single day

to get jobs and schedule interviews with companies. I think there's hundreds of interviews,

several job offers. I think at some point in time he was working four jobs. But incredibly, this IT worker had made a rookie mistake. He stored the passwords to all his accounts in Gmail. We got lucky in that we got email addresses and passwords for Discord, which we in the beginning didn't think that why would they be using Discord for anything,

but we decided let's go see what's on Discord he might be using it for. Discord, a chat platform

used by a lot of gamers, hardly seemed relevant. Nisos wasn't super interested in whatever video games Joe was playing on the side, but it double clicked anyway. What they found next wasn't downtime. It was a clear view into the complete inner workings of an entire cell. What we learned is that this network is using Discord to figure out what jobs they're applying to and really coordinate all of the activities across 22 individuals on Discord.

The leaderboard is on there. Their rewards and measurements are all on there. They get tracked by activity and outcomes. How many jobs do they apply to? How many jobs do they get? And actually get measured on a leaderboard. Almost all of his screen was interview confirmations or

progress on interviews or feedback on a job offer or that's what the whole thing was all

job boards from multiple companies, multiple recruiters, multiple freelance sites, and all they learned. That's what he spent his life doing. This cell tracked their entire operation like a sales dashboard, every application, every interview, every rejection, every offer letter was posted to this one Discord channel. It also functioned like a group chat. They traded tactics, shared scripts, compared notes. We're like, this is crazy. This is next level. This is much bigger than we

thought we had. And I think that was where it started getting really exciting. The amount of Slacks going across our business, every day, all day long, like the new things we were finding, the crazy stories we were seeing. And I still think the funniest thing were the failed channels. Every time a North Korean operative got caught, they posted it to a Discord channel labeled horror, so other cell members could learn from their mistakes, a playbook built in real time. So if they get fired, it says on

there, this is the reason that I lost the job so that way they can keep that from metrics as well. Or if something worked out really well, here are tips that how you can be better at getting jobs. North Korean IT worker best practices channel. In essence, yes. One of the things I thought was hysterical was every time they got a job and every time they lost a job. The chat would fill up with P.J.U. just got his dream job. And there would be the offer letter from whatever company it was.

And then like three days later there'd be a frowny face. P.J.U. just lost his dream job. They were like, oh, so sorry. It was almost like an automated alert, like you'd have like a Slack bot. And it was just like the way they were sharing their wins and losses that they had every day of what to them was a game. And to us is massive fraud. As North Korean IT workers became more of a known entity, interviewers started screening for them. The Nisos team could

see the confusion that unfurled on Discord with some of these questions. Yeah, one of the big

Things that they kept getting caught up early on was when the interviewer ask...

mascot of the university was. So we had a lot of screenshots of, what exactly is a mascot?

Why would a university have a mascot? What's the mascot of X university so that we can

able to answer questions and they warned each other of those things? These are a lot of virtual backgrounds. And then every once in a while somebody else in their same room was then would come through the virtual background and show up on camera. And you could see the interviewer's face being like, what's that? And then the person came through being like, and then a shocked face and then run off camera. The screenshots of those things would be like, oh, we got out of it again.

One of my favorite ones is that there was an application where there was a question,

are you from a designated country like North Korea, Russia, Iran, Sudan, and the person put yes

in the application? And then the HR person followed up and said, I noticed in question eight, you'd answered yes to this, was that a mistake? And he's screenshot of back that he wrote, yes,

mistake. And that was it. And the person said, okay, we're good. Like, oops, yeah, not even the full sentence.

Yes, it's a mistake. Nisos starts getting a pretty clear idea of where all these workers are getting jobs in the US, both from the Discord chatter, but also from their laptop camera back in the closet in Florida. They could actually zoom in on the screens of every other laptop in this closet, and on them were their corporate logos. We saw four other companies in the same space as us. There was a

healthcare company, there was an insurance brokerage company, there was a mortgage company. Some of them were household brands, some of them were not. I started getting on the phone and calling the other companies that were in the same room with us and letting them know that they had been subjected to the same kind of scam that we were in the middle of. So you call him up and you say, hey, Ryan here from Nisos, got something for you, tell me what that conversation sounded like.

