Nicole Perlroth
By 2025, the investigators at NISOS had spent three years smoking North Korean IT workers out of American companies. It becomes something of their calling card. They triaged cases for clients across the Fortune 500 and beyond. But all of that work was done from the outside, at a distance. And for NISOS CEO Ryan LaSalle, that wasn't enough.
Ben Reisenberg
It was probably not even six months before I was at a bar with a CISO. I was like, what if we could get in and infiltrate one of these groups? What if we could be one of them? What if we could interact with one of them to learn more about how they're evolving their techniques? And his point to me was, it's impossible because you're not in the room. They're all in a command center somewhere. They're in China, they're in North Korea.
Nicole Perlroth
Never once had it crossed their minds that a North Korean mole might apply to them. Hi, I'm Nicole Perlroth, and this is To Catch a Thief.
Ben Reisenberg
So after almost three years of doing research and helping clients and tipping law enforcement to the threat of North Korean actors trying to find jobs in US companies, we had some new open roles that we posted for an AI developer. And we got a flood of great resumes coming in.
Nicole Perlroth
Perfect resumes, actually. These candidates flooding in. It was as if their entire career had been built for this one AI security role at NISOS. But one person stood out above the rest, a Joseph based in Palm Beach County, Florida. So NISOS arranged an interview. But the minute he came on screen, something was off.
Megan Jacinto
And the hiring manager came to me and said, Megan, I, like, I don't want to make assumptions, but I don't think this person is who they say they are. Based on some of the issues that happened during the interview, this could potentially be a DPRK candidate. What do you want to do about it?
Nicole Perlroth
While most HR leaders might have flinched, Megan Jacinto, NISOS chief people officer, leaned in. Like many at NISOS, she'd come from the CIA. The chance to engage a North Korean directly was just too good to pass up. So she tells him to run it up the chain.
Ben Reisenberg
That Monday, our CTO brought his interview to us and said, look, I think we've got something here. It feels pretty clear that this person's probably a DPRK North Korean IT worker, just like we've been talking about, just like we've been writing about, just like we've been investigating for a couple years now. And he wants a job with us. I think we could run this as an operation. And we sat around the table and we're like, this is crazy. This is crazy. Like, how are we gonna do this?
Nicole Perlroth
If they really wanted to get inside the brains of a North Korean IT worker, they weren't just going to have to bring him back for another interview. They would have to hire him.
Ben Reisenberg
How do we assemble the right team if we wanted to run an operation? Do we have the technical wherewithal to do it? How are we going to get them a laptop, get them instrumented? How are we going to actually technically pull this off?
Nicole Perlroth
Even if they could solve the technical side, engaging a North Korean risked violating sanctions.
Ben Reisenberg
Our GC was in the room as well. And the question was, how do we do this legally? Can we actually do this in a way that doesn't blow up in our face? And how do we take the steps to really, truly understand this threat group, this very particular fraud and scam, and do it in a way that doesn't come back to bite us in the ass?
Nicole Perlroth
They decided to bring the candidate back for a second interview. But this couldn't feel like a CIA interrogation. They needed to confirm Joe was North Korean without scaring him off.
Ben Reisenberg
We didn't know going into that interview whether we would validate it as North Korean or not. We thought high confidence, it probably was, and if it was, then we would go to the next step. I think generally everyone's nerves were high all through every step of the way. We were anxious about not tipping our hand, not making it feel like we were leading this guy on. We were anxious that we didn't want North Korea to start thinking like, if there are other people watching his interviews, we didn't want them observing our behaviors and trying to figure out who we were, making us a target. There would be a normal interview, but all along the way, we would be trying to figure out the tips and cues, the body language, the signals, and some of the gotcha questions we thought we would use to help understand how this person was trying to misrepresent themselves, and whether we thought that it was a general workplace fraud or something very specific with the IT workers in North Korea.
Nicole Perlroth
NISOS made a point to study North Korea's Zoom interviews like this one.
Defector (Voice Actor)
I really like AI. So these days, actually, AI make a real impact in our real life.
Ben Reisenberg
Do you think there are big security risks with AI?
Defector (Voice Actor)
So of course you.
Nicole Perlroth
They knew all the screening questions that can quickly weed out a North Korean worker like this one that you might have seen because it went viral.
Defector (Voice Actor)
We get like a lot of imposter
Ben Reisenberg
candidates, particularly North Korean. So one of the tests that we do is trying to get them to say something like, Kim Jong Un is a fat, ugly pig. Could you say that for me? Can you say it?
Nicole Perlroth
The interviewer asks him again, but all of a sudden, the candidate's screen conspicuously freezes. There's silence, and then it's clear he's gone.
Chris Wong
Damn.
Ben Reisenberg
He really don't want to say it.
Nicole Perlroth
But for NISOS, the goal here wasn't to scare him off. It was to confirm he was who they suspected and pull him in. So the NISOS team studied these interviews, then choreographed their own. It was decided Megan and Ben Reisenberg would work together. Like Megan, Ben had come from the CIA, too. He was trained to spot foreign operatives. But they would have to give Ben the alias Ethan, since anyone could have traced Ben's CIA background on LinkedIn. Together, they figured out who would say what, when to press, and even laid a few traps.
