Transcript of Ep. 1: Strange Things Are Happening

To Catch a Thief: North Korea On Our Payroll
00:00:01

A new breed of worker is quietly clocking in across the United States. They're writing code, managing your passwords, training the next generation of AI models. They're gaining trust and access. They've turned up at Fortune 500 companies in entertainment, ag, tech, cybersecurity companies. We found them at defense contractors and US government agencies. One even popped up at a nuclear utility. On paper, they're the dream hire: skilled, low maintenance, always remote, and often affordable. And by most accounts, they're doing the work. But strange things are happening.

00:00:51

As far back as 2023, we had a couple of odd incidents, and we just didn't, I didn't understand what was happening. The person not wanting to be on camera.

00:01:02

That person didn't really look right on screen. That person took a lot of time to answer questions. You see them looking off screen where they're using some sort of chatbot to answer questions. Employers are waking up to a deeply unsettling realization. The person they hired is not who they thought they were.

00:01:27

We have an individual that didn't seem to know what they were supposed to know. The person's resume says they've got 15 years as a senior developer, yet the ID shows they must have been 10 years old when he went to college.

00:01:41

These mystery workers, they're applying by the thousands. They're making it past HR screenings and background checks. And once they're in, they know how we work, in some cases even better than we do ourselves.

00:01:56

Some of these guys are funny. I wouldn't say it's innovative as much as it is how well they understand our system. Like, how do they understand our society so well? They know that HR can't talk to a certain person if they're on med leave, if they're sick. So I've seen an IT worker that started smelling the heat, and they knew that they were coming for him, so immediately he went on med leave: "Hey, I'm sick." Who knows what they're capable of?

00:02:21

Nicole, when this first came up, I remember putting my head in my hand and saying, this was my worst nightmare.

00:02:30

By now you're probably thinking these workers are part of a scam ring or a ransomware crew, and that description is not far off. But zoom out and a different picture emerges. These workers aren't freelance criminals. They're part of a global labor pipeline, managed, trained, and deliberately planted by a nation-state. And not the usual suspects. Not China. Not Russia. Though both will make a cameo. The actor behind this operation? It's the one we least expect.

00:03:09

North Korea.

00:03:10

North Korea. North Korea employs sophisticated computer hackers trained to launch cyber infiltration and cyber attacks against the ROK. Kim Jong-un, like his father and his grandfather, has played an extremely weak hand brilliantly.

00:03:25

There are people who, like, get out there and say, "This man's crazy." If so, he is crazy but a pretty brilliant strategist, a pretty brutal player, and pretty savvy at understanding how small technological edges in nuclear and in cyber enable him to have the power to reach out at the United States and other enemies.

00:03:57

I'm Nicole Perlroth, and this is To Catch a Thief. I've spent the past 16 years swimming in cyber threats. For a decade, I was the New York Times' lead cyber reporter. I wrote a book, This Is How They Tell Me the World Ends, investigating the ins and outs of the cyber arms market. And now I travel the world educating people about cyber threats and partnering with those determined to solve them. Ask any cyber expert which nation continues to blindside us and one name keeps coming up. Not because it's the biggest or the most technologically advanced, but because no country punches further above its weight than North Korea. Its hackers have crippled a Hollywood movie studio, taken direct aim at free speech, stolen billions in cryptocurrency, and now they're infiltrating the global workforce at a scale most people have no grasp of. But it has quietly become an economic emergency. They've proven remarkably innovative, and they're early adopters. North Korea embraced cryptocurrency long before most governments even understood it. And now they're doing the same with AI, evolving far beyond the cartoonish caricature we still cling to. Here's Andrew Scott, who spent most of his career inside three-letter agencies, like the CIA, tracking Chinese and North Korean cyber threats from the inside.

00:05:42

Inside government, we started looking at the North Korean cyber program as the Imagineers of cyber. We discount the level of, I hate to use the word, but, sophistication of the North Koreans. We think of them as a hermit kingdom. We think of them as isolated. We think of them as impoverished, when in reality, they are incredibly capable and they've spent the time, energy, effort, and money into building something that they can use to achieve their aims.

00:06:15

North Korea has spent decades cleverly evading sanctions through smuggling, shell companies, and covert trades of coal and weapons for fuel and cash.

00:06:27

We continue to see illegal imports of additional refined petroleum using ship-to-ship transfers, which are clearly prohibited under the UN resolution. We must all be accountable for cutting off North Korea's illegal coal exports, which provide funds that go directly to its WMD programs.

00:06:43

The perception that sanctions can bring us on our knees is a pipe dream of the people who are ignorant about us.

00:06:51

But today, the regime's most powerful sanctions evasion tools aren't smuggling routes. They're hacking and remote IT work.

00:07:01

I'll tell you, the most interesting thing I've ever seen is without a doubt the IT worker problem, right?

00:07:05

This is employment fraud from a state tied to an intelligence service. That was John Hultquist, Chief Analyst at Google Threat Intelligence. I remember telling people about IT workers in a room and nobody knew what the heck I was talking about. When I talk about it now, everybody's already had an experience with it.