Does this podcast have an explicit rating or do I have to keep my language clean?

It doesn't have an explicit rating. We enjoy curse words here on To Catch a Thief. One of the heads of security called me and said, this is the worst fucking sales call I've ever received.

You better not be extorting me. I'm really here to help. Here's what we did. Here's what we saw.

He used to the person is, you guys needed to do your investigation and he got real calm, fast forward four weeks later. He took bed of that for a beer, but he didn't appreciate the approach to start. The other companies were a little bit more cautious, but they came back pretty quickly and said, tell me what you're seeing, how are you seeing this? I don't like, are you inside our network right now? And so we had to say, no, these are the things we're seeing in this house in Florida.

And we can tell from this house, who this person is and that they're reporting to work for you, all of them fired their person. Half of them also contacted the FBI to make sure that the FBI knew that their equipment was in the possession of someone that they did not grant possession to. On Discord, North Koreans post their job offer letters. As these offer letters pile up, Nisos makes a point to call each company, letting them know when a North Korean is on their payroll.

It becomes almost routine, but then one conversation stops them cold. One of the companies was a placement agency and when we let them know that one of the folks they placed was in fact one of these folks from this operations network, they blanched because the person they had placed, they had placed at a nuclear utility. They had placed a North Korean in a U.S. nuclear utility.

Now, he worked on low-level IT systems, but given the sector, this was still extremely concerning. They were nervous about what that person could have access to and could do. Nisos digs deeper into this one worker's activity in the Discord and what they find significantly raises the stakes. Some of these folks have placed screenshots from their companies proving that they had jobs and this particular guy posted a picture of what looked like

an industrial control system control panel. This is as serious as it gets. An industrial control system panel is the interface to the physical world. At a nuclear utility, it can mean the controls that regulate the nuclear reactor: its cooling, safety locks, fail-safes. Not anything you would ever want in North Korea's hands, or anyone's for that matter.

That elevated the intensity of this quite a bit. We all sat down together to brief the end

Company on what we learned and how we learned it, so they could understand th...

and real true threat. They also validated the screen was something that did not have access to any

true control systems. It was a training screen and they had already fired the guy before we

even notified them. They felt that the risk was pretty well managed, but from a near-miss perspective, that was a pretty scary one. It was crazy. It was like, people were like, oh crap, let's look at the screen, oh crap, and they looked at like, okay, it's okay. It's not a live system, it's all fine, it's not a real thing. To me, the bigger concern is going to be motivated attackers who want to have access and means and who have a real intention and a target

employing the same tactics. I want to come back to this leaderboard, so there's 22 people,

they're on this leaderboard. I assume it's constantly shifting. At the top of this leaderboard,

how many jobs was number one holding at any one time? The leaderboard is much more business focused. It gives you a sense of how professional this thing really is. So the top person who has applied to the most jobs in the cell is 26,688 jobs. That person's also managed to land 5,781 interviews. However, they are not the most effective at getting jobs. A person who has almost 26,000 and 4600 interviews has 19 jobs. 19 offers. So I don't think they were working all at the same time,

but over the course of the period, this person was probably the most effective at landing jobs through the process, but that's still a really crazy funnel. 27,000 applications for 19 jobs.

If my kid who's graduated from college is trying to get a job and that's what it takes for him

to get a job, I'm terrified.

And Joe was part of just one cell. Once Nisos tipped off Discord, Discord was able to use the cell's characteristics to unearth much larger cells of North Korean workers on its platform. What they learned from our intel was that the way these guys are showing up on their platform is less like a scam network and more like a startup. And so now as they look for the behavioral signals, they're looking at things that look more like small companies than they are criminal rings.

