C (14:23)

Hi, I'm David Moulton, host of the Threat Vector podcast where we break down cybersecurity threats, resilience and the industry trends that matter most. What you're about to hear is a snapshot of my conversation with Evan Gordiker, consulting director at Unit 42, who focuses on AI security and disrupting North Korean state sponsored operations. Here's something that should get your attention. North Korea is running a billion dollar hiring scam and your organization is probably being targeted Right now. Thousands of North Korean Workers are landing legitimate remote jobs at global companies, funneling 80% of their wages directly back to the regime to fund weapons programs. This isn't theoretical. Evans team has caught North Korean operators juggling three or four jobs simultaneously. Armed with hundreds of fake identities, AI generated headshots, and real time deepfake technology that can mask their appearance or even change their accents during video interviews. So before we started the podcast, you and I were talking about how this focus for you with the North Koreans and especially the IT workers was a passion project. Is that time that you spent in Japan something that influences the fact that you decided to assign extra work? You know, in addition to the proactive security consulting that you do with our clients, you also pick this up. It's too important to ignore. What is it that drew to you?

B (16:06)

I think it's a very human threat, that there are humans in the cycle that are affected by this, starting with the North Koreans themselves. These are people that realize they're good at technology. They pass a math test when they're in about middle school age, and if they're good, they get trained up on English, they get trained up on computer science. And to me, it's really fascinating that it's. They're being coerced into this work as well. And there have been some defectors that have talked about this, where there's just this chain of victims that follow straight from the top of the North Korean regime, and then just victim, victim, victim, victim. And along the way, there are a few people that profit, but most of all, the people that profit are the leaders of the North Korean regime. I think it's fascinating how they stack up all of these victims, and yet the program is so successful that even though we've been talking about it for years, even though the FBI has been trying to disrupt it for years, it's still just as successful as ever.

C (17:09)

So you talked about this as something that's been going on for years. I'm curious if you can give us a snapshot of how this has shifted in scope and sophistication over the years. And has generative AI helped accelerate the program? Has it changed it remarkably? You know, just give us a picture of what you're seeing there.

B (17:32)

Yeah, the North Koreans have really made this a mechanized operation insofar as there are people who are dedicated to doing interviews, for instance, who are dedicated to finding accomplices on the ground, who are dedicated to doing the actual job. And they vary in quality. But what you'll find across the whole spectrum here is that they all are very, very reliant on generative AI. And it's getting to a point where they're using it in very clever ways. But from the very beginning, they've been very reliant on using it to write their emails, to write their code to. Now they're using it to do deep fakes. Real time video deep fakes, real time audio deep fakes. Just the other day, there was reports that people are using it to change their accents. The North Korean accent is fairly distinctive. And now they're using it in real time to change their accent. And so I expect this to continue in perpetuity. It's not a vulnerability that is going away, and it's a huge place where money is being made for the regime.

C (18:39)

Evan, DPRK IT worker threat has evolved quite a bit since security community first began talking about it. And we need to talk about how the DPRK IT workers are moving past some old assumptions, embracing new tactics to embed themselves within organizations.

B (18:55)

So when we think about how the DPRK IT worker threat has evolved, we're seeing a focus towards more use of accomplices. They're using accomplices during the interview stage, they're using accomplices during the application stage. They're using accomplices to even get people into offices. So there's this assumption that I come across a lot where it's like, hey, we don't really hire remote workers, so we're safe. And what we found is that that's not necessarily true. For one, the North Koreans love to get in through the contracting angle. And sometimes business is such that you do need to hire like 10 people to work on a front end app because leadership tells you, we want this in two weeks from now. And so often big companies have the muscle to be able to surge in talent. And that's really where they get you, is like you're surging in talent for engineering work. And, you know, maybe seven out of those 10 people could well be North Koreans. We have seen real instances of that exact count. The other thing is they're able to pay people now to go sit in an office and fire up a zoom, give that zoom remote control and just have somebody work on their laptop on someone else's behalf. And what the North Koreans are doing is they're hiring people in the United States and around the world to just go, go into offices and pass verifications. But then once they're there, they're enabling remote access. And that's where the exfiltration happens. That's where some of the wage theft occurs.

C (20:25)

So let's look ahead a little bit. How do you see this IT worker threat evolving in the next few years?

B (20:31)

Yeah, I'd expect more of the same. It's going to be higher pace, it's going to be higher volume. They're going to still go after more jobs now. They'll be going after we've seen them expand out of just remote jobs, for instance, to proliferate into hybrid jobs in person jobs. I'd expect that to continue because for them this is a necessity. They make their money, they're surviving off of this. And for the individuals that are perpetrating the scam, this is they are judged on how much money they're able to bring in and necessarily they will be creative about this. So expect the threat to stick around for a long time and expect it to get more accelerated and more targeted. That doesn't mean that there's nothing to do about it. I think a lot of the collaboration we haven't built the muscle to talk amongst teams, to talk amongst companies, to talk amongst industries, and even to talk amongst countries about this threat. So building that muscle of saying, hey, here are some network indicators that you should watch out for and be able to share that with someone who's able to share it widely in an anonymized context might be really helpful towards preventing one attacker from being able to have six jobs around the country to just keeping them limited to one at a time, for instance, so we can slow down the volume. And really I think there's an opportunity for us to just improve our baseline detections, especially in the HR space because frankly it's going to be a space that is increasingly targeted as AI proves out that our hiring model is in some ways just fundamentally vulnerable.

C (22:24)

If this got your attention, don't wait. Listen to the full episode now in your Threat Vector feed. It's called the Billion Dollar Hiring Scam Funding North Korea and it's live now. Thanks for listening. Stay secure. Goodbye for now.

A (22:52)

Be sure to check out the complete Threat Vector podcast wherever you get your favorite shows. When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com

B (23:50)

foreign.

A (23:55)

Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and vpn, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo@meter.com cyberwire that's M E T E R.com cyberwire. And finally, your car's tire pressure sensors may be keeping tabs on more than your air pressure, researchers have shown. They can also help track your movements. Academics from Spain, Switzerland, and Luxembourg found that tire pressure monitoring systems, now mandatory worldwide, broadcast a unique identifier in plain text. Using five roadside receivers costing about 100 bucks each, the team collected more than 6 million TPMS messages from roughly 20,000 vehicles over 10 weeks. Because the identifier does not change during a tire's lifetime, researchers could match signals to specific cars and infer movement patterns, vehicle type, and even driving behavior. They warn that low cost equipment and unencrypted transmissions make large scale tracking feasible. In theory, attackers could also spoof flat tire alerts to force vehicles to stop turning a safety feature into a surveillance tool. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year. Make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco. Most security Conferences Talk about Zero Trust Zero Trust World puts you inside this is a hands on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in Live Hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert LED sessions, practical case studies and technical deep dives focused on real world implementation. Whether your Blue Team, Red Team or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.