Nisos Technical Team Member
So we got into the interview. Uh, the person was right on time.
Megan Jacinto
My name is Megan, and I have my colleague Ethan here.
Nisos Technical Team Member
Hey, how's it going?
Megan Jacinto
And he looked very, very young, especially given the amount of experience that he had listed on his resume. So think teenager young. In fact, I thought, gosh, I want his skincare routine if he is supposedly, you know, in his 30s. And so one of the first questions we asked him was where he was from. And he said, Florida. And I said, oh, you know, my dad lives in Florida. And I said, you know, my... They just had a hurricane. You know, Hurricane George. How did you do? How was your house? How is your family? And he really stumbled around that question.
Joseph (North Korean Candidate)
Yeah. How can I say? The winds were strong, and we got a lot of rain, but luckily my place was fine. Some branches down, a bit of cleanup, but no real damage.
Nicole Perlroth
Just one thing. There was no Hurricane George. They'd made it up.
Megan Jacinto
And you could see him kind of looking off on a screen to try to get information about a hurricane and certainly Hurricane George, which there wouldn't have been any information because there was no Hurricane George in 2025. And so that was a really good indicator that he was using, one, a chatbot to answer questions, and two, likely didn't live in Florida.
Nicole Perlroth
It wasn't just the hurricane. Every question, no matter how trivial, was followed by a pause and filler words.
Megan Jacinto
It was a little uncomfortable. And, you know, at first you kind of think, okay, English is the second language for him. So, so he's formulating the translation in his head and then responding. But some of our questions were like, what do you like to do for fun?
Joseph (North Korean Candidate)
Yep. So as I work, I like to keep things pretty simple. So I enjoy exploring new tech on the side, but when I'm not in front of a screen, I like going forward of works, reading and just spending time outside.
Megan Jacinto
And it became apparent that he was listening to an answer.
Nicole Perlroth
Someone or maybe something was feeding him each answer. Megan and Ben moved the conversation to his work experience and asked Joseph to walk them through his portfolio. Then Ben said, you know, while we have you here, we can make it
Nisos Technical Team Member
even easier if you want to share something. Now, if you can just pull up your screen, we can try.
Joseph (North Korean Candidate)
Yep, sure.
Nisos Technical Team Member
Do you want to share your screen and show me a little bit of
Michael Barnhart (Barney)
the work
Joseph (North Korean Candidate)
right now?
Nisos Technical Team Member
Yeah, why not? And he paused and he got visibly started shaking a little bit and started looking around. And then I saw him closing windows on his screen and he said, yeah, yeah, I can share. Just give me a second.
Joseph (North Korean Candidate)
And can I rejoin?
Nisos Technical Team Member
You want to rejoin?
Joseph (North Korean Candidate)
Yeah, yeah, yeah. Thirty seconds.
Megan Jacinto
And he just ended the interview. And we thought, okay, we'll just hang a bit. Hang around a bit to see if he comes back on. Pretty sure he was not coming back on. And sure enough, he did not. We waited a good 15 minutes and he did not return.
Ben Reisenberg
We were all waiting on Slack to see what they said when they were done, but as soon as they got off, the channel was like, and, and, and they're like, no, this is, it's exactly what we thought. And now we need to figure out what to do next.
Nicole Perlroth
This was the intel gathering chance of a lifetime, but it also carried real risk.
Ben Reisenberg
We weren't quite sure how active that cell might be in terms of retribution or in terms of getting upset about what we were doing. The last thing we need as a small business is to break a law and suddenly have to pay fines for OFAC sanctions or something crazy like that. So we need to keep a very clean nose on this stuff.
Nicole Perlroth
But ultimately, everyone agreed they had to try.
Ben Reisenberg
We did call a contact of the FBI that had helped us in some of our other investigations and talked them through what we were planning and helping make sure that the things we were doing on our machines, with our equipment, with our software, weren't running afoul of the law.
Nicole Perlroth
And then they hired him.
Megan Jacinto
So what we decided was to offer him a contracting assignment. So, hey, we have this AI project. We really enjoyed the interview. Sorry you couldn't rejoin. Hope there weren't too many technical difficulties, but we'd like to offer you an upfront retainer if you will work on this project for us. Immediately responded to me.
Nicole Perlroth
Just to be clear, NISOS could never actually pay this retainer, but they knew if they could string him along even just a little longer, they might just get a glimpse into how this guy worked, where else he worked, and if they were lucky, pry open a window into the world's most sealed off regime. So NISOS sends this guy a contract of sorts.
Megan Jacinto
We sent a fake document that contained a canary token.
Nicole Perlroth
That canary token could cut through his VPN to reveal his true whereabouts. Joseph asked that they send his laptop to Florida. Just to be sure it didn't get shipped off from there, Nisos planted a tracker inside the package, which confirmed the machine was in fact in Florida. And last but not least, they laced the laptop with spyware.
Nisos Technical Team Member
We're able to track logins on the network. And also the most important piece was we're able to turn on the camera so we're able to see what's going on around the computer.