No one has published a definitive tally of just how many of these discrete cells exist, but the most recent UN report found North Korea is dispatching thousands of workers through coordinated cells across multiple countries, enough to flood job markets. The most anybody's held is five or six jobs concurrently. Most people only had two to three jobs, and then there's a couple of people that only had one job. What's interesting about it is though,

is that it didn't seem to matter how many jobs they had. Really what the metric was driven by is how many applications did you fill out today? How many interviews did you go on today? That was whatever big question was about from leadership. And then the job stuff was just okay, now you're getting some sort of salary, there was no concern about how much the job paid. So we had seen offer letters come in anywhere from having a very junior job that paid $25,000 a year

until very senior jobs, which paid 170 and more. And it didn't matter. There was no negotiating for salary. It was just like, your job is to apply and get interviews. And if you have a job, that's great. Okay, but how are they actually getting any work done? So if somebody's double booked for something, they coordinate who will do the actual work meeting for them, and who's going to do the interview. So it's a platform really designed to facilitate all the work they

could be doing at the same time. And then we did also see them if somebody had five or six jobs outsourcing some of the work because it was getting really busy for them. And how are they recruiting them? Through a variety of job boards. So all them posting, hey, I have a job. I need somebody who's really good at Azure, which is like a programming language. If you have free time, I would love to talk to you about a job you can do for me. So they

think try to hire people to just do the job for them. Occasionally employers would learn the hard way that not only had they hired a North Korean, they'd unknowingly hired their subcontractor in India, the Philippines, or Nigeria. One of the guys had a job in a company. It's like called the CEO of the company and I said,

"Hey, this guy is not who they said they are." And he goes, "Yeah, I know. How do you know?

Well, because last week, he disappeared. They haven't been able to pay him." And then this week, I got a note from a guy in India saying, "I owe him $10,000." Because he'd been hired by this

Other guy to do all his work for him.

So there's like cascading supply chain from the person who gets the job to then figuring

out how he's going to fulfill the work. And then they go to India, they go to the Philippines,

they go to Nigeria, they'll go to other places to backstop the jobs they've got. And were all these people above board, as in they're just there for the paycheck? Or did you see him run ransomware or steal corporate data or just try to extort the company as they go? So I will say that some of the smaller companies we were disclosing to were experiencing extortion already. Their North Korean workers had access to all of their code.

And so when they would decide to fire them or not pay them, they would hold that code hostage. And say, if you don't pay me, I'm going to release it or I'm going to tamper with it. There was some of that going back and forth. It wasn't as sophisticated as a ransomware attack or IP theft. It was just pure cold extortion.

Now North Korea's IT worker cells are siloed from the regime's specialized hacking teams,

but more and more we're seeing hand-offs between them. This is especially true for those who get jobs with crypto companies. Last year, the Justice Department alleged one DPRK worker's access was

used to steal nearly a million dollars in crypto from an Atlanta based blockchain firm.

In a second case, North Korea allegedly used a worker's access to steal highly sensitive defense secrets from a Southern California defense contractor. And in several instances, when American companies tried to fire these workers, they moved to extortion. Threatening to leak what they'd taken or tamper with the company's source code, unless their employer upped their severance payout.

Here's DTEX's Michael Barnhart, aka Barney. We had one extortion attempt that was

pretty unique. They'll either ask for, "Hey, I want my back pay. You fired me on wrong reasons.

I want all my back pay is due to me." Or they'll say, "Hey, I have intellectual property of yours. You give me XYZ Bitcoin, and I'll make this problem go away." Or you'll see something like, "How much Bitcoin are they asking for?" They used to ask for small amounts. They started getting bigger. At one point, I saw five Bitcoin. That's more than $300,000 at today's price.

