Nisos Exposes North Korean Cell Behind 167,000 Fake Job Applications to U.S. Companies

News provided by

Nisos

Jun 16, 2026, 09:00 ET

New Research Reveals North Korean Operatives Submitted More Than 166,000 Applications, Secured 76 Job Offers, and Used AI, Stolen Identities, and U.S.-Based Facilitators to Infiltrate Organizations

ARLINGTON, Va., June 16, 2026 /PRNewswire/ -- Nisos, the human risk management company, today released new research exposing the inner workings of a Democratic People's Republic of Korea (DPRK)-linked employment fraud operation that conducted industrial-scale job application campaigns against U.S. companies. The report, entitled "People, Process, Personas: Nisos Exposes the Human Risk in DPRK Employment Fraud Schemes," provides a rare inside look at how North Korean operatives use stolen identities, artificial intelligence tools, remote access technology, and U.S.-based facilitators to obtain employment and generate revenue for the regime.

The research is based on an investigation that began after a suspected DPRK operative applied for a remote AI architect position at Nisos. Working with law enforcement, and leveraging insights gathered through its investigation, Nisos uncovered a coordinated cell that operated between late 2024 and 2025, and primarily targeted technology organizations with large-scale employment fraud.

Highlighted in Season Two of the "To Catch A Thief" podcast, Nisos' investigation revealed a mature operation capable of generating thousands of applications and interviews for remote U.S. IT jobs per operative, all while simultaneously managing multiple employment personas. With an estimated 22 operatives in the cell, each was roughly responsible for 7,586 applications and 984 interviews, and received 3.5 job offers.

Key findings from the research include:

  • A DPRK-linked cell consisting of up to 22 operatives submitted at least 166,893 job applications and participated in more than 21,645 interviews with U.S. companies.

  • The operation secured at least 76 job offers from U.S. companies between December 2024 and September 2025.

  • Operatives used appropriated identities, fraudulent documentation, AI-assisted interviewing techniques, and U.S.-based facilitators to obtain employment.

  • The cell maintained a formal organizational structure with administrators, managers, team leads, operatives, and external facilitators.

  • Technology companies accounted for 42.6% of organizations that extended job offers to the operation, followed by consulting, healthcare, and financial services firms.

  • Operatives leveraged AI tools, accent-training applications, remote access technologies, and laptop farms to evade detection during hiring processes.

  • Operatives used 3-letter initials to protect identities, compartmentalized communications across platforms (Discord, Telegram, WhatsApp), and exclusively used English to avoid native language detection.

  • The cell recruited U.S.-based facilitators (or "natives") to attend interviews, complete onboarding activities, manage employer-issued devices, facilitate drug tests, and support ongoing operations. Natives were often compensated via ERC20 cryptocurrency.

"DPRK employment fraud has evolved into a highly organized and scalable operation that blends human deception, technical tradecraft, and AI-enabled tactics," said Ryan LaSalle, CEO of Nisos. "What makes this threat particularly concerning is that these actors are no longer relying solely on traditional cybercrime. They are embedding themselves within organizations, collecting salaries, gaining access to systems and data, and generating revenue for the regime through seemingly legitimate employment."

A Mature Organization
According to the new report, the operation maintained a sophisticated infrastructure that included a Discord-based communications environment, performance-tracking dashboards, identity brokers, and networks of U.S.-based facilitators. Operatives managed multiple employment personas simultaneously, and tracked metrics such as applications submitted, interviews completed, and offers received.

The research also highlights how AI is reshaping employment fraud. Operatives used AI-generated resumes, AI-assisted interview coaching, real-time response generation during interviews, and voice-training applications to improve their chances of securing employment while maintaining fraudulent identities.

The operation primarily targeted software engineering, development, and data-related roles, which accounted for more than 70% of the pursued positions. Researchers observed salaries ranging from approximately $55,000 to $230,000 per role.

"Many organizations still view employment fraud primarily as an HR challenge, but it has become a significant human risk and security issue," added LaSalle. "Security, HR, legal, and executive leadership teams must all work together to identify suspicious indicators earlier in the hiring process. With coordinated efforts they can reduce the likelihood that fraudulent actors gain access to company systems, intellectual property, and sensitive data, or takeaway job opportunities from legitimate candidates."

Expertise in Uncovering DPRK Fraud
The new report builds on Nisos' ongoing investigation into DPRK-linked employment fraud operations. In 2025, after identifying a suspicious applicant for a remote AI architect role, Nisos conducted a controlled investigation that exposed a U.S.-based laptop farm supporting fraudulent remote workers. That investigation revealed the use of AI-generated resumes, appropriated identities, VPN services, remote access technologies, and other tactics now examined at scale in the company's latest research.

Nisos' earlier findings were also featured in a national NBC News report examining North Korea's use of remote employment schemes to generate revenue and gain access to corporate environments.

The latest report expands on this work by providing a detailed examination of the structure, processes, technologies, and operational tradecraft used by the larger DPRK employment fraud cell. The report provides detailed insight into how these actors create personas, navigate hiring processes, leverage AI tools, and maintain ongoing employment within targeted organizations.

For a copy of the full research report, please click here. To access all of Nisos' DPRK employment fraud research, please visit: https://nisos.com/dprk-it-worker-fraud/.

About Nisos
Nisos is the human risk management company specializing in unmasking threats before they escalate. The company is a trusted advisor, operating as an extension of security, intelligence, legal, and human resource teams to protect their people and business. Nisos' intelligence-led solutions help enterprises make critical decisions, manage human risk, and drive real world consequences for digital threats. For more information, please visit: https://www.nisos.com or follow us on LinkedIn.

Media Contact:
Jeff Drew
Guyer Group for Nisos
P: 617.233.5109
E: [email protected]

SOURCE Nisos

21%

more press release views with 
Request a Demo

Also from this source

Nisos Announces Formation of Board of Advisors

Nisos, the human risk management company, today announced the formation of its Board of Advisors. The board includes security market luminaries with...

Nisos Expands Ascend™ Platform with New Insider Threat Intelligence Module to Help Organizations Build a Trusted Workforce

Nisos, the human risk management company, today announced the launch of the Insider Threat Intelligence module for its Ascend™ platform. Ascend...
More Releases From This Source

Explore

Computer & Electronics

Computer & Electronics

High Tech Security

High Tech Security

Computer Software

Computer Software

Computer Software

Computer Software

News Releases in Similar Topics