Technology
North Korean IT workers infiltrate U.S. companies in new podcast series
North Korean IT workers posing as remote developers inside U.S. companies are the focus of the second season of Nicole Perlroth’s award-winning podcast, To Catch a Thief. Nicole Perlroth is joining to discuss the reporting. Rubrik’s June 9, 2026 launch materials call the series, To Catch a Thief: North Koreans On Our Payroll, an investigation into how operatives infiltrate the global workforce.
The scheme exploits the same hiring channels many employers now rely on for speed and scale. North Korean workers and their facilitators use stolen or false identities, fake job-search accounts, virtual interview cover, U.S.-based laptop farms and front businesses to pass remote screening and keep access once inside. Rubrik’s June 9, 2026 launch materials say the operation has reached Fortune 500 companies, U.S. government agencies and critical infrastructure, while also funneling hundreds of millions of dollars a year back to North Korea’s regime and its nuclear weapons program.
On May 16, 2024, the FBI warned that North Korea was evading U.S. and U.N. sanctions by using IT workers to generate revenue, often with help from U.S.-based individuals who may be witting or unwitting. On January 23, 2025, the FBI warned that some North Korean IT workers had escalated to data extortion and theft of proprietary code. On July 23, 2025, the FBI called the activity a threat to U.S.-based businesses and urged continued vigilance.

On June 30, 2025, the Justice Department’s coordinated nationwide actions included two indictments, an information and related plea agreement, one arrest, searches of 29 laptop farms across 16 states, seizures of 29 financial accounts and seizures of 21 fraudulent websites. The department said the scheme touched more than 100 U.S. companies, including many Fortune 500 firms, and that the defendants compromised the identities of more than 80 U.S. persons. Victims incurred at least $3 million in legal and other fees, and since 2024 Microsoft Threat Intelligence has observed North Korean remote IT workers using AI to make their operations larger and harder to detect.
Common warning signs include mismatched identities, interviewers who never appear in person, U.S.-based device relays, overreliance on contract onboarding and newly created accounts that cannot withstand basic verification. Some workers also use unlawful access to exfiltrate data, hold stolen code hostage for ransom and publicly release proprietary code once they are inside.
Sources
- [1]cbsnews.com
- [2]rubrik.com
- [3]ic3.gov
- [4]fbi.gov
- [5]justice.gov
- [6]microsoft.com