00:07:30

Right. To be clear, this is a nuclear-armed adversary on our payroll. But this isn't just a story about paycheck fraud, because the insider access they gain, it can be used for something else entirely.

00:07:47

They are going to turn that insider access from a revenue-paid salary position into an insider threat position.

00:07:57

If you're paying them $150K a year and they see an opportunity to steal $2 million, I've seen it happen. They'll do it. Have they ever done it? Yeah, they've done destructive attacks. They've done stuff on the inside. So really what we have now is a worldwide chess game, and they've put all their pieces in place. If push comes to shove, you have thousands and thousands of organizations at your disposal that you can start blowing up from the inside.

00:08:26

But we're getting ahead of ourselves, because the story you're about to hear didn't begin with a million-dollar breach or a geopolitical standoff. It began somewhere far more ordinary, just off the Beltway in Arlington, Virginia, where a single employee acting strangely set off a chain of events no one saw coming.

00:08:54

Yeah, it's a fascinating story. Back in 2022, we were working a threat investigation for one of our clients.

00:09:01

Meet Ryan LaSalle, the CEO of Nisos, a company that investigates what it calls human risk. Companies hire Nisos to look into insider threats, usually when they suspect a competitor's planted a mole or, on rare occasions, a nation-state operative. In this case, the client asked Nisos to take a closer look at a former IT worker, someone who'd left a strange impression on leadership. Nisos won't name the client because of confidentiality agreements, but suffice it to say, it's one of America's most influential media brands.

00:09:40

They had a weird sense that something was not right with a person who had just left the company. They were a remote worker. They're seldom on camera. When they are, they're pretty occluded, they're backlit. You can't see them. And their performance and their skills not matching their resume, their behaviors seeming kind of antisocial. The disconnect from their team. There were a lot of weird things about the quality of their work, and it gave the head of security a weird tingly sense in the back of his neck. The sense was the person wasn't who they said they were. So we kicked off an investigation and found a lot of strange things.

00:10:17

Nisos hands the case to one of their best, Ben Reisenberg, an analyst who'd come to the firm from the CIA. Ben asks the client to turn over everything they've got on this one worker.

00:10:30

We ask our clients to send us basic phone numbers, email addresses, pictures of the person from meetings, and then we dive in and see what's out there about this person in the wild. And we quickly found that the photo on the LinkedIn page for the individual was reused on other people's LinkedIn pages, different names with the same profile photo, which kind of tipped us off that it is probably somebody who is trying to get jobs in multiple other companies and claim to have different experiences. So that's sort of the tipping point.

00:11:04

These LinkedIn personas with the same photo, they all seem to materialize overnight. Despite lengthy resumes and polished work histories, many of these profiles had only recently been created. And they're self-referential. They're connected to one another. Several even list the same colleges and former employers. And those former employers, they don't pass the sniff test either.

00:11:30

One company, for instance, claimed to be located in Michigan. When I looked to see what the building was, it used to be a frat house back in the day. Nobody lived there.

00:11:39

And everyone who claimed to have worked at this fake company in a former Michigan frat house hadn't been on LinkedIn for very long. In fact, until recently, these people had very little digital exhaust at all. By now, if you're a real person living in this most interesting century, there's a 99.99% chance you've been the victim of some kind of data breach. Your information's out there: your usernames, your passwords, they're all splayed out on the dark web. But these employees, somehow they've managed to evade every known breach.

00:12:17

What breach data really is, is a bunch of email addresses or passwords leaked on the dark web for LinkedIn users, for instance. And if somebody is not appearing in those breaches and leaks, that's usually an indication that something was set up that's fake or is brand new. And none of these people have breach data out there on their email addresses, on their phone numbers, on their names.

00:12:39

These people seem to come out of thin air.

00:12:42

Exactly. That is probably one of the most ironic things for most security professionals that usually gets a laugh. Like, wait, you're telling me that the thing that I spend my life trying to protect against, a data breach, is one of the number one ways you can tell if someone's real or not? Because everybody who's real has been impacted? That's correct. We've all gotten those notices from our health insurers, from our retailers, from all the different places that we have lost data. And so if you haven't, then you haven't existed in a digital life.

00:13:12

But it wasn't just this one worker. Everyone in his network had miraculously managed to avoid every known data breach. And when Nisos dug into their email addresses, it became clear they weren't looking at an isolated case. They were looking at a system.

00:13:30

They all use certain numbers. So we see 0317 in all the email addresses. So it might be Mike Myers 01317. The next email that we see in the application is Michael Jones 0317. So there's patterns. They usually use .dev in their email address or .engineer. So they know what kind of jobs they're applying to. It makes it easier on the backend to remember all this.

00:13:54

Once it's clear this worker's online presence had been systematically faked, Nisos shifts its focus to his laptop and its physical location.

00:14:03

So once we figured out that there's something going on, that this is an employment scheme, we asked the client, "Can you send us the shipping address for the laptop?" What was really interesting in that case, this is the first time we saw this happening, was that the shipping address was changed right before the laptop was supposed to go out.