Nicole Perlroth
This is where things get wild.
Nisos Technical Team Member
We saw a bunch of other laptops all in the closet with us.
Ben Reisenberg
We were sitting in a walk-in closet. I mean, you could see it was Container Store type of wire shelves in the closet. And you can see our laptop sitting facing the opposite wall with other laptops on another shelf. From an IT perspective, I was very offended because the cables were super messy. Any nerd worth their salt has better cable management than these guys. So that was the first offense.
Nicole Perlroth
So you're seeing a bunch of other laptops and are they literally putting the laptop in with the camera open as it would be on my MacBook right now, or.
Ben Reisenberg
Yeah, it's just sitting open on a shelf.
Nicole Perlroth
But try as they might, NISOS never sees a person come on screen. But on the back end, Nisos could see its laptop and every other laptop connecting back to a hidden mesh of remote tools that allowed operators overseas to control them. Keyboard, mouse, everything. From their employer's perspective, any activity off these Florida laptops looked completely legitimate, when in fact they were all being remote controlled from abroad. As to where exactly, that's where the canary token came in.
Megan Jacinto
And so we were able to see that the IP address pinged somewhere in China.
Ben Reisenberg
In intelligence, you're always thinking about probabilities. Every step of the way, our probability and our certainty about this being a North Korean threat actor kept going up and up and up. That canary token from that first onboarding document, that beacon back from China, was probably the thing that was the most movement to certainty that we had. We're like, nope, this is it. This is not a kid from California. This is definitely a North Korean actor operating out of China trying to get a job at our company. We're sure of it now.
Nicole Perlroth
The moment it all clicked came courtesy of the spyware Nisos had installed on his laptop. It let them see everything he typed.
Megan Jacinto
He Googled, is Florida in North America? So again, if you live in Florida, you probably know that you live in North America. It was questions about, like, what sports are played in the United States. So, you know, a pretty good indicator that this person did not live anywhere in the United States.
Nicole Perlroth
And then came the real break. Joseph logs into his persona's Google account from their laptop.
Nisos Technical Team Member
Without that, we wouldn't have had passwords for all of his accounts. We wouldn't be able to see all the companies he's constantly applying to, how many hundreds of emails he sends out or applications he fills out every single day to get jobs and schedule interviews with companies.
Ben Reisenberg
I think it was hundreds of interviews, several job offers. I think at some point in time he was working four jobs.
Nicole Perlroth
But incredibly, this IT worker had made a rookie mistake. He stored the passwords to all his accounts in Gmail.
Nisos Technical Team Member
We got lucky in that we got email addresses and passwords for Discord, which we in the beginning didn't think that why would they be using Discord for anything? But we decided, let's go see what's on Discord. He might be using it for Discord,
Nicole Perlroth
a chat platform used by a lot of gamers, hardly seemed relevant. Nisos wasn't super interested in whatever video games Joe was playing on the side, but they double clicked anyway. What they found next wasn't downtime. It was a clear view into the complete inner workings of an entire cell.
Nisos Technical Team Member
What we learned is that this network is using Discord to figure out what jobs they're applying to and really coordinate all of their activities across 22 individuals.
Ben Reisenberg
On Discord, the leaderboard is on there. Their rewards and measurements are all on there. They get tracked by activity and outcome, how many jobs they apply to, how many jobs do they get, and actually get measured on a leaderboard. Almost all of his screen was interview confirmations or progress on interviews or feedback on a job offer, or that's what the whole thing was. All job boards from multiple companies, multiple recruiters, multiple freelance sites, and all day long, that's what he spent his life doing.
Nicole Perlroth
This cell tracked their entire operation like a sales dashboard. Every application, every interview, every rejection, every offer letter was posted to this one Discord channel. It also functioned like a group chat. They traded tactics, shared scripts, compared notes.
Ben Reisenberg
We were like, this is crazy. This is next level. This is much bigger than we thought we had. And I think that that was where it started getting really exciting. The amount of Slacks going across our business every day, all night long. Like the new things we were finding, the crazy stories we were seeing. And I still think the funniest thing were the fail channels.
Nicole Perlroth
Every time a North Korean operative got caught, they posted it to a Discord channel labeled Horror so other cell members could learn from their mistakes. A playbook built in real time.
Nisos Technical Team Member
So if they get fired, it says on there, this is the reason that I lost the job. So that way they can keep that from metrics as well. Or if something worked out really well. Here are tips that how you can be better at getting jobs.
Nicole Perlroth
A North Korean IT worker best practices channel.
Nisos Technical Team Member
In essence, yes.
Ben Reisenberg
One of the things I thought was hysterical was every time they got a job and every time they lost a job, the chat would fill up with, pju just got his dream job. And there would be the offer letter from whatever company it was. And then like three days later, there'd be a frowny face. Pju just lost his dream job. And everyone was like, oh, so sorry. It was almost like an automated alert like you'd have in like a Slack bot. And it was just like the way they were sharing their wins and losses that they had every day of what to them was a game and to us is massive fraud.