I mean, they want you to pay it out, so they'll try to give an attainable amount. But yeah, that was also in smaller companies. They were really starting to ask for more money

than hitting like the Fortune 500 companies with this type of activity too. But the third one is

that they'll go, "If you don't give me my money, my back pay or whatever, I'll either give it to a competitor, or I will give it to a more qualified threat actor and let them see what they want to do." Basically, you know, the accesses. The problem was that you ask for one of those things and you might get one of those things. We had one extortion attempt that had all three of those demands in the same email. So it was like, "I don't know, Brother gave me a chance." Like, damn, we saw one one time

trying to get access to like the main servers and try to destroy those but didn't have the right permissions. Sending malware-laden HR documents back to HR after they were terminated. Just it seemed like it kind of spiked there for a little bit, but it's also visibility. Unless a company is telling you, you're not going to know about it. And a lot of people don't

want the embarrassment that they had an IT worker, so a lot of things we'll never know.

It wasn't until May that I connected with a former North Korean IT worker, now a defector. We were introduced through an NGO, PSCORE, People for Successful Corean Reunification. He said his cell was focused entirely on the paycheck, but the quotas were relentless and rising. He never mentioned extortion, but you can start to see the pressure building. For the safety of the source, we've both omitted his name and are using a voice actor to read the messages he shared with us.

We could earn higher pay and occasionally get perks like shopping, dining, or supervised outings. Because most clients were in the US and Western Europe, our schedule was flipped. We would usually go to sleep around 4 to 5 a.m., and wake up around 11 or noon. Then have lunch. Depending on the project, we would either rest for another one to two hours or start work immediately. We worked continuously until dinner with short breaks afterward. From around 9 p.m., when the US workday

begins. We would work straight through until 4 to 5 a.m., we could take short breaks of 30 minutes to an hour,

Overall we worked at least 12 hours a day.

and a supervisor lived on site with us while continuously observing activity.

As for the paychecks, most went back to the regime.

Cockta-projected shinings, how long it thought I was, but typically earned about $5,000 per month.

We personally kept about 15 to 25 percent, depending on how much we earned, around 2000 to 3000

went to the government, and then the rest was split with local partners or used for expenses. They're a teamwork and they're worked for the regime, could blur. There was a post where one of the guys was sharing news from the company that he had gotten a job at, and it was like pretty big news. They had a major business event that was covered by all the papers. And he was like, "As my company?" And he got reminded by his boss, "You work for us."

That is not your company. You work for us.

Good to make you man. Earning at that level could support a family in North Korea, and even allow

you to buy a home in Pyongyang after a few years. After defecting, I felt most guilt toward my family,

who could face punishment because of me. Most workers are trying to build a better life, even while being exploited under harsh conditions. Yes, the work is illegal, but the persistence and effort of these workers should be recognized. And most are not simply hackers or spies. They're also victims of forced labor, and systematic exploitation. The defector really questioned the ethics of this work.

I didn't initially think the work was illegal. The pressure to meet quotas was much stronger than any ethical concern. Over time, especially after going abroad, I began to realize that much of what I had been told was false. We had no choice in where we were sent. Living abroad as a North Korean felt like a privilege: access to money, the internet, and communication with foreigners, but we were socially isolated offline. I can't disclose the exact location in China, but we rented a normal Chinese residence where we lived,

ate, and worked. The conditions were relatively good, but compared to ordinary Chinese residents it was cramped. Sleeping areas were especially tight, so we kept personal belongings to a minimum. We mostly ate local food, but sometimes cooked North Korean dishes ourselves using local ingredients. Grocery shopping was one of the few opportunities to go outside. As for how he managed to escape, that was the one thing he wouldn't discuss.

I can't discuss the details and sensitive, but many people risk their lives to escape and success rates are below 50%. I was fortunate to go to school. Like many North Korean IT workers and hackers, this defector was identified young. Others have described the pipeline. Students singled out as early as grade school, funneled into elite technical universities, and those with a talent for hacking are sent to

Pyongyang's Automation University, essentially a West Point for hackers, where they're trained to write malware, exploit vulnerabilities, and hack. The best graduates become part of North Korea's elite. In a country where the state assigns your housing, hackers get the best apartments, the best food, and some of the regime's most prized privileges. Then, they're forward deployed. Here's Chris Wong who spent years tracking North Korean hackers and IT workers at the FBI.