00:14:20

This was a big tell and one that will come up again and again.

00:14:25

We ask where we can send you a laptop from our company and you change your address at the very last second. You know, "I live in Texas, but my mom is really sick and so I'm visiting her in Atlanta. Can you send it to her house in Atlanta?" It's very understandable to an HR team. Be like, of course we want you to be with your mom when she's sick. We'll send you the laptop right there. But it's also a classic redirection. And that's exactly what happened with this one.

00:14:50

So in this case, the employee had actually told this client he lived in Atlanta, but then at the last minute he told them his mom was sick and he asked them to ship the laptop to Nashville. So Nisos looks into this address. And what they found was no worker, no one who even looked like the guy the company had interviewed on camera, no sick mother, no one who matched the story at all. Okay, if your privacy hackles are going up right now, it's worth reminding everyone that your corporate laptop is not a personal device. You have no expectation of privacy there. Your location, your emails and browsing activity, it's all fair game the moment you do anything to trigger a security alert. But I should also mention that these investigations aren't meant to be arbitrary. They're driven by risk signals, signals that are defined and often constrained by HR and legal frameworks. But yeah, I've covered cases where these investigations have gone way off the rails, but not here, because in this case there were more than enough red flags.

00:15:56

There were two individuals who listed that address who were just finishing their college education. On social media we saw that they had congratulated themselves on just finishing the degree. And we noticed that those people were not the person that applied or that even looked like the person that applied. So we determined that that was probably either somebody housing it there or somebody subletting a room or something like that was happening in that regard.

00:16:20

As Nisos starts investigating the traffic from this one laptop, they discover this employee's been using a VPN, a virtual private network, to bounce their internet connection around the globe. Now, the use of a VPN isn't suspicious. VPNs are common, often required. They allow employees to securely access corporate systems from anywhere. But this VPN stood out: Astrill, an offshore VPN registered in Liechtenstein, one of the few VPNs that reliably evades China's Great Firewall. Okay, so at this point, are you thinking someone's outsourcing their work to China, or that this is some nation-state-level Chinese spy network?

00:17:02

We didn't know if it was nation-state-focused or not. We just said, here are all the data points that we have. We do think that there's something that's shady going on. But in the beginning, we had no idea. We just thought it was weird.

00:17:13

It gets weirder. When they look closer, they realize this wasn't just one connection. The same VPN infrastructure appeared to be routing activity from dozens of laptops, tied to dozens of different companies.

00:17:30

When we peeled back the onion a little bit more and got more into the network, this individual, for instance, was working for Fortune 500 companies. We found all different sectors. It was across the board. It wasn't just one sort of targeted industry per se. So we had technology, we had social media.

00:17:46

Media companies, healthcare, fintech.

00:17:48

And then it just got bigger and bigger to the point where we then were able to figure out IP addresses matched up with what the FBI provided for known VPN addresses for DPRK.

00:18:00

DPRK, the Democratic People's Republic of Korea, shorthand for North Korea. Turns out, as Nisos was heads down in its investigation in 2022, they'd missed an urgent government advisory from the FBI, State, and Treasury earlier that year. The agencies had warned companies that North Korea was dispatching thousands of skilled IT workers overseas to get remote work and generate revenue for the regime. You'd think that advisory would have been big news, but like most cyber threats, it barely registered. Even within the cybersecurity industry, most people missed it. Nisos only found the advisory mid-investigation, but when they cross-matched their technical findings with the accounts listed in the advisory, bingo. A match.

00:18:57

Oh my God, I cannot believe we tied it to something. That's fantastic. We all jumped around. We're like, this is unbelievable. This is amazing. We need to go back to our client immediately and tell them, because now it's not just an employment scheme. It is something that's way bigger. We said, I think we have a link to North Korea. They got on the phone immediately. So we had a meeting and they said, wow, this is unbelievable. But I think it was shock that this is North Korea. The next question that came was, why are they targeting us? And this is something that we still get asked by clients and prospective clients: why us? Why now?

00:19:33

And that's the million-dollar question. Why are North Koreans taking remote jobs at US companies? Are they stealing trade secrets, setting footholds for future ransomware attacks or extortion? Or worst-case scenario, are these sleeper cells for crippling attacks? The truth is we can't rule anything out. But strangely, most of this comes down to something far simpler: the paycheck. And that's because, well, they need the money. The North Koreans will do anything for money, especially hard currency. Season 1 listeners may recognize that last voice as Jim Lewis. Former diplomat and veteran thinker on how cyber is reshaping global conflict.

00:20:19

We have put every sanction known to man on the DPRK, largely because of their proliferation-related activities, missiles and nukes.

00:20:28

North Korea has successfully tested a hydrogen bomb many times more powerful than devices used in previous tests. We are getting more reaction from North Korea regarding those recent UN sanctions against the regime. The sanctions relief cannot take place until such time as we have demonstrated that North Korea has been completely denuclearized.