Nicole Perlroth
As North Korean IT workers became more of a known entity, interviewers started screening for them. The NISOS team could see the confusion that unfurled on Discord with some of these questions.
Nisos Technical Team Member
Yeah, one of the big things that they kept getting caught up early on was when the interviewer asked about what the mascot of the university was. So we had a lot of screenshots of what exactly is a mascot? Why would a university have a mascot? What's the mascot of X University? So that way they can able to answer questions and they warned each other of those things.
Ben Reisenberg
They use a lot of virtual backgrounds. And then every once in a while, somebody else in the same room as them would come through the virtual background and show up on camera. And you could see the interviewer's face being like, what's that? And then the person who came through being like, oh. And then, you know, a shocked face and then run off camera. The screenshots of those things being like, ah, we got outed again.
Nisos Technical Team Member
One of my favorite ones is there was an application where there was a question: Are you from a designated country, like North Korea, Russia, Iran, and Sudan? And the person put yes in the application. And then the HR person followed up and said, I noticed in question eight, you answered yes to this. Was that a mistake? And he screenshotted back that he wrote, yes, mistake. And that was it. And the person said, okay, we're good.
Ben Reisenberg
Like, oops.
Nisos Technical Team Member
Yeah, not even the full sentence. Yes, mistake.
Nicole Perlroth
NISOS starts getting a pretty clear idea of where all these workers are getting jobs in the US, both from the Discord chatter, but also from their laptop camera back in the closet in Florida. They could actually zoom in on the screens of every other laptop in this closet, and on them were their corporate logos.
Ben Reisenberg
We saw four other companies in the same space as us. There was a healthcare company, there was an insurance brokerage company, there was a mortgage company. Some of them were household brands, some of them were not. I started getting on the phone and calling the other companies that were in the same room with us and letting them know that they had been subject to the same kind of scam that we were in the middle of.
Nicole Perlroth
So you call him up and you say, hey, Ryan here from NISOS. Got something for you. Tell me what that conversation sounded like.
Ben Reisenberg
Does this podcast have an explicit rating or do I have to keep my language clean?
Nicole Perlroth
It doesn't have an explicit rating. We enjoy curse words here. On To Catch a Thief, One of
Ben Reisenberg
the heads of security called me and said, this is the worst fucking sales call I've ever received. You better not be extorting me. I was like, whoa, I'm really here to help. Here's what we did, here's what we saw. Here's who the person is. You guys need to do your investigation. And he got real calm. Fast forward four weeks later, he took Ben and I out for a beer, but he didn't appreciate the approach to start. The other companies were a little bit more cautious, but they came back pretty quickly and said, tell me what you're seeing. How are you seeing this? I don't... Like, are you inside our network right now? And so we had to say, no. These are the things we're seeing in this house in Florida. And we can tell from this house who this person is and that they're purporting to work for you. All of them fired their person. Half of them also contacted the FBI to make sure that the FBI knew that their equipment was in the possession of someone that they did not grant possession to.
Nicole Perlroth
On Discord, North Koreans post their job offer letters. As these offer letters pile up, NISOS makes a point to call each company, letting them know a North Korean is on their payroll. It becomes almost routine. But then one conversation stops them cold.
Ben Reisenberg
One of the companies was a placement agency, and when we let them know that one of the folks they placed was in fact one of these folks from this operations network, they blanched because the person they had placed they had placed at a nuclear utility.
Nicole Perlroth
They had placed a North Korean in a US nuclear utility. Now he worked on low level IT systems, but given the sector, this was still extremely concerning.
Ben Reisenberg
They were nervous about what that person could have access to and could do.
Nicole Perlroth
NISOS digs deeper into this one worker's activity in the discord. And what they find significantly raises the stakes.
Ben Reisenberg
Some of these folks would post screenshots from their companies proving that they had jobs. And this particular guy posted a picture of what looked like an industrial control system control panel.
Nicole Perlroth
This is as serious as it gets. An industrial control system panel is the interface to the physical world at a nuclear utility. It can mean the controls that regulate the nuclear reactor, its cooling, safety locks, fail safes, not anything you would ever want in North Korea's hands or anyone's for that matter.
Ben Reisenberg
That elevated the intensity of this quite a bit. We all sat down together to brief the end company on what we learned and how we learned it so they could understand that it was a valid and real true threat. And they also validated the screen was something that did not have access to any true control systems. It was a training screen and they had already fired the guy before we had even notified them. So they felt like the risk was pretty well managed. But from a near miss perspective that was a pretty scary one. It was crazy. I mean it was like people were like, oh crap, let's look at the screen. Oh crap. And they looked at like, okay, it's okay, it's not a live system, it's all fine. It's not, it's not, it's not a real thing. I think to me like the bigger concern is going to be motivated attackers who want to have access and means and who have a real intention and a target employing the same tactics.
Nicole Perlroth
I want to come back to this leaderboard. So there's 22 people, they're on this leaderboard. I assume it's constantly shifting at the top of this leaderboard. How many jobs was number one holding at any one time?