You know, they're probably working 18 hours, at least. So it's not like it's that's short, but at the same time, IT workers are in a privileged position. So compared to the rest of society in North Korea, they're earning more money. They're able to work outside of North Korea, and then their families get more benefits than your average North Korean. So from that perspective, they are in a privileged position. Where have you seen them last this come up? A number of times,

Russia, sometimes Vietnam, where else have you seen them operate?

Laos rings a bell, seeing them operate in Africa, so I've seen them operate in Dubai, but I would say China and Russia by far are the biggest ones.

It's critical to understand China's role in aiding North Korea. It's not so much a friendship

as it is an uneasy alliance. China backed the North in the Korean War, and it's been

Pyongyang's lifeline ever since.

state visit to North Korea. Now, the two leaders kept a very busy schedule on Tuesday, paying respects to Chinese soldiers who were killed on the battlefields of the Korean War, then visiting a school and planting a tree there together to mark the two countries' friendship before. For years, North Korea's entire internet access ran through China Unicom. Russia offered up a second line in 2017, but for more than a decade, China controlled the switch.

There are 1,024 IP addresses in North Korea. I think I've gotten more than that in this room right now.

Yes, I bet you. The US, for example, has about 150,000 routes for internet. South Korea has 17,000.

North Korea has 4. As for China, North Korea forms a critical buffer between itself and South

Korea, and the tens of thousands of US troops stationed there. As long as Pyongyang holds, the buffer holds. So China props it up, because the alternative, a collapse, is far more dangerous. Jim Lewis describes China's relationship with North Korea like this. The Chinese are the ones who saved the North Koreans in the Korean War by coming and invading. The Chinese make movies about how wonderful they were in Korea.

But it's a difficult relationship for them, because it's like an unmanageable pet.

It's frustrating to the Chinese. I had one experience where I had a Chinese friend who works

for the Ministry of State Security. We're having dinner, and he actually was really annoyed.

He saw either of those Koreans. They're uncontrollable. I never expected to be going to

lecture on how North Korea is a pain in the neck for the MSS. But it is one of China's only allies. So most of the North Korean hacking activity, the cryptocurrency laundering, the hacking schools, the technology they use for hacking all comes from China. China offers something North Korea can't. Fast reliable internet, a requirement for North Korea's hacking operations, and its remote IT work. They had a restaurant chain for a while.

That was called Pyongyang. That was in Europe. It was in the Middle East. It was in other Asian

countries, serving North Korean food and liquor and featuring live music. The chain offers visitors

a rare glimpse into the reclusive nation's culture. You could go work at the restaurant and live like a Westerner, right? What a deal. And you could also hack. It wasn't just restaurant chains, North Korea ran hotels abroad too. A.k.a. the hacker hotels. He said Pyongyang's cyber warfare agency, which goes under the name Bureau 121, is based at a hotel in northeast China, very close to the border with North Korea. North Korea's nearly 2,000-member elite cyber hacking

team are actually trained in China. Back in 2014, researchers at HP discovered one of North Korea's elite hacking units was operating out of a hotel in Shenyang, China, the Chilbosan Hotel. They're going to places like China setting up shop in hotels where there's access to broadband internet. And that is where law enforcement officials and top administration officials believe they're launching these attacks from. In online reviews, Chilbosan Hotel guests praised the warm

hospitality, the food. Some even noted the surprisingly strong internet access. Recently we've seen more North Korean outposts pop up just over the Chinese border in places like Vietnam and Laos. And when I say just over the border, I'm talking an evening stroll from China. What these countries give Beijing is a bit more distance from its DPRK dependence, but they also offer easier visa access for North Korean operatives. Vietnam was a big one for a while, so it's not