00:20:50

The US has sanctioned North Korea in various forms for over 70 years. But North Korea's first nuclear test in 2006 really sent things into overdrive. Since then, the UN has only tightened the chokehold, hoping to force Pyongyang to give up its nuclear ambitions. Instead, the regime has adapted. The DPRK started inventing new, startlingly innovative ways to bring in cash. Now, for those of us who are completely ignorant of the Korean War, can we ask you to give us kind of a 2-minute history lesson on the region and how this current dynamic came to be?

00:21:32

So, everyone, I hope, watches Korean television. And if you don't, you probably listen to K-pop. It's called K-drama. It's great. And they have a lot of historical dramas. The angst for the Koreans is that they had an independent kingdom, and it became a Chinese protectorate. And the Japanese invaded Korea and took it over and made it a colony. Right? That was about 1910. It was a very unhappy moment for the Koreans. So you had a Chinese vassal state for a couple centuries, and you had a Japanese colony, a very tough Japanese colony.

00:22:16

During World War II, an estimated 200,000 women, mostly Koreans, were kidnapped and forced to become sex slaves for Japanese troops.

00:22:25

And then, of course, at the end of World War II, unfortunately, the US drew a map that had a line, our side and their side. The north held by the Soviets, the south held by the Americans.

00:22:41

That line, the 38th parallel, was actually drawn in the span of 40 minutes by a couple of exhausted US colonels late at night. Consulting a National Geographic map, they divided the Korean Peninsula into two roughly equal pieces. But this line didn't follow a river or a mountain range or any natural feature. They just indifferently drew it through villages and families. And it was meant to be temporary, but instead it hardened into a permanent fault line. A single line that still dictates everything that came after.

00:23:25

And so the current leader's grandfather, Kim, said, "Hey, this is my big moment. I always wanted to rule the whole peninsula." And so he invaded. A very messy invasion.

00:23:38

In June 1950, under the direction of Kim Il-sung, North Korean forces crossed the 38th parallel. South Korean villages awoke to a world suddenly filled with noise and flames.

00:23:50

The Communists, made bold by months of small-scale raiding across the 38th parallel, had finally launched their undeclared all-out war of conquest. This attack has made it—

00:24:02

We were completely unprepared, and it went back and forth for a few years. Very messy war.

00:24:08

The war seesawed for 3 years until it froze, unresolved to this day.

00:24:15

The scene is set, the formalities remain. A set of documents is signed by General Harrison. The Red delegates watch their representative put his signature to the treaty. The armistice is signed and cameras record the moment of history. And finally, they ended up with this DMZ, Demilitarized Zone, where they're on one side, we're on the other. We still have a big presence in Korea, military presence in Korea. For a long time, Granddaddy Kim was still hopeful that he could become the ruler of Korea. At one point, he even sent a team into South Korea to assassinate the Korean president to take it over. So a complicated history. That's kind of where we are, and it's been stuck ever since. There's actually no peace agreement between the US and Korea. We're still technically at war. There's just a pause while we sort things out. The difference, of course, is that in, you know, 1953, the Soviet-style economic model and the Western-style economic model seemed to be about the same. North Korea might have been even a little richer in the 1950s. And over the intervening 60 years or so, South Korea pulled way ahead.

00:25:32

North Korea is still a dump, Soviet-style dump. And South Korea is a wealthy, developed country with some great stuff.

00:25:40

This is really the crux of it. South Korea surged into a global economic powerhouse. North Korea collapsed inward, isolated, sanctioned, and desperate for cash. And that desperation needed an outlet.

00:25:55

Let's say you're the leader of a country that has a 1956 Soviet-style economy. You're not going to make a lot of money. So the Koreans got into smuggling and forging. One of the reasons why the $100 bill looks different is because the North Koreans were able to make a $100 bill that was indistinguishable from the real thing and just pump them out, right? I still think they try and do that.

00:26:22

These North Korean $100 counterfeits were so convincing that they even earned a nickname from law enforcement: supernotes. And in 2013, supernotes actually forced the U.S. Treasury to redesign the $100 bill. That's why you now see that blue 3D security ribbon woven into the paper. But their counterfeits are still legendary.

00:26:47

My name is Adam Meyers, and I am the head of Counter Adversary Operations at CrowdStrike.

00:26:53

Which is my favorite title in the cybersecurity industry. Ah. Welcome, Adam.

00:26:59

I remember hearing stories about a Secret Service agent who had met some North Korean individual in the U.S. who was selling $100 bills for half off. And what the agent did was send it to the Secret Service, and the lab came back and said, these are real. And the agent said, well, then I'm quitting and going into a different line of work, because I'm buying these for 50 cents on the dollar. And the lab looked at it again and said, oh, actually, yeah, these are counterfeit. What that North Korean was doing was taking large amounts of cash, going to Las Vegas, putting it into a slot machine, pulling the handle once. That's effectively how they laundered the counterfeit money, which, you know, you think about it, Vegas doesn't lose money, right? They're not in the business of getting fooled or duped by counterfeits. So the fact that this currency was so real looking that it could bypass all of those countermeasures really spoke to the capabilities of what the North Koreans were able to do from a counterfeit perspective. And as they started looking for alternative revenue sources, they realized that there's things that they can do in order to generate cash that would be less observable.