Ben Reisenberg
The leaderboard is much more business focused. It gives you a sense of how professional this thing really is. So the top person who's applied to the most jobs in this cell is 26,688 jobs. That person has also managed to land 5,781 interviews. However, they are not the most effective at getting jobs. A person who has almost 26,000 and 4,600 interviews has 19 jobs, 19 offers. So I don't think they were working them all at the same time. But over the course of the period, this person was probably the most effective at landing jobs through the process. But that's still a really crazy funnel. 27,000 applications for 19 jobs. If my kid who graduated from college is trying to get a job and that's what it takes for him to get a job, I'm terrified.
Nicole Perlroth
And Joe was part of just one cell. Once NISOS tipped off Discord, Discord was able to use the cell's characteristics to unearth much larger cells of North Korean workers on its platform.
Ben Reisenberg
What they learned from our intel was that the way these guys are showing up on their platform is less like a scam network and more like a startup. And so now as they look for the behavioral signals, they're looking at things that look more like small companies than they are criminal rings.
Nicole Perlroth
No one has published a definitive tally of just how many of these discrete cells exist. But the most recent UN report found North Korea is dispatching thousands of workers through coordinated cells across multiple countries, enough to flood job markets.
Nisos Technical Team Member
The most anybody's held was five or six jobs concurrently. Most people only had two to three jobs. And then there's a couple of people that only had one job. What's interesting about it is, though, is that it didn't seem to matter how many jobs they had. Really what the metric was driven by is how many applications did you fill out today? How many interviews did you go on today? That was what every big question was about from leadership. And then the job stuff was just, okay, now you're getting some sort of salary. There was no concern about how much the job paid. So we had seen offer letters come in anywhere from having a very junior job that paid $25,000 a year until very senior jobs which paid 170 and more. And it didn't matter. There was no negotiating for salary. It was just like your job is to apply and get interviews. And if you have a job, that's great.
Nicole Perlroth
Okay, but how are they actually getting any work done?
Nisos Technical Team Member
So if somebody's double booked for something, they coordinate who will do the actual work meeting for them and who's going to do the interview? So it's a platform really designed to facilitate all the work that they could be doing at the same time. And then we did also see them, if somebody had five or six jobs, outsourcing some of the work because it was getting really busy for them.
Nicole Perlroth
And how are they recruiting them?
Nisos Technical Team Member
Through a variety of job boards. Saw them posting, hey, I have a job. I need somebody who's really good at Azure, which is like a programming language. If you have free time, I would love to talk to you about a job you can do for me. So they try to hire people to just do the job for them.
Nicole Perlroth
Occasionally, employers would learn the hard way that not only had they hired a North Korean, they'd unknowingly hired their subcontractor in India, the Philippines, or Nigeria.
Ben Reisenberg
One of the guys had a job in a company. So I called the CEO of the company. I said, hey, this guy is not who they said they are. He goes, yeah, I know. How do you know? Well, because last week he disappeared and I haven't been able to pay him. And then this week, I got a note from a guy in India saying I owe him $10,000 because he had been hired by this other guy to do all his work for him, and he built my entire app, and I didn't even know about it. So there's a cascading supply chain for the person who gets the job to then figure out how he's going to fulfill the work. And they'll go to India, they go to the Philippines, they go to Nigeria, they'll go to other places to backstop the jobs they've got.
Nicole Perlroth
And were all these people above board, as in they're just there for the paycheck? Or did you see them run ransomware or steal corporate data or just try to extort the companies as they go?
Ben Reisenberg
So I will say that some of the smaller companies we were disclosing to were experiencing extortion already. Their North Korean workers had access to all of their code. And so when they would decide to fire them or not pay them, they would hold that code hostage and say, you know, if you don't pay me, I'm going to release it or I'm going to tamper with it. There was some of that going back and forth. It wasn't as sophisticated as a ransomware attack or IP theft. It was just pure, cold extortion.
Nicole Perlroth
Now, North Korea's IT worker cells are siloed from the regime's specialized hacking teams, but more and more we're seeing handoffs between them. This is especially true for those who get jobs with crypto companies. Last year the Justice Department alleged one DPRK worker's access was used to steal nearly a million dollars in crypto from an Atlanta-based blockchain firm. In a second case, North Korea allegedly used workers' access to steal highly sensitive defense secrets from a Southern California defense contractor. And in several instances when American companies tried to fire these workers, they moved to extortion, threatening to leak what they'd taken or tamper with the company's source code unless their employer upped their severance payout. Here's DTEX's Michael Barnhart, aka Barney.
Michael Barnhart (Barney)
We had one extortion attempt that was pretty unique. They'll either ask for, hey, I want my back pay, you fired me on wrong reasons. I want all my back pay, it's due to me. Or they'll say, hey, I have intellectual property of yours. You give me XYZ bitcoin and you know, I'll make this problem go away. Or you'll see something.
Nicole Perlroth
How much bitcoin are they asking for?
Michael Barnhart (Barney)
They used to ask for small amounts. They started getting bigger. At one point I saw five Bitcoin.
Nicole Perlroth
That's more than $300,000 at today's price.
