Threat Vector – The Billion Dollar Hiring Scam Funding North Korea
Podcast: Threat Vector by Palo Alto Networks
Episode Date: February 26, 2026
Host: David Moulton (Senior Director of Thought Leadership, Unit 42)
Guest: Evan Goreaker (Consulting Director—AI & DPRK Cyber Operations Expert)
Episode Overview
This episode dives deep into the massive, covert operations by North Korean IT worker networks that fund the DPRK's regime and weapons programs. Senior threat researcher Evan Goreaker brings frontline insights into:
- The scale, evolution, and tradecraft of North Korean IT worker schemes
- How generative AI supercharges deception tactics and interview deepfakes
- The critical role of insider accomplices and “laptop farmers”
- Why even non-remote and international organizations are at risk
- Evolving strategies for detection and defense
Key Discussion Points & Insights
1. The Scope and Human Impact of the DPRK IT Worker Scheme
(02:35–04:55)
- North Korea has developed a "mechanized operation" to place IT workers around the globe, where the majority of their wages—up to 80%—are funneled back to the regime.
- Many of these individuals are selected based on talent at a young age and coerced into these roles; the cycle is "victim, victim, victim" with the regime as chief beneficiary.
- The scheme's resilience: Despite years of disruption efforts, including by the FBI and security industry, it's "just as successful as ever".
Notable Quote:
"They pass a math test when they're in about middle school age... It's like they're being coerced into this work as well."
— Evan Goreaker (03:52)
2. From Remote to In-Person: A Growing and Sophisticated Threat
(06:41–09:44)
- Initial focus was on remote jobs, but North Korea increasingly exploits contracting surges and hybrid/in-person jobs (e.g., engineering, IT admin) globally.
- Accomplices are paid to physically enter offices, fire up remote sessions, and bypass in-person security measures.
Notable Quote:
“We have seen real instances... you’re surging in talent for engineering work, and, you know, maybe seven out of those ten people could well be North Koreans.”
— Evan Goreaker (07:18)
3. Revenue, Espionage, and the Business Case for Hiring Fraud
(09:44–11:13)
- This operation generates hundreds of millions—when combined with other cybercrime, the total can exceed a billion dollars annually.
- The key is "volume and consistency": thousands of individuals generating small but steady flows of foreign currency.
Notable Quote:
“If you are a global organization, then you probably have North Koreans applying to your jobs—I can almost guarantee it.”
— Evan Goreaker (11:14)
4. Deception Tactics: Deepfakes and Synthetic Identities
(12:49–15:29)
- Use of fake identities is now industrialized: hundreds of synthetic identities complete with resumes and AI-generated headshots.
- Real-time video/audio deepfakes are used to alter appearance and accent during interviews, sometimes even impersonating celebrities.
- Multiple “runs” at a job (reapplying with new identities) are routine.
Notable Quote:
“We’ve noticed on individual North Korean computers... there are spreadsheets for hundreds of different identities that this person is managing.”
— Evan Goreaker (13:32)
5. Defensive Capabilities: Are We Keeping Up?
(15:29–17:36)
- Current commercial hiring systems aren't built to detect these kinds of sophisticated deception at scale.
- Some deepfake detection tools are emerging, but identity verification (validating official IDs) remains one of the most effective countermeasures.
- Programmatic and machine-speed analysis of hiring pipeline metadata is increasingly critical.
Notable Quote:
“This is not a threat that the commercial hiring scheme has ever been equipped to handle.”
— Evan Goreaker (15:35)
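The following sketch shows what programmatic analysis of hiring pipeline metadata can look like for the repeated "runs" under new identities described in section 4. It is an added example, not something presented in the episode; the record fields (phone, payout_acct, src_ip, resume_sha) and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample applicant-tracking records (all values are made up).
APPLICATIONS = [
    {"id": "A1", "name": "Alex Carter", "phone": "555-0101", "payout_acct": "ACCT-1", "src_ip": "198.51.100.7", "resume_sha": "r1"},
    {"id": "A2", "name": "Jordan Lee", "phone": "555-0102", "payout_acct": "ACCT-2", "src_ip": "198.51.100.7", "resume_sha": "r2"},
    {"id": "A3", "name": "Sam Rivera", "phone": "555-0102", "payout_acct": "ACCT-3", "src_ip": "203.0.113.9", "resume_sha": "r3"},
    {"id": "A4", "name": "Priya Nair", "phone": "555-0104", "payout_acct": "ACCT-4", "src_ip": "203.0.113.20", "resume_sha": "r4"},
    {"id": "A5", "name": "Priya Nair", "phone": "555-0104", "payout_acct": "ACCT-4", "src_ip": "203.0.113.21", "resume_sha": "r5"},
]

# Assumed linking attributes: any shared value ties two applications together.
LINK_FIELDS = ("phone", "payout_acct", "src_ip", "resume_sha")

def cluster_applications(apps, fields=LINK_FIELDS):
    """Union-find: applications sharing any link-field value join one cluster."""
    parent = {a["id"]: a["id"] for a in apps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first application id carrying it
    for a in apps:
        for f in fields:
            value = a.get(f)
            if not value:
                continue  # a missing field must never link records
            if (f, value) in first_seen:
                parent[find(a["id"])] = find(first_seen[(f, value)])
            else:
                first_seen[(f, value)] = a["id"]

    clusters = defaultdict(list)
    for a in apps:
        clusters[find(a["id"])].append(a)
    return list(clusters.values())

def flag_identity_reuse(apps, min_identities=2):
    """Return clusters whose linked applications carry different names."""
    findings = []
    for group in cluster_applications(apps):
        names = sorted({a["name"].strip().lower() for a in group})
        if len(names) >= min_identities:
            findings.append({"applications": sorted(a["id"] for a in group), "names": names})
    return findings
```

A1, A2 and A3 are linked transitively (shared source IP, then shared phone) under three names, while the same person reapplying under one name (A4, A5) is not flagged. Shared IPs can come from VPNs or carrier NAT, so a finding is a prompt for HR and SOC review, not proof.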
6. Critical Role of Insider Accomplices (“Laptop Farmers”)
(17:36–20:32)
- The scam can’t function without local accomplices who handle hardware, set up remote access, or act as identity mules.
- Specialized companies and freelancers (especially in South Asia) are paid to conduct interviews, rent identities, or onboard friends into the fraud network.
- The system is resilient: when one facilitator is caught, another quickly steps in.
Notable Quote:
“There are now companies, real companies in South Asia especially, that specialize in showing up to interviews for you...”
— Evan Goreaker (18:52)
7. Extortion and Espionage—The New Wave
(20:32–22:54)
- Beyond wage theft, North Korean IT workers are increasingly engaged in extortion: threatening to leak stolen data/code unless paid after being fired.
- Espionage and theft were always present, but aggressive ransom tactics surged from 2022 and “really accelerated in 2025”.
Notable Quote:
“They do—they really do leak it online... Now they’re being much more aggressive.”
— Evan Goreaker (21:29)
8. Detection and Response: HR/SOC Collaboration
(22:54–26:35)
- Primary detection starts with HR data and the hiring process; effective programs rely on close HR-SOC (security operations center) collaboration.
- Common mistakes after detection: shock, delay, and focusing on the “who” instead of what the insider accessed or stole.
- HR and SOC should focus on cutting off access and analyzing exfiltrated data, rather than initially confirming North Korean origin.
Notable Quote:
“All the primary defenses will come before the person is hired.”
— Evan Goreaker (23:51)
9. AI as Both Attack and Defense Enabler
(26:35–29:21)
- Generative AI helps North Korean operators (and other scammers) scale up—resumes and correspondence are “picture perfect and polished,” with application volumes soaring.
- AI-powered defensive measures are essential: AI can help collate hiring data and flag suspicious patterns, deepfakes, or synthetic identities.
Notable Quote:
“What AI is doing is it’s enabling anyone to sound like an expert... HR teams are unable to keep up with this volume.”
— Evan Goreaker (27:12)
10. Solutions at Scale: The Need for Systems and International Collaboration
(29:21–32:16)
- Individual organizations can’t keep up alone; systemic, cross-industry and international collaboration is necessary.
- Governments and entities like the UN play a critical role, especially in working with banks and financial systems to choke off illicit flows.
- Empowering incident reporting and rapid triage, and building relationships for international info-sharing, are key elements.
Notable Quote:
“A lot of this stuff still starts in the traditional banking system… If you can empower victims to come to you and quickly triage things, I think there’s a better chance that you can stop money from flowing into North Korea.”
— Evan Goreaker (31:00)
11. The Road Ahead—Threat Predictions and the Call to Collaborate
(32:16–34:00)
- Expect an ongoing, accelerated, and more targeted threat as North Korea and others adapt.
- AI’s role will only grow, making HR systems an increasingly vulnerable point.
- Building “the muscle” for proactive, cross-team and cross-border info sharing is crucial for slowing the scam’s pace and impact.
Notable Quote:
“There’s an opportunity for us to just improve our baseline detections, especially in the HR space, because frankly, it’s going to be a space that is increasingly targeted as AI proves out that our hiring model… is just fundamentally vulnerable.”
— Evan Goreaker (33:32)
Actionable Takeaways for Security Pros
- Establish a strong HR-security bridge: HR and SOC collaboration is the most effective source of detection and mitigation.
- Implement robust identity verification: Don’t rely on interviews or resumes alone—validate real, official IDs.
- Be alert for accomplices and “laptop farmers”: Investigate access patterns and remote control activity even for "in-person" staff.
- Monitor for deepfakes and synthetic profiles: Leverage emerging AI tools to check for facial and audio manipulation.
- Share intelligence: Collaborate with peers, governments, and multi-national organizations to track, investigate, and disrupt these networks.
Notable Quotes (with Timestamps)
- “It's like they're being coerced into this work as well... victim, victim, victim, victim. And along the way, there are a few people that profit. But most of all, the people that profit are... the leaders of the North Korean regime.” — Evan Goreaker (03:52)
- “If you are a global organization, then you probably have North Koreans applying to your jobs—I can almost guarantee it.” — Evan Goreaker (11:14)
- “There are now companies, real companies in South Asia especially, that specialize in showing up to interviews for you...” — Evan Goreaker (18:52)
- “They do—they really do leak it online... Now they’re being much more aggressive.” — Evan Goreaker (21:29)
- “What AI is doing is it’s enabling anyone to sound like an expert... HR teams are unable to keep up with this volume.” — Evan Goreaker (27:12)
Essential Timestamps
- 00:24: Call for HR/Security collaboration
- 02:35: Evan’s background and initial radar on DPRK threat
- 06:41: Evolving from remote to in-person/hybrid attacks
- 12:49: AI deepfakes, synthetic identities, detection challenges
- 17:36: Accomplice/facilitator networks (“laptop farmers”)
- 20:32: Extortion and pivot to ransom
- 22:54: HR/SOC detection strategies
- 26:35: The AI arms race—attackers and defenders
- 29:21: International policy/collaboration recommendations
- 32:16: Threat predictions and closing advice
Final Thought
This episode brings a compelling, research-driven call-to-action: The North Korean IT worker scam is now a billion-dollar, global challenge, set to escalate as AI automates both the offense and—potentially—the defense. The front line is not just technical but organizational and international: bridges between HR and SOC, between companies and governments, will be the difference between disruption and unchecked growth.
“Please build that bridge.” — David Moulton (00:24)
