Fake job applicant exposes North Korea’s global remote worker scheme


A cybersecurity investigation involving a remote job applicant known as “Jo” revealed the inner workings of a North Korean remote employment operation that U.S. officials say generates hundreds of millions of dollars each year for Pyongyang. 

The case began with a routine interview for an artificial intelligence role at the Virginia-based security firm Nisos and expanded into a three-month investigation that uncovered suspected North Korean operatives, a laptop farm operating from Florida homes, technical connections to China, and a network that authorities say funnels money toward the country’s weapons programs.

Jo initially appeared to be a highly motivated software professional. His typical workday started between 1 a.m. and 5 a.m. Eastern Time and could run as long as 10 hours, according to analysis by Nisos. He worked six days a week, usually taking Saturdays off, and maintained three jobs at the same time while continuing to pursue additional positions. His job search activity was intense, with as many as 50 applications submitted daily, and his email inbox was regularly filled with interview requests and automated job recommendations.

One of those applications led to a video interview in June for a difficult-to-fill artificial intelligence role at Nisos, a corporate investigations and cybersecurity company headquartered in Virginia. When the meeting began, Jo appeared on camera wearing an orange T-shirt in a beige room and stated that he was located in Palm Beach Gardens, Florida.

During the conversation, Nisos’ chief people officer, Magen Gicinto, asked about weather conditions in the area.
“I heard you guys had, I think, Hurricane George recently. How was your house? How was Palm Beach?”

Jo paused before answering and looked away from the screen.
“Luckily my place was fine.”

The problem was that there had been no such hurricane. Moments later, when asked to share his computer screen, Jo disconnected from the call.

By that point, the company already suspected that the applicant’s identity might be fabricated. Although Nisos did have a real opening for the position, the company chose not to hire him conventionally. Instead, investigators continued the process in order to observe his activity.

For roughly ten years, North Korea has operated programs designed to place remote technology workers inside foreign companies. According to U.S. government agencies, the wages those workers earn are partially transferred back to Pyongyang to circumvent sanctions and help fund programs connected to weapons of mass destruction and ballistic missiles. Authorities have warned that the practice is expanding. The FBI stated last year that the schemes were becoming “increasingly malicious,” and the Department of Justice described the situation as a “code red.”

Executives at Nisos believed Jo might be part of such a network. They decided to send him a company laptop equipped with monitoring software and track how he used it.

Over approximately three months, analysts identified what appeared to be a group of at least 20 suspected North Korean operatives connected through the same system. According to Nisos, those individuals collectively submitted at least 160,000 job applications. During the period investigators were monitoring the network, members held positions at five U.S.-based companies. Evidence indicated that the workers were likely operating from China while receiving logistical support from an American citizen working from two suburban houses in Florida.

Access to the laptop allowed investigators to monitor communications between the workers almost continuously. Analysts concluded that the group functioned as an organized IT unit linked to the Democratic People’s Republic of Korea (DPRK). Job applications were coordinated internally, references were exchanged within the group, and interview schedules were shared among members.

Despite the structured system, communications among the workers often resembled casual workplace conversations. Messages included Minion-themed GIFs, discussions about meeting for drinks, references to smoking cigarettes, and invitations to play the online drawing game skribbl.io. Most exchanges took place in English.

Jared Hudson, the chief technology officer at Nisos, said the monitoring provided a rare view of how these cells function.

“We could see the coordination. We could see the facilitators. We could see the hierarchy of their cell.”

Before the laptop was shipped, Nisos said it coordinated with the Federal Bureau of Investigation and later informed law enforcement about the American identity that had been stolen and used by Jo. An FBI spokesperson told NBC News that the agency does not confirm or deny individual investigations.

Government officials have increasingly warned companies about infiltration attempts involving North Korean technology workers. In July, Jeanine Pirro, the U.S. attorney for the District of Columbia, addressed the issue during a press conference following a criminal case connected to the scheme.

Her remarks came after Christina Chapman, a resident of Arizona, was sentenced to more than eight years in federal prison for assisting North Korean IT workers. Prosecutors said the operation she helped manage generated over $17 million in illegal revenue and infiltrated more than 300 organizations, including government agencies, by using 68 stolen American identities. The Justice Department described the case as the largest identity-theft scheme of its kind.

Authorities say the risks go beyond payroll fraud. According to the Justice Department, one North Korean worker obtained sensitive information linked to U.S. military technology. In another instance, an American collaborator obtained credentials that allowed access to government facilities, networks, and systems. At least three organizations have been subjected to extortion attempts after proprietary data was published online by IT workers, resulting in hundreds of thousands of dollars in losses. Last summer, prosecutors charged a North Korean IT worker with stealing more than $700,000 in cryptocurrency assets from a company based in Georgia.