00:28:16

A lot of the early North Korean activity targeted massive multiplayer online games in South Korea and Japan. So they would go steal things from people in the game and then sell it on the black market for that game. A lot of gaming people probably aren't going to go complain if their stuff got stolen, and even if they do complain, there's not a lot of recourse, right? Because it's not a tangible item, it's gone. So if there was a rare item, they would go steal it and then sell it to generate revenue as well. So there was kind of always this cybercrime edge to what they were doing.

00:28:53

What Adam is describing here is a pattern of innovation. North Korea moved from counterfeiting to low-level virtual video game theft and eventually to hacking.

00:29:04

So smuggling and counterfeiting, those were the big moneymakers before hacking. And in some ways, hacking's taken their place, because hacking, it's safer, it's easier, and it pays as well if not better.

00:29:18

When we talk about Tier 1 cyberpowers, we're usually talking about the US, Israel, China, Russia. North Korea rarely makes the cut. But if you ask the people who track these hackers for a living, they'll tell you it should. Here's Nick Carlson, a former FBI analyst who specialized in North Korean hacking.

00:29:42

The FBI is largely focused on a couple of issues, right? Especially with cyber and national security, that's Russia and China. So yeah, North Korea, it's always this redheaded stepchild that nobody wanted to own, nobody wanted to deal with it. It's this, you know, lackluster target for anybody in the government. Certainly not like a top priority. And these North Korean hackers, they are extremely successful, right? This is, in its heart, it's a tech venture. This is a criminal cyber startup, and these guys are crushing it. They are the best in the world at this. And so it's kind of like a perverse, you know, success story, right, of the talent and skill and creativity of these people.

00:30:17

And it's a tragedy, right, that they're doing this for this awful regime.

00:30:21

In fact, if there's any consistency to North Korea's cyber operations, it's only that they've consistently caught us off guard. When Americans hear North Korea, what comes to mind isn't strategy.

00:30:33

It's spectacle. North Korea flying hundreds of balloons carrying trash and feces toward South Korea Wednesday, calling them, quote, "gifts of sincerity."

00:30:45

A rogue state, a cartoon villain, a madman with missiles and questionable haircuts. What do you actually talk about with,

00:30:51

and I don't mean this insultingly, a madman murderous dictator? This is called Friendly Father.

00:30:57

It's gone viral on TikTok with, I imagine, some oblivious to the Korean lyrics, which include, let's sing Kim Jong-un, the great leader.

00:31:04

The latest satellite images show what looked like volleyball tournaments happening at the new nuclear test site.

00:31:10

And yes, some of that reputation is earned.

00:31:13

North Korea executed its defense chief for sleeping during a meeting and talking back to young leader Kim Jong-un.

00:31:21

Kim Jong-nam was murdered as he was about to board a flight at the Kuala Lumpur airport, reportedly by two women who either sprayed or injected him with poison.

00:31:32

Much of the world believes North Korea ordered the hit on Kim Jong-nam. Half-brother of North Korean Supreme Leader Kim Jong-un.

00:31:40

Here in the States, we like our enemies simple, but North Korea has never been that. Caricature has a cost, and the truth is, while we're laughing, North Korea has been rapidly evolving. In fact, when North Korea sets its sights on a target, rarely does it miss. More often, it sets an example.

00:32:04

A righteous deed, the words of North Korea today over that scandalous hacking at Sony Pictures. North Korea apparently liked it but says it's not behind it. Embarrassing emails and personal documents were made public, millions of dollars lost, and hackers warned of terrorist attacks at movie theaters. Hackers successfully stole $81 million from Bangladesh Central Bank by sending false payment requests to the New York Federal Reserve.

00:32:31

North Korean hackers stole $1.5 billion, with a B, from Bybit, the world's second largest crypto exchange. It happened in just minutes. They have already laundered about $160 million of the stolen loot through accounts linked to North Korean operatives.

00:32:48

The attack targeted Axios, which is a widely used open source software that underpins a large part of the internet's operational infrastructure. The hackers reportedly inserted malicious code into a routine software update for Axios.

00:33:06

Though it gets overlooked, cybercrime is now a core pillar of the North Korean economy. By some estimates, it makes up half the regime's total funding. But it's not steady income. It comes in bursts. Big hacks take time. They require patience, preparation, luck. A regime can't build a budget around a single billion-dollar score. It needs steady funding. And salaried IT workers? That's recurring revenue.

00:33:36

It started off with gig economy jobs. We were paying people to do the work. But the thing that really kicked it into high gear, getting full-time salary jobs, really came with the push towards remote work. And that really exasperated during the pandemic, because we weren't bringing people into offices, we weren't doing in-person interviews, and that created the opportunity for the North Koreans to kind of swoop in and start to take over and start working those jobs. It took a while before people started to figure out what was going on, because they showed up for work. They did the job. They did an adequate job in many cases. A lot of times they just slipped under the radar for many years.