Michael Barnhart (Barney)
I mean they want, they want you to pay it out. So they will try to give an attainable amount. But yeah, and that was also in smaller companies. They were really starting to ask for more money and then hitting like the Fortune 500 companies with this type of activity too. But a third one is that they'll go, if you don't give me my money, my back pay or whatever, I'll either give it to a competitor or I will give it to a more qualified threat actor and let them see what they want to do with it. Basically, you know, with the accesses, the problem was that you ask for one of those things and you might get one of those things. We had one extortion tip that had all three of those demands in the same email. So it was like, I don't know brother, give me a chance. Like damn. We saw one one time try to get access to like the main servers and try to destroy those, but didn't have the right permissions. Sending malware-laden HR documents back to HR after they were terminated. It seemed like it kind of spiked there for a little bit. But it's also visibility. Unless a company is telling you, you're not going to know about it. And a lot of people don't want the embarrassment that they had an IT worker. So a lot of things we'll never know.
Nicole Perlroth
It wasn't until May that I connected with a former North Korean IT worker, now a defector. We were introduced through an NGO, PSCORE, People for Successful Korean Reunification. He said his cell was focused entirely on the paycheck, but the quotas were relentless and rising. He never mentioned extortion, but you can start to see the pressure building. For the safety of this source, we've omitted his name and are using a voice actor to read the messages he shared with us.
Defector (Voice Actor)
The biggest pressure was meeting the required payment quota to superiors. We weren't assigned work. We had to find our own projects, bid on them, develop them, collect payment, and submit earnings. That meant handling everything ourselves, from marketing to execution. If we failed to meet quotas, even sleep and rest could be restricted. If we met them, we could earn higher pay and occasionally get perks like shopping, dining, or supervised outings. Because most clients were in the US and Western Europe, our schedule was flipped. We would usually go to sleep around 4 to 5am and wake up around 11 or noon, then have lunch. Depending on the project, we would either rest for another one to two hours or start work immediately. We worked continuously until dinner, with short breaks after work. From around 9pm, when the US workday begins, we would work straight through until 4 to 5am. We could take short breaks of 30 minutes to an hour, but overall we worked at least 12 hours a day. All computers had monitoring software installed, and a supervisor lived on site with us while continuously observing activity.
Nicole Perlroth
As for the paychecks, most went back to the regime.
Defector (Voice Actor)
We typically earned about $5,000 per month. We personally kept about 15 to 25%, depending on how much we earned. Around 2,000 to 3,000 went to the government, and then the rest was split with local partners or used for expenses.
Nicole Perlroth
Their IT work and their work for the regime could blur.
Ben Reisenberg
There was a post where one of the guys was sharing news from the company that he had gotten a job at, and it was like, pretty big news. They had a major business event that was covered by all the papers, and he was like, hey, it's my company. And he got reminded by his boss, you work for us. That is not your company. You work for us.
Nicole Perlroth
But the defector made clear that compared to what his countrymen are forced to do, this work is as good as it gets.
Defector (Voice Actor)
Earning at that level could support a family in North Korea and even allow you to buy a home in Pyongyang after a few years. After defecting, I felt most guilt toward my family, who could face punishment because of me. Most workers are trying to build a better life, even while being exploited under harsh conditions. Yes, the work is illegal, but the persistence and effort of these workers should be recognized. And most are not simply hackers or spies. They're also victims of forced labor and systematic exploitation.
Nicole Perlroth
The defector rarely questioned the ethics of his work.
Defector (Voice Actor)
I didn't initially think the work was illegal. The pressure to meet quotas was much stronger than any ethical concern. Over time, especially after going abroad, I began to realize that much of what I had been told was false.
Nicole Perlroth
Just like Zhou, this defector had been sent to China.
Defector (Voice Actor)
We had no choice in where we were sent. Living abroad as a North Korean felt like a privilege. Access to money, the Internet, and communication with foreigners. But we were socially isolated, offline. I can't disclose the exact location in China, but we rented a normal Chinese residence where we lived, ate, and worked. The conditions were relatively good, but compared to ordinary Chinese residents, it was cramped. Sleeping areas were especially tight, so we kept personal belongings to a minimum. We mostly ate local food, but sometimes cooked North Korean dishes ourselves, using local ingredients. Grocery shopping was one of the few opportunities to go outside.
Nicole Perlroth
As for how he managed to escape, that was the one thing he wouldn't discuss.
Defector (Voice Actor)
I can't discuss the details. Sensitive, but many people risk their lives to escape, and success rates are below 50%. I was fortunate.
Nicole Perlroth
Like many North Korean IT workers and hackers, this defector was identified young. Others have described the pipeline. Students singled out as early as grade school, funneled into elite technical universities. And those with a talent for hacking are sent to Pyongyang's Automation University, essentially a West Point for hackers, where they're trained to write malware, exploit vulnerabilities, and hack. The best graduates become part of North Korea's elite. In a country where the state assigns your housing, hackers get the best apartments, the best food, and some of the regime's most prized privileges. Then they're forward deployed. Here's Chris Wong, who spent years tracking North Korean hackers and IT workers at the FBI.