Security researchers have also identified new tactics used in hiring operations. Analysts found fake job platforms impersonating well-known U.S. companies, including the artificial intelligence firm Anthropic, with the goal of infecting applicants’ computers with malware.

The cybersecurity company CrowdStrike reported a 220% increase in 2025 in cases where North Korean developers secured remote jobs at Western companies through fraudulent identities.

Jenny Jun, an assistant professor at the Georgia Institute of Technology who has testified before Congress on North Korea’s cyber activities, described the structure of these operations as combining state resources with criminal techniques.

Some North Korean IT workers reportedly earn more than $300,000 annually, according to congressional testimony from Bruce Klingner, a former CIA deputy division chief for Korea. As much as 90% of those wages can be redirected to the regime.

International estimates suggest the scale is large. The United Nations has calculated that the schemes generate up to $600 million each year, while a U.S. State Department sanctions monitoring assessment estimated revenue as high as $800 million in 2024. Authorities say the funds are used in part to support weapons programs.

The rise of remote employment after the COVID pandemic created conditions that made such operations easier. Roman Rozhavsky, assistant director of the FBI’s Counterintelligence Division, said the shift toward online work expanded opportunities for infiltration.

The Nisos investigation began with Hudson’s suspicion during the initial interview. After the call ended, he sent a message to Gicinto indicating that the applicant’s responses appeared scripted. Hudson believed Jo might have been reading answers generated by artificial intelligence due to the long pauses between responses.

Further examination of Jo’s résumé revealed inconsistencies. During a second interview, Jo disconnected again when asked to share his screen and did not provide a portfolio, which is typically expected from an engineer claiming more than 15 years of experience.

About two weeks later, Gicinto contacted him again with a proposal: a $5,000 retainer payment for help with what the company described as urgent artificial intelligence tasks. Jo replied quickly and confirmed he was ready to begin work. He provided a mailing address in Florida and bank account information connected to Missouri.

In early August, after informing the FBI, Nisos shipped a laptop with monitoring tools to a single-story house in Palm Bay, Florida. When investigators activated the webcam, they observed 40 devices connected to the same home network. Analysts determined that about 20 of them were likely part of a laptop farm.

Laptop farms are locations where computers from different companies are physically stored so that remote workers overseas can log into them through specialized software. The setup provides both a U.S. mailing address and a domestic internet connection, which helps convince employers that a worker is located inside the country.

When Jo accessed the laptop, investigators gained entry to the messaging platform used by the group coordinating job searches. Members tracked interview schedules, shared references, and monitored application totals. At one point, Jo also searched online for cultural information about the United States, including the question “What sports do Americans usually play?”

Investigators attempted to determine the location of the users by sending two documents containing tools capable of capturing IP information. When Jo opened them, the system detected access through a virtual private network commonly associated with North Korean IT workers operating from China. Additional activity from the associated email account showed connections from an IP address near Shanghai.

Jo’s email inbox contained a large number of recruitment messages. Screenshots reviewed by NBC News included subject lines such as “let’s meet!” and “thanks for your interest.” Analysts estimated that Jo had applied for about 5,000 jobs over roughly a year.

The internal structure of the group appeared to involve four teams managed by captains. According to Nisos, those supervisors deducted $1 from workers’ wages for each mistake made on job applications or for applying to incorrect roles.

Investigators also discovered that multiple workers sometimes shared both laptops and job responsibilities. According to Hudson, interviews were conducted throughout the day, and employment often lasted until companies identified the fraud and terminated the worker.

Through the monitoring system, Nisos could also see which companies employed members of the network. Ryan LaSalle, the company’s chief executive officer, contacted those organizations to warn their security teams.

Many companies had not detected the activity.

In September, Jo returned the laptop without having received payment or assignments from Nisos. The device was mailed from a different rental property in Melbourne, Florida. By that stage, investigators believed they had collected enough technical evidence to associate the activity with North Korea.

The infrastructure supporting such operations often relies on intermediaries. North Korean IT teams depend on individuals in other countries to host laptop farms, manage bank accounts, and route payments. In at least one case described in court records, a facilitator was recruited through a mobile video game application.

The process typically begins with building digital identities, frequently using stolen American identities. Workers apply to large numbers of remote jobs. When a persona becomes compromised or employment ends, another identity is created, and the process resumes.

Once a job is secured, employers send laptops to addresses controlled by facilitators. Remote-access software then allows workers outside the United States to perform tasks from those machines.