00:34:19

I was like, who the hell would hire a North Korean IT worker? Then I dove into the problem, went, oh crap, we'd hire one.

00:34:28

Here's Kevin Mandia, founder of Mandiant and now my partner at Ballistic Ventures.

00:34:33

We're all doing remote interviews, remote hiring. And they were actually good engineers. That's what they were. And I walked away going, we don't have a good way to stop this problem right now. We really don't. There's thousands of them, you know, and COVID gave them the perfect environment.

00:34:52

And here's Charles Carmakal, Mandiant's chief technology officer.

00:34:59

Honestly, I've yet to find a company that has told me they haven't unintentionally hired a North Korean IT worker, where I felt confident that they actually had great awareness of whether or not they've actually hired them or not. Most of the organizations that I talk to that are Fortune 500 companies say, "We've unintentionally hired a North Korean IT worker. It just, it happened. It slipped through the cracks." Because by the way, people didn't really understand that this was a thing. When I first heard about North Korean IT workers, it sounded far-fetched. It didn't sound like it was something that was really happening. And it took me a few cases before I truly understood how real and how significant and serious this was. There have been a few Fortune 500 organization CISOs that have told me they don't believe that they've hired any North Korean IT workers. My assumption is that they just weren't made aware of it.

00:35:59

One of the reasons this is so easy to miss is because this scam is unlike anything these Fortune 500s have ever dealt with. Here's Steve Stone, Senior Vice President of Threat Intelligence at SentinelOne, another cybersecurity firm.

00:36:15

One of the unique aspects is, I mean, they're scamming because they're representing themselves as somebody else, but they're actually doing the work.

00:36:23

And this is a key fascinating thing that sets the North Korean IT worker scheme apart. You hear employment fraud and you picture someone phoning it in, scooping an undeserved paycheck. But to be clear, that isn't necessarily what's happening here. The North Korean worker scheme isn't about skating by. They're not conning companies out of cash. They're conning companies into paying a sanctioned adversary.

00:36:51

They're not just collecting a paycheck and not going to work. These people become actual employees inside of these very large structures, and it's, it's run like we see a lot of other criminal enterprises.

00:37:04

That last part is key: run like a criminal enterprise.

00:37:09

I think understanding that North Korea is a cyber syndicate and less of an actual government or a nation, then everything will kind of start falling into place.

00:37:20

Meet Barney, the man who's probably tracked North Korean hackers and more recently these IT workers closer than anyone.

00:37:27

My name is Michael Barnhart. My nickname is Barney, and the current role is a nation-state insider threat investigator over at DTEX Systems. I know that what we're talking about here is the IT workers, which by the way, I don't know if any of them told you about the tattoos, but I did finally get that. What is the tattoo? Okay, it's on my foot. So it just says IT workers, but there's something they always say in their resume. They always say they have rich experience. So I put quote unquote rich experience IT workers.

00:37:55

My God, Barney is deeply committed to the North Korean IT workers issue, to put it mildly. He's tracked North Korea's hacking units for years, but it's like whack-a-mole.

00:38:07

I'd say for every IT worker, there's probably 7 personas attached to it. We've seen multiple IT workers in a company, and they're all the same person.

00:38:16

Which makes it nearly impossible to know how many there really are. Each North Korean operates under multiple aliases, applying to as many jobs as possible, sometimes the same ones over and over again.

00:38:30

They'll lose their job, and then they'll come back to the same job. We saw one the very next day. He had combed his hair the other way, different shirt, different background. It was the same guy. "That was just fired the day before."

00:38:41

"Like, we didn't know who you were." He came back to reapply?

00:38:44

Yeah, under a different persona.

00:38:49

Even the largest companies, companies whose security teams resemble nation-state-level intelligence agencies, who insist their vetting is so airtight they could never hire a North Korean operative, are discovering their contractors already have.

00:39:07

I'll go to one of the big names or one of these Fortune 10 companies, they're like, "You don't have anything in our holdings." And I was like, "Okay, now run these same 2,000 email addresses across your contractors," and they light up like a Christmas tree.

00:39:22

Which brings me to Amazon. Late last year, Amazon disclosed that one of its contractors hired a North Korean as an IT systems administrator. Amazon detected the operative not through one indicator, but several. Here's Amazon's Amy Herzog.

00:39:40

I'm Amy Herzog. I am the Chief Information Security Officer for AWS.

00:39:44

What exactly did you see that tipped you off that this worker was not who they purported to be, or contractor in this case?

00:39:51

There's not one indicator or one candidate or one thing that lets you know that you're in this situation. It's more like a pattern that crystallizes over time. We started noticing anomalies. So a work history that didn't line up geographically with other things on a resume, or a degree at a school that didn't offer the major that was listed, or a +1 for a phone number when the candidate's resume was for a US person.

00:40:20

But the dead giveaway was the time lag between whatever this contractor was typing and what Amazon was picking up on their end. It's what's known as keystroke latency.

00:40:31

We were able to use the initial set of indicators to look at things including latency data, which is a really interesting signal, right? When someone is using a VPN from across the world to kind of digitally hide their location, you would expect someone who's connecting directly to corporate systems to have maybe a 10-millisecond-ish round trip time, and this was 10 times higher than that. And so that signal combined with the other signals, combined with the way the person understood their work, the level of depth that they might have, those all added up to, okay, this is a person we need to quickly remove and confirm that they didn't ever have access to something sensitive.

00:41:17

Amazon starts feeding these signals into AI models that were specifically built to weed out employment fraud. Almost immediately, the models light up with hundreds and then 1,800 attempts by North Koreans to secure remote work at Amazon.

00:41:37

One of the real game changers for us was when we leveraged AI to look at these indicators and investigate.

00:41:46

Was there one moment where you're looking at this and you're like, oh my God, this is now approaching the thousands of attempts?

00:41:54

Yeah. When I first heard the 1,800 number, you sort of have a few reactions, right? One, this is not an individual threat actor or an isolated group. This is an organizational-scale effort.

00:42:12

Last year alone, Amazon reported a 27% quarter-over-quarter jump in suspected North Korean applicants. And it believes the models are catching these people before they're onboarded. But the same can't be said for the vast web of staffing firms feeding contractors into corporate America. Which brings me to a man I'll call Cliff. We changed his name and altered his voice so he can freely discuss what he's seen. Cliff runs cybersecurity for one of the largest staffing agencies in the United States. They place everyone from medical staff to aerospace contractors, but their bread and butter is IT staffing. In 2024, Cliff gets word from the FBI. One of his corporate laptops has been seized in an FBI investigation.

00:43:06

We received a note from the FBI saying they had one of our assets in there from a seizure that they did in Arizona.

00:43:15

Asset in this context refers to a corporate laptop.

00:43:19

We were very curious what the seizure was. And so we inquired more and they told us what was going on with North Korea and 100% remote workers. And we started gathering more and more information because we were very curious on why we had somebody involved in this.

00:43:37

The FBI tells them they're holding a call for impacted companies. So Cliff dials in.

I was a little shocked.

00:43:46

I said, "Wow, there are a lot of impacted individuals here," because we were just one. What floored us even more is when they said, "Well, we have a lot of people's names and emails and phone numbers. If you want them, we'll send you over 300 potentials and you can check to see if you have dealt with any of these other individuals. We have a database, as you can imagine." And we compared these 300 names with everybody in our database, and sure enough, we were aware of 11 other ones.

00:44:22

Cliff discovers his firm had placed North Koreans at major American corporations.

00:44:28

Some of those are companies you've probably never heard of, but some of those are Fortune 50.

00:44:34

But they didn't just staff North Koreans at other companies. They'd hired several of them in-house.

00:44:42

This is like the worst of the worst of an insider threat, especially dealing with a nation state that has sanctions against it. And if it's just about money, well, that's bad enough for national security. But if it's deeper than that, we go full scorched earth and check what that person was doing the entire time they were here. You know, look at their access, look at where they had access, go back into the logs and see what were they doing when they were here. Luckily, both of our internals were only here one week.

00:45:17

These workers were acting strangely enough, not wanting to go on camera, that they didn't make it a week. But had it not been for the camera issue, they might still be working there today.

00:45:29

The surprise is, they were doing nothing out of the ordinary. They were acting like a normal employee, just trying to keep that job.

00:45:38

And when you told the client, "We inadvertently staffed a North Korean at your company," were they flabbergasted?

00:45:48

The client didn't hold it against us after learning from the FBI that this has been happening, apparently, for almost 10 years now. And that we are just now becoming aware of it.

00:46:02

10 years. For 10 years, North Korean agents have evaded every HR filter, every background check, every sanction. This didn't start with COVID, but the pandemic definitely made space for the IT worker scheme to spread like, well, a pandemic.

00:46:22

They were getting through not only our onboarding experience, they were also getting through the clients. And the clients often told us that they were very pleased that these individuals interviewed very well. And when they were working, they delivered very well. They were some of their best workers.

00:46:41

Okay, but how does a North Korean slip past the other HR controls at, like, a Fortune 50 or a staffing agency that specializes in this kind of thing?

00:46:51

They always would refuse biometric testing and drug testing, so they would ask to have a fully remote job, no in-person testing, which would require biometric and/or drug. A lot of our clients, and we internally, require background checks, but these individuals are stealing identities, so they're passing background checks through great companies like Sterling, you know, the best of the best. So with a legitimate fake identity that has been stolen, the background checks are actually coming through clean.

00:47:27

So Cliff realizes they're using these stolen identities to get clean background checks and slip past every traditional control. So he goes back and watches the recordings of their interviews to see if he can pick up with the naked human eye what these technical controls missed. And it's then he realizes this threat only becomes obvious when you know what you're looking for. Here's a North Korean captured interviewing for an IT job at Starbucks.

00:47:58

Are you in the Seattle area by any chance? No, I'm living in Louisiana. Yeah, better. Okay. Yes, Louisiana. So, so cold. Cold? Yeah, really? What temperature is it in Louisiana? Uh, now, yeah, uh, let me, let me see. Yeah, it's, it's true. Yeah, it's true. What? It's what, 21 degrees? Yeah, yeah, 21 degrees. I know there's a cold front over in the Midwest area, but I didn't think Louisiana got that cold.

00:48:42

That's crazy. Once Cliff and his team have a better sense of what to look for, they go back to their recruiting database. And that's when it hit them. Those 300 names the FBI flagged, they were just the tip of the iceberg.

00:48:58

I've got a team of folks that scour all the full-stack developers, certain job codes, certain red flags that we know. And unfortunately, we're getting about 25 to 30 a day.

00:49:12

These are new profiles being created in your database?

00:49:16

Correct. These are absolutely DPRK operatives trying to get a remote staffing gig, usually in one of those senior IT roles. We have a database now of almost 12,000 candidates with unique names, unique VoIP phone numbers associated with those. We mark these individuals with "do not use them," and recruiters at times will still want to use them because they claim they fit the bill so well. It's like the perfect candidate. And we have to tell them, "Yeah, I know they are. They, they wrote it that way."

00:49:52

"It's all fake." What's incredible to me is that these North Korean workers were applying to cybersecurity companies.

00:50:01

Here's Steve Stone again.

At SentinelOne, we talk very openly about the level of effort we are seeing in just the first 6 months of 2025. At just our company, we have seen more than 300 personas submit more than 1,000 applications. That's just one company in— that's at SentinelOne. That is just at SentinelOne.

00:50:25

And that's just at one company that knows what to look for. Run the math and the numbers climb fast. A Treasury report found that the regime withholds 90% of each worker's salary. Most of these jobs are six figures. Multiply that across hundreds of workers, thousands of personas, and you start to see the scale of this.

00:50:50

In 2025, CrowdStrike identified 700 instances of remote IT workers getting jobs at organizations. If you estimate a developer getting $150,000 salary, let's say, times 700, you're looking at like $105 million in revenue. And that goes to the weapons program.

00:51:12

But even that figure grossly understates it. Last October, a UN panel released a sweeping report. They tracked IT worker salaries from fake identities and cutouts through the regime and all the way up to the Munitions Industry Department, the heart of North Korea's weapons program. Their estimate? Roughly half a billion dollars a year.

00:51:40

I have to put into perspective that the North Korean economy is the size of like Vermont's economy, and here they are establishing a nuclear weapons program and have created intercontinental ballistic missiles that most nations don't have.

00:51:55

Here's Rob Joyce, who used to run hacking divisions and later cybersecurity for the NSA.

00:52:01

Cyber theft punctures the sanctions. Sanctions assume you can restrict the revenue, and this cyber channel creates revenue that's borderless, deniable, and renewable. They've been able to continue to generate cyber revenues year on year. So I think, uh, North Korea is more dangerous because they're disconnected. Deterrence is harder. What more are you going to heap on me if I'm North Korean? If you sanction me more, I'm already sanctioned. If you name and shame, they may shrug or even see it as a badge of honor. They can behave like a cornered regime, and they've got this digital crowbar that's asymmetric, that they can reach out and whack us with.

00:52:48

If sanctions don't work and deterrence doesn't work, then the only real way to prevent this threat is to study it from the inside out. Which brings me back to NISOS, because last year, after 3 years of tipping off law enforcement and alerting companies to North Korean IT workers in their systems, NISOS came face to face with one at their own company.

My name is Megan, and I have my colleague Ethan here.

00:53:18

Oh yeah, I'm doing great. Ethan.

00:53:20

And at the end of that interview, we all got together and said, "I think one of the North Koreans has interviewed for a job with us." So they hired him.

00:53:32

And what followed? That's next on To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode. And if you like what you hear, rate and review the show. To Catch a Thief is co-produced by me, Nicole Perlroth, and Rubrik in partnership with Pod People, with special thanks to Julia Lee.

Episode description

A new breed of worker is quietly clocking in across the United States. They’re writing code. Managing your passwords. Training the next generation of AI models. They’re gaining trust. And access. 

On paper, they’re the dream hire. Skilled. Low maintenance. Always remote and often affordable. And by most accounts, they’re doing the work. But strange things are happening.

In a new season of To Catch a Thief, host and former lead cybersecurity and digital espionage reporter for The New York Times, Nicole Perlroth, investigates how North Korean agents are infiltrating the global workforce. How did a nuclear-armed regime worm its way onto the payroll of international companies – and why is it so difficult to get them off? 

To Catch a Thief is co-produced by Nicole Perlroth and Rubrik in partnership with Pod People.

To Catch a Thief was written and produced by Nicole Perlroth, along with Khrista Rypl, TJ Raphaël, Rebecca Chaisson and Sam Gebauer. Additional thanks to Allie Pinel, Fendall Fulton, Krissy Clark, Cai Lee, Eunice Park and Aimee Machado. Editing and Sound Design by Erica Huang. Art direction and design by Ben Long, Gareth Strange and Sarah Burley at the John & Jane Agency, and support from John Leestma.