like a complete alarm. Like Vietnam, they were able to abuse the restaurant visas there. Basically you can come in on a restaurant visa, but no one will ever check it. So you can stay there for as long as you like. In March, both Vietnam and Laos were mentioned in a fresh round of US sanctions. The Treasury sanctioned one North Korean front company for managing IT workers in Boten, Laos, a border town that sits virtually on top of China. They also sanctioned a Vietnamese company

and its CEO for allegedly laundering $2.5 million in workers' earnings into crypto,

back to Pyongyang, and its weapons programs.

If their photos are any indication, North Korean IT workers seem to especiall...

in Laos. Not too long ago, security researchers uncovered a cache of their photos on an

unsecured Dropbox folder. Inside were photos of these North Korean IT workers living the life,

dining at steakhouses, throwing cool parties at their rental in Laos. They also love minions. There are photos of them posing with large promotional displays of minions in Laos. For whatever reason, North Korean IT workers are obsessed with minions, as in the small yellow gibberish-speaking henchmen from Despicable Me. They use minions in their profile photos, and in leaked chats they greet one another with

"Hey, minion" and refer to their boss as Gru. Some say it's just their innocent love of minions,

because who doesn't love minions, but Ben from Nesos articulated an alternate theory. The reason it is believed that they use the minions is because the leader of the minions is Gru,

and as we all know, when this goes back to the question yet earlier, is how they're related

to Russia and China? GRU is the Russian service, so there's to believe that they're using Gru is the accounts that the Russians are using to kind of show the North Koreans, how to do this kind of work, and hence they're using all these minion characters. And we've seen that they make fun of each other, and when they send gifts to each other, everything usually has minions of either clapping or pointing at each other and laughing,

because the mistake was made, so that's the minion angle. Whether it's a sly nod to the GRU, or just their love of minions, Russia's becoming a growing hub for North Korean IT workers. Some of the photos from their stash show them sitting rapt at taekwondo matches and figure skating events in Russia, taking in the culture, or at least the cover. It almost looks like they're on a chaperoned field trip, but a consistent presence in these photos

is what appears to be their Russian handler. Here's a Poland-based researcher who's been actively tracking these North Korean workers. He's asked to go by his alias, Black Big Swan, or BBS, to protect his identity. Some of those pictures we have from Russia with DPRK workers,

you can see there's definitely a person who is sort of a handler to them. Who are they?

I don't know whether this is the government agency or just somebody hired from Russia to take care of them, I have no proofs one way or another, but yeah, it's not a North Korean. So they wouldn't try to escape because obviously some of them could try to escape from North Korea for Russia or other places they are in, so there is definitely a person who is supposed to guard them and that there's only not North Korean. There's some evidence that the very best remote IT workers travel

as a unit from outpost to outpost. BBS followed one DPRK operative who went by the alias, Cassani Takeda, who held 10 jobs simultaneously. He was calling himself Kazuneta Keda, that was like a Japanese name of his and that's actually a guy who had 10 jobs in 2025. He was everywhere. I first spotted him in December 2024 and just spent another two or three months constantly discovering his new identity, new job. It was endless, you expect him to maybe have like

one or two jobs but then there's another and another and it never seems to end. He was constantly

popping on our radar. We also have a lot of pictures of him outside of the context of his IT work. For some reason regime was constantly taking selected few IT workers to different events. One of those events was in Russia of Vladivostok and they were taken ice skating because there are certain sports activity IT workers DPRK. I guess it's extremely into and one of those things is ice skating and here we have pictures of that guy from one of those ice skating events and

he was also in the house. He's also in poor part the pictures like we have a lot on this guy. That was my favorite one but now he's that completely gone. The Russia connection is strong and getting stronger. So as we all know the North Koreans

sent troops to Ukraine to help the Russians fight. They didn't do very well but ...

for the Russians Koreans. So the Russian relationship is probably closer now than the relationship

with China. The Russians Korea will never escape China. The right next to China is the great

hundred pound gorilla but the Russians are more likely to be considered friends. Russian President Putin

travels to North Korea today. The dictatorship of Kim Jong-un is one of the key suppliers of weapons

and munitions to Russia after the Ukraine war turned the country into a pariah. It's a budding friendship built on mutual isolation and for IT workers, Russia's becoming a major outpost that can accommodate their ambitions and scale, which brings me back to Nesos. If you'll recall, Nesos had hired Joe, the alleged Florida-based AI developer who was really a North Korean living in China on a contract. But remember, this was all a ruse to infiltrate North

Korea's IT network and spy on the spies. They couldn't actually pay Joe. That would be illegal,

which meant their operation had a clock. At some point, he'd realize that paycheck was never coming.

We just really kind of made up excuses. One excuse was I was on vacation and then the hiring

manager was on vacation and then hey sorry the project is getting delayed but we're still

very interested in you. We just kind of kept stringing him along. Till he said, "I'm done." You know, no thank you I've moved on, you know, to other employment. But in that narrow window, Nesos saw something extraordinary. Over the course of the summer, just from June and until our operations wrapped up at the end of September, we saw the cell apply to 160,000 jobs in the U.S. One cell, one summer, 160,000 job applications, just in the U.S., which would make this one of the most

ambitious workforce infiltration campaigns ever uncovered. And as this picks up, employers say their job portals are getting crushed with illegitimate candidates. And it's not just individual companies, it's platforms like LinkedIn and Upwork who are left to figure out who's North Korean, who's not, who's an American loaning out their identity to a North Korean. It's not just overwhelming, it's creating a job phrase. American job seekers are now competing with the fire hose of fake

North Korean, perfectly AI written resumes. And all of this is unfolding at precisely the moment AI replaces the first wave of IT workers. I met with a company there talking about how they had to turn off their external job postings because they couldn't get any legitimate candidates through. It made me think of the kind of cyber attack, a denial of service attack, where companies' websites are flooded with requests from an attacker who essentially brings down the website,

no legitimate traffic can get through, no real customers can get through. And that's kind of what these folks are experiencing, but it's with resumes instead of cyber attacks. They're getting flooded by North Korean illegitimate resumes so much so that the legitimate candidates can't get through. It's convenient denial of the service against the recruiting pipeline. The scale of this is overwhelming. As for North Korea, it's paying off. North Korea began the

Ninth Congress of the ruling Workers' Party of Korea on Thursday. In his opening address, North Korean leader Kim Jong-un said he is filled with optimism and confidence about the future. We have made significant accomplishments in overcoming economic stagnation, Kim continued, pointing to what he called progress across multiple sectors of state life. In March, the Treasury Department revised its estimates. They said North Korea made

$800 million from its remote workers' game in 2024 alone. Far beyond earlier estimates in the

mere millions. This exploits how we hire, how we trust, how modern companies actually function. But there's something else these North Korean IT workers have exposed: our part in this.

An ugly version of America we don't want to see. I think if we go back to what's the big

thing that people need to take away here, the first takeaway is there are thousands of people who are trying to rob US companies in payroll. And the second thing is there are hundreds of Americans who are happy to help them. Because to pull this off at this scale, North Korea can't do it alone. They need our help. Americans, witting or not, willing to do their dirty work.

We haven't been able to find a ton about her on social media.

with no picture on it. It looks like she did have a Facebook profile and she's young. She's 21.

Here we go. Hello. That's next on To Catch a Thief.

Follow To Catch a Thief to make sure you don't miss the next episode. And if you like what you

hear, rate and review the show. To Catch a Thief is co-produced by me, Nicole Perlroth,

and Rubrik, in partnership with Pod People, with special thanks to Julia Lee.