Federal prosecutors have charged at least 10 U.S.-based facilitators, including an active-duty member of the U.S. Army, with involvement in hosting laptop farms, moving money, and operating shell companies. Court filings also mention six additional alleged facilitators whose names have not been publicly disclosed.

One example involved Kejia “Tony” Wang, an American citizen who traveled to China in 2023 to meet co-conspirators and IT workers in Shenyang and Dandong. According to court documents, laptops from more than 100 U.S. companies, including a California defense contractor, were sent to Wang. He established shell companies used to transfer wages earned overseas. Wang pleaded guilty to wire fraud, money laundering and identity theft and is scheduled to be sentenced next month.

Investigators say international financial networks are used to move the proceeds. Nick Carlsen, a senior investigator at the blockchain analytics company TRM Labs and a former FBI intelligence analyst focused on North Korea, explained that Chinese financial intermediaries frequently handle these transactions.

Since Kim Jong Un assumed power in 2011, North Korea has expanded cybercrime activity, including large cryptocurrency thefts. According to the FBI, the country was linked to a record $1.5 billion cryptocurrency theft last year.

Financial intermediaries connected to Chinese networks operate across southern China and Southeast Asia, including Myanmar, Hong Kong, Macao and China’s Fujian province. They use cryptocurrency “mixers,” which divide digital assets into smaller segments in order to obscure their origin.

Andrew Fierman, head of national security intelligence at Chainalysis, said the money earned through IT worker schemes usually moves through shorter laundering chains than the proceeds from major cryptocurrency theft operations.

The United States has taken steps to disrupt the operation through sanctions and criminal cases. On Thursday, the U.S. Treasury Department announced sanctions against six individuals and two entities linked to government-directed IT worker schemes tied to North Korea.

The sanctions, issued through the Office of Foreign Assets Control and first reported by CBS News, targeted networks operating in North Korea, Vietnam, Laos, and Spain.

Among those designated was Amnokgang Technology Development Company, a North Korean technology firm accused of sending workers abroad and obtaining military and commercial technology through foreign networks.

The Treasury Department also sanctioned Nguyen Quang Viet, the chief executive of Quangvietdnbg International Services Company Limited in Vietnam. Authorities allege the company converted approximately $2.5 million into cryptocurrency between mid-2023 and mid-2025, including funds connected to the IT worker scheme.

Another individual identified in the sanctions, Yun Song Guk, supervised freelance IT workers operating from Boten, Laos, coordinating payments and service contracts tied to foreign partners.

Under U.S. sanctions law, any property or financial assets belonging to the designated individuals within U.S. jurisdiction are blocked. American citizens and companies are generally prohibited from conducting transactions with them.

North Korea has rejected accusations connected to cyber operations. Following earlier indictments by the U.S. Department of Justice, the country’s foreign minister described the allegations as “an absurd smear campaign” targeting what it called the “non-existent ‘cyber threat’ from the DPRK,” according to the Korean Central News Agency.

China also rejected claims that its nationals were involved. Chinese Embassy spokesperson Liu Pengyu said the accusations lacked a factual basis.

Security researchers say the employment schemes continue to expand into new sectors. North Korean IT teams have begun subcontracting work to developers in Pakistan, Nigeria, and India, and are pursuing positions in customer service, financial processing, insurance, and translation services.

Michael Barnhart, who leads nation-state threat intelligence at DTEX, said the strategy complicates detection because these positions often receive less scrutiny than software development roles.

Barnhart previously assisted the FBI during a 2021 ransomware attack against a Kansas hospital, which occurred during a wave of cyberattacks targeting NASA and military bases. In that incident, a North Korean hacking group infected hospital systems and demanded about $100,000 in bitcoin to restore operations. The hospital paid.

Investigators later observed that the operator responsible for the attack also participated in the placement of IT workers in remote jobs. Income generated from those jobs supported the group’s hacking operations against U.S., South Korean, and Chinese government and technology targets.

Roman Rozhavsky of the FBI warned that removing a worker from a company may not eliminate the risk if unauthorized access points remain in the system.

Members of the U.S. Senate have proposed legislative responses. Sen. Gary Peters of Michigan and Sen. Mike Rounds of South Dakota introduced the Protecting America from Cyber Threats Act, a proposal that would extend cybersecurity authorities for another decade and encourage companies to share threat intelligence with federal agencies.

Investigators say thousands of workers connected to the remote IT programs remain outside the reach of U.S. law enforcement, and many operate from China.

Nick Carlsen summarized the background of those workers by describing them as individuals selected from North Korea’s most capable students in mathematics and science.