Chris Wong
You know, they're probably working 18 hours at least. So it's not like it's short. But at the same time, IT workers are in a privileged position. So compared to the rest of society in North Korea, they're earning more money, they're able to work outside of North Korea, and then their families get more benefits than your average North Korean. So from that perspective, they are in a privileged position.
Nicole Perlroth
Where have you seen them? Laos has come up a number of times. Russia, sometimes Vietnam. Where else have you seen them operate?
Chris Wong
Laos rings a bell. Seen them operate in Africa, I've seen them operate in Dubai. But I would say China and Russia by far are the biggest ones.
Nicole Perlroth
It's critical to understand China's role in aiding North Korea. It's not so much a friendship as it is an uneasy alliance. China backed the north in the Korean War and it's been Pyongyang's lifeline ever since. Just this month, Xi Jinping visited Kim Jong Un on a two day state visit to North Korea.
Black Big Swan (BBS)
Now, the two leaders kept a very busy schedule on Tuesday, paying respects to Chinese soldiers who were killed on the battlefields of the Korean War, then visiting a school and planting a tree there together to mark the two countries' friendship before.
Nicole Perlroth
For years, North Korea's entire Internet access ran through China Unicom. Russia offered up a second line in 2017. But for more than a decade, China controlled the switch. There are 1024 IP addresses in all of North Korea. I think I've got more than that in this room right now.
Ben Reisenberg
Yes, I bet you do.
Megan Jacinto
The U.S. for example, has about 150,000 routes for Internet. South Korea has 17,000. North Korea has four.
Nicole Perlroth
As for China, North Korea forms a critical buffer between itself and South Korea and the tens of thousands of US troops stationed there. As long as Pyongyang holds, the buffer holds. So China props it up because the alternative, a collapse, is far more dangerous. Jim Lewis describes China's relationship with North Korea.
Jim Lewis
Like, the Chinese are the ones who saved the North Koreans in the Korean War by coming and invading. The Chinese make movies about how wonderful they were in Korea, but it's a difficult relationship for them because it's like an unmanageable pet. It's frustrating to the Chinese. I had one experience where I had a Chinese friend who works for the Ministry of State Security. We were having dinner and he actually sort of was really annoyed. He's like, those Koreans, they're uncontrollable. I never expected to begin a lecture on how North Korea is a pain in the neck from MSS, but it is one of China's only allies. So most of the North Korean hacking activity, the cryptocurrency laundering, the hacking schools, the technology they use for hacking, all comes from China.
Nicole Perlroth
China offers something North Korea, fast, reliable Internet, a requirement for North Korea's hacking operations and its remote IT work.
Jim Lewis
They had a restaurant chain for a while that was called Pyongyang, that was in Europe, was in the Middle east, was in other Asian countries, serving North
Defector (Voice Actor)
Korean food and liquor and featuring live music.
Nisos Technical Team Member
The chain offers visitors a rare glimpse into the reclusive nation's culture.
Jim Lewis
You could go work at the restaurant and live like a Westerner, right? What a deal. And you could also hack.
Nicole Perlroth
It wasn't just restaurant chains. North Korea ran hotels abroad, too, AKA the hacker hotels, he said.
Ben Reisenberg
Pyongyang's cyber warfare agency, which goes under the name Bureau 121, is based at a
Nisos Technical Team Member
hotel in northeast China, very close to
Ben Reisenberg
the border with North Korea. And North Korea's nearly 2000 member elite
Nisos Technical Team Member
cyber hacking team are actually trained in China.
Nicole Perlroth
Back in 2014, researchers at HP discovered one of North Korea's elite hacking units was operating out of a hotel in Shenyang, China, the Chilbosan Hotel.
Michael Barnhart (Barney)
They're going to places like China, setting up shop in hotels where there is access to broadband Internet. And that is where law enforcement officials and top administration officials believe they're launching these attacks from.
Nicole Perlroth
In online reviews, Chilbosan Hotel guests praised the warm hospitality, the food. Some even noted the surprisingly strong Internet access. Recently, we've seen more North Korean outposts pop up just over the Chinese border in places like Vietnam and Laos. And when I say just over the border, I'm talking an evening stroll from China. What these countries give Beijing is a bit more distance from its DPRK dependents, but they also offer easier visa access for North Korean operatives.
Michael Barnhart (Barney)
Vietnam was a big one for a while, so it's not like a complete alarm. Like Vietnam, they were able to abuse the restaurant visas there. Basically, you come in on a restaurant visa, but no one will ever check it. So you can stay there for as long as you like.
Nicole Perlroth
In March, both Vietnam and Laos were mentioned in a fresh round of U.S. sanctions. The Treasury sanctioned one North Korean front company for managing IT workers in Boten, Laos, a border town that sits virtually on top of China. They also sanctioned a Vietnamese company and its CEO for allegedly laundering $2.5 million in workers' earnings into crypto and back to Pyongyang and its weapons programs. If their photos are any indication, North Korean IT workers seem to especially enjoy their time in Laos. Not too long ago, security researchers uncovered a cache of their photos on an unsecured Dropbox folder. Inside were photos of these North Korean IT workers living the life, dining out at steakhouses, throwing pool parties at their rental in Laos. They also love Minions. There's photos of them posing with large promotional displays of Minions in Laos. For whatever reason, North Korean IT workers are obsessed with Minions, as in the small, yellow, gibberish-speaking henchmen from Despicable Me. They use Minions in their profile photos. In leaked chats, they greet one another with "hey, Minion" and refer to their boss as Gru. Some say it's just their innocent love of Minions, because who doesn't love Minions? But Ben from Nisos articulated an alternate theory.
Nisos Technical Team Member
The reason it is believed that they use the Minions is because the leader of the Minions is Gru. And as we all know, and this goes back to the question you had earlier is how are they related to Russia and China? GRU is the Russian service. So there's the belief that they're using GRU is the accounts that the Russians are using to kind of show the North Koreans how to do this kind of work. And hence they're using all these Minion characters. And we've seen that they make fun of each other. And when they send GIFs to each other, everything usually has Minions of either clapping or pointing at each other and laughing because a mistake was made. So that's the Minion angle.
Nicole Perlroth
Whether it's a sly nod to the GRU or just their love of Minions, Russia's becoming a growing hub for North Korean IT workers. Some of the photos from their stash show them sitting rapt at taekwondo matches and figure skating events in Russia. Taking in the culture, or at least the COVID. It almost looks like they're on a chaperoned field trip. A consistent presence in these photos is what appears to be their Russian handler. Here's a Poland-based researcher who's been actively tracking these North Korean workers. He's asked to go by his alias, Black Big Swan or BBS, to protect his identity.
Black Big Swan (BBS)
Some of those pictures we have from Russia with DPRK workers, you can see there is definitely a person who is sort of a handler to them.
Nicole Perlroth
Who are they?
Black Big Swan (BBS)
I don't know whether this is like a government agency or just somebody hired from Russia to take care of them. I have no proofs one way or another. But yeah, it's not a North Korean, so they wouldn't try to escape, because obviously some of them could try to escape from North Korea through Russia or other places they are in. So there is definitely a person who is supposed to guard them, and that person is not North Korean.
Nicole Perlroth
There's some evidence that the very best remote IT workers travel as a unit from outpost to outpost. BBS followed one DPRK operative who went by the alias Kasane Takeda, who held 10 jobs simultaneously.
Black Big Swan (BBS)
He was calling himself Kazune Takeda. That was like a Japanese name of his. And that's actually a guy who had 10 jobs in 2025. He was everywhere. I first spotted him in December 2024 and just spent another two or three months constantly discovering his new identity, new job. It was endless. You expect him to maybe have like one or two jobs, but then there's another and another and it never seems to end. He was constantly popping on our radar. We also have a lot of pictures of him outside of the context of his IT work. For some reason, regime was constantly taking selected few IT workers to different events. One of those events was in Russia, Vladivostok, and they were taken ice skating. Because there are certain sports activity IT workers DPRK, I guess it's extremely into. And one of those things is ice skating. And yeah, we have pictures of that guy from one of those ice skating events. And he was also in Laos. He's also in pool party pictures. Like we have a lot on this guy. That was my favorite one. But now he's completely gone.
Nicole Perlroth
The Russia connection is strong and getting stronger.
Jim Lewis
So as we all know, the North Koreans sent troops to Ukraine to help the Russians fight. Didn't do very well, but it was a good lesson for the North Koreans. So the Russian relationship is probably closer now than the relationship with China. North Korea will never escape China. They're right next door. China is the 800 pound gorilla. But the Russians are more likely to be considered friends.
Nicole Perlroth
Russian President Putin travels to North Korea today. The dictatorship of Kim Jong Un is one of the key suppliers of weapons and munitions to Russia after the Ukraine war turned the country into a pariah. It's a budding friendship built on mutual isolation. And for IT workers, Russia is becoming a major outpost that can accommodate their ambitions and scale. Which brings me back to Nisos. If you'll recall, Nisos had hired Joe, the alleged Florida-based AI developer, who was really a North Korean living in China on a contract. But remember, this was all a ruse to infiltrate North Korea's IT network and spy on the spies. They couldn't actually pay Joe. That would be illegal. Which meant their operation had a clock. At some point, he'd realize a paycheck was never coming.
Megan Jacinto
We just really kind of made up excuses. One excuse was I was on vacation and then the hiring manager was on vacation. And then, hey, sorry the project is getting delayed, but we're still very interested in you. We just kind of kept stringing him along till he said, I'm done, you know, no, thank you. I've moved on, you know, to other employment.
Nicole Perlroth
But in that narrow window, they saw something Extraordinary.
Ben Reisenberg
Over the course of the summer, just from June until our operations wrapped up at the end of September, we saw this cell apply to 160,000 jobs in the US.
Nicole Perlroth
One cell, one summer, 160,000 job applications just in the US, which would make this one of the most ambitious workforce infiltration campaigns ever uncovered. And as this picks up, employers say their job portals are getting crushed with illegitimate candidates. And it's not just individual companies, it's platforms like LinkedIn and Upwork who are left to figure out who's North Korean, who's not, who's an American loