
From Deepfakes to Sanctions Violations: The Rise of North Korean Remote IT Worker Schemes

What You Need to Know

  • Key takeaway #1

    Infiltration Tactics and Targets: DPRK nationals are posing as IT professionals to infiltrate U.S. companies, leveraging AI and deepfake technology to build synthetic identities and job applications. Companies most at risk may include those with large remote or hybrid workforces, those holding digital assets, those with access to national security or export-controlled information, and those placing remote IT workers.

  • Key takeaway #2

    Revenue for DPRK Regime: The U.S. Government highlights that these schemes provide significant revenue for North Korea, funding its weapons development programs and offering a critical stream of foreign currency.

  • Key takeaway #3

    Legal and Regulatory Risks: Companies may face substantial risks, including sanctions violations, data privacy breaches, and cybersecurity threats. Engaging with North Korean workers can result in OFAC penalties, DOJ investigations, and potential civil and criminal liability. OFAC and DOJ have recently taken significant enforcement actions against individuals and entities facilitating these schemes, including sanctions, indictments, arrests, and seizures. The issue remains a priority for this Administration.

  • Key takeaway #4

    Mitigation Strategies for Companies: Companies should implement comprehensive procedures to identify and mitigate risks, including cross-functional investigations, training on social engineering, and technological and policy changes. Specific steps include reviewing recent hires, sanctions screenings, analyzing identity and access logs, and forensic analysis on systems that may store ITAR or EAR-controlled information, trade secrets, or other financial assets.

  • Key takeaway #5

    Firm's Experience and Support: Crowell is equipped to assist clients at risk from these schemes, offering expertise in sanctions and export controls, cybersecurity, privacy, and government investigations. We provide a coordinated approach to mitigate legal exposure and support clients through risk assessments, investigations, and regulatory disclosures.

Client Alert | 9 min read | 09.22.25

U.S. Government and private sector sources continue to report efforts by Democratic People’s Republic of Korea (DPRK) nationals to infiltrate companies around the world by posing as information technology (IT) professionals, in order to get hired by U.S. and other businesses and gain access to sensitive company systems. CrowdStrike, a U.S. cybersecurity company, has reported a 220% increase in the number of companies infiltrated by North Korean threat actors over the last 12 months. In particular, a DPRK-affiliated group known as “Famous Chollima” has leveraged artificial intelligence and deepfake technology to generate synthetic identities, produce resumes and CVs, draft communications, and conduct job interviews. Enforcement actions brought by the U.S. Department of Justice identify victims in the cryptocurrency sector, including decentralized finance (“DeFi”) projects. In addition, media reports indicate that North Korean hackers are extending fake job offers to employees in the cryptocurrency sector, with the goal of stealing crypto.

The U.S. Government has noted that DPRK IT workers “provide a critical stream of revenue that helps fund the DPRK regime’s highest economic and security priorities, such as its weapons development program” and provide the DPRK government with “a significant source of foreign currency and revenue.” In addition to collecting salaries to send to the North Korean government, these operatives use their access to steal intellectual property, data, and credentials, and to establish insider access for future cyber attacks. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has said that North Korea is using the money generated by these remote worker schemes to fund its weapons of mass destruction and ballistic missile programs. Other threat actor groups are taking note. For example, Iranian threat actors have reportedly begun mirroring similar fake job offer techniques, demonstrating how such schemes may spread across the threat landscape.

These schemes carry substantial operational, reputational, financial and legal risks for target companies.

1. Clients Most at Risk

Companies potentially most at risk include:

      1. Companies with large remote or hybrid workforces, such as startups, where identity verification and access monitoring are more challenging.

      2. Financial institutions and virtual currency companies, which are targeted because of the potential to steal digital assets.

      3. Technology, defense, and aerospace contractors, with access to sensitive national security and/or export-controlled information.

      4. Staffing agencies, human resources placement agencies, and outsourcing vendors, especially those placing remote IT workers.

2. Risk Exposure for Clients

The North Korean IT worker schemes are complex and high-risk, and they carry many potential legal and regulatory ramifications. Among the potential risks to consider are:

      1. Sanctions and Export Controls Risks: The Office of Foreign Assets Control (OFAC) implements and enforces U.S. sanctions. The North Korean sanctions regulations prohibit, among other things, the import or export of goods, services, or technology to or from North Korea. Civil liability for OFAC penalties is based on strict liability, meaning that companies may face penalties even when they are unaware that they have transacted with a sanctioned person. Engaging with North Korean workers is likely to result in sanctions violations, requiring internal investigations and potential disclosures to OFAC, as well as the possibility of subpoenas and government-led investigations, and potential civil penalties, from OFAC. Furthermore, the Department of Justice (“DOJ”) prosecutes criminal violations of sanctions and can become involved where there is evidence that a company knew it was dealing with a sanctioned person. Potential export controls violations may also occur from allowing unauthorized access to International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR)-controlled data, even if inadvertent, potentially triggering civil and criminal government investigations and penalties from the Departments of State, Commerce, and Justice.

      2. Data Privacy Risks: North Korean actors may gain access to sensitive data, including personal data, intellectual property (“IP”) and trade secret information, and use these to engage in IP theft, or in ransomware and other extortion attempts, which in turn can result in civil and criminal liability and enforcement under national security, securities, and data privacy laws (including export controls and sanctions), as well as private litigation and reputational harm.

      3. Cybersecurity Risks: North Korean IT workers may use their remote access to mimic U.S.-based activity and evade location-based controls, for example by operating through laptop farms, and may install unauthorized software or otherwise attempt to bypass traditional cybersecurity controls. These workers also may hold jobs that give them access to company systems and, in many cases, source code, which can be used to harm company operations.

      4. Employment and Vendor Risks: North Korean IT workers with fraudulent identities used to secure remote positions may highlight vulnerabilities in background checks and third-party risk management. Microsoft, for example, has described steps these workers take to evade background checks and other forms of detection. This presents risk not only directly to the companies that hire them, but potentially also to their downstream customers. Their access to internal systems can lead to employment law issues and may also provide threat actors with the means to compromise vendors or supplier systems, resulting in potential liability and reputational harm.

Companies with global IT talent should expect enhanced scrutiny from regulators and law enforcement. Early threat assessments and strengthening of controls and compliance procedures can help protect against these threats. In cases where companies identify incursions by these threat actors, robust internal investigations, voluntary self-disclosures, and proactive remediation measures may help mitigate such enforcement risk. For these reasons, companies at risk for such attacks, in particular those with remote IT workers, may wish to consider taking immediate steps to assess and address these threats, supported by expert guidance, and where needed to act swiftly and under privilege to investigate and address identified issues.

3. Recent OFAC and DOJ Enforcement Actions

In actions on July 8, July 24, and August 27, 2025, OFAC imposed sanctions on individuals and entities facilitating North Korea’s remote IT worker schemes. The sanctioned actors include citizens of Russia, China, India, and Burma, and companies in Russia, China, and Hong Kong, showing the scope of North Korea’s effort.

Alongside OFAC sanctions, the U.S. Department of Justice (DOJ) announced on June 30, 2025, sweeping law enforcement actions targeting North Korea’s remote IT worker scheme, including “two indictments, an information and related plea agreement, an arrest, searches of 29 known or suspected ‘laptop farms’ across 16 states, and the seizure of 29 financial accounts used to launder illicit funds and 21 fraudulent websites.” Together, these actions highlight the urgent compliance and enforcement risks facing U.S. companies that rely on remote IT workers.

Specifically, DOJ alleged that North Korean IT workers used stolen or fraudulent identities to obtain employment with more than 100 U.S. companies as IT workers, aided by individuals in the U.S., China, United Arab Emirates, and Taiwan, as part of an organized campaign to evade sanctions and fund the North Korean government’s illegal activities, including its weapons programs. DOJ further alleged that “U.S.-based individuals enabled one of the schemes by creating front companies and fraudulent websites to promote the bona fides of the remote IT workers, and hosted laptop farms where the remote North Korean IT workers could remote access into U.S. victim company-provided laptop computers.”

After being hired, the North Korean IT workers began to receive regular salary payments while gaining access to, and in some cases stealing, sensitive data from their employers, including U.S. military technology under export control and, in at least one case, virtual currency. These actions follow public reporting on such schemes and their evolving tactics by technology vendors such as Mandiant and Okta, as well as media reporting from The Wall Street Journal and Politico, in addition to related indictments concerning such schemes announced on July 24, 2025, January 23, 2025, and December 12, 2024.

4. Steps Companies Can Take to Mitigate These Risks

As companies grapple with the reality of these North Korean IT worker schemes and their potential impacts, they should begin to consider their own comprehensive and cross-functional internal procedures focused on identifying fraud, assessing exposure, and mitigating risks. Investigations should be organization-wide, as the schemes put the whole company at risk of infiltration. For example, while cyber-attacks may be reported to cybersecurity teams, human resources departments and third-party vendors also serve as a critical line of defense. Organizations that develop open communication streams and work together cross-functionally to confirm the identities of prospective remote workers will be better positioned to protect against such schemes.

Conducting training on social engineering risks, red flags in recruiting, and tactics used by fraudulent IT workers is a key step in sanctions compliance and can significantly reduce exposure to the list of key risks above.

There are additional practical steps that companies can take to address these risks. For example, one initial step is to conduct a risk assessment to identify a company’s potential vulnerability to these attacks based on its business activities, structure, and existing controls, and to propose any needed improvements to the company’s controls and policies to address these risks. These may include technological, operational, and policy changes to a company’s threat detection systems, IT asset management, operational security, background checks and employment procedures, and sanctions and export control screening systems.

Such reviews also may include:

      1. Recent Hires Review: Identifying all current and recent remote IT workers, particularly those hired through recruiting firms or third-party vendors, as well as reviewing onboarding records, resumes, and identification documents.

      2. Vendor and Payment Review: Conducting sanctions screening and reviews of vendors and third parties to identify the use of aliases and suspicious parent or subsidiary companies, and mapping payments to confirm their ultimate destination.

      3. Identity and Access Analysis: Examining IP addresses, device logs, and VPN records for indicators such as multiple accounts operating from a single network location, sign-ins routed through commercial VPN services, or activity inconsistent with a worker’s stated location; and, to disrupt deepfake technology on video calls, considering calls held near windows (where changing natural light strains synthetic video) or asking suspicious users to pick up items in their background.

      4. Data Privacy and Export Controls Review: Conducting forensic analysis on systems accessed by suspicious users and assessing whether ITAR or EAR-controlled information was exposed, along with potential trade secrets or other financial assets.
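As an added illustration of the identity and access analysis described above (this is example code written for this page, not Crowell’s or any vendor’s tooling), the following Python script runs a few of these checks over constructed sign-in records: several accounts authenticating from one source address (the pattern a laptop farm produces when many company-issued laptops sit behind one facilitator’s connection), sign-ins from an assumed commercial VPN range, a geolocated country that differs from the country the worker claimed at hiring, and one account appearing in two countries within a few hours. The log format, the user names, the RFC 5737 documentation addresses, the placeholder VPN range, and the assumption that an upstream step has already geolocated each IP are all assumptions made for the example.

```python
"""Triage remote-worker sign-in records for laptop-farm and location-evasion
indicators. Added example with constructed data; not an official tool."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (fictional users, RFC 5737 documentation IPs).
# 'claimed' is the country the worker gave at hiring; 'geo' is the country an
# assumed upstream IP-geolocation step assigned to the source address.
SAMPLE_LOGS = """\
2025-09-01T13:02:11Z user=avery.l ip=198.51.100.7 device=HW-77A1 geo=US claimed=US
2025-09-01T13:05:40Z user=brook.m ip=198.51.100.7 device=HW-3C52 geo=US claimed=US
2025-09-01T13:09:03Z user=casey.r ip=198.51.100.7 device=HW-91D0 geo=US claimed=US
2025-09-01T13:12:55Z user=dana.k ip=198.51.100.7 device=HW-6E27 geo=US claimed=US
2025-09-01T14:30:00Z user=emery.p ip=203.0.113.21 device=HW-10C4 geo=US claimed=US
2025-09-01T22:15:00Z user=finley.s ip=192.0.2.44 device=HW-2B90 geo=US claimed=US
2025-09-02T00:40:00Z user=finley.s ip=192.0.2.200 device=HW-2B90 geo=CN claimed=US
2025-09-02T09:00:00Z user=gray.t ip=192.0.2.9 device=HW-4F11 geo=US claimed=US
"""

# Assumed anonymizer/hosting ranges. A real deployment would load a commercial
# VPN/hosting feed; this placeholder uses a documentation prefix only.
ANONYMIZER_RANGES = [ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def shared_ip_accounts(records, min_users=3):
    """Source IPs used by at least min_users distinct accounts.
    Returns {ip: sorted user list}. Corporate egress or carrier NAT can also
    produce this, so treat a hit as a lead for HR/IT follow-up, not proof."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_users}


def anonymizer_logins(records):
    """(user, ip) pairs whose source address falls in an assumed VPN range."""
    return [(r["user"], r["ip"]) for r in records
            if any(ip_address(r["ip"]) in net for net in ANONYMIZER_RANGES)]


def geo_mismatches(records):
    """(user, ip, geo) where the geolocated country differs from the claimed one."""
    return [(r["user"], r["ip"], r["geo"]) for r in records
            if r["geo"] != r["claimed"]]


def rapid_country_changes(records, window=timedelta(hours=6)):
    """(user, from_country, to_country) when one account is seen in two
    countries within `window`, a location-control evasion indicator."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    hits = []
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            if a["geo"] != b["geo"] and b["ts"] - a["ts"] <= window:
                hits.append((user, a["geo"], b["geo"]))
    return hits


def triage(text):
    """Run every check and return the findings keyed by indicator name."""
    records = parse_log(text)
    return {
        "shared_ip": shared_ip_accounts(records),
        "anonymizer": anonymizer_logins(records),
        "geo_mismatch": geo_mismatches(records),
        "rapid_country_change": rapid_country_changes(records),
    }


if __name__ == "__main__":
    for indicator, findings in triage(SAMPLE_LOGS).items():
        print(f"{indicator}: {findings}")
```

Each finding is a starting point for the cross-functional review the alert describes (HR confirming the worker’s identity documents, IT checking for unauthorized remote-control software on the device, and counsel assessing sanctions exposure), not a determination on its own; thresholds such as `min_users` and the time window should be tuned to the organization’s own egress and travel patterns.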

5. Conclusion

Crowell & Moring LLP (Crowell) is well positioned to serve clients who may be at risk and/or concerned with such schemes. Our team includes attorneys with deep experience in cybersecurity, privacy, government investigations, sanctions, and export controls, based on combined decades of experience in senior roles at relevant federal government agencies and companies, and from assisting private clients. We provide coordinated, informed approaches to these problems and can help mitigate legal exposure while maintaining privilege. We are experienced at assisting companies in all stages of such matters, from risk assessments through internal investigations and remediation, disclosures to regulators, and civil and criminal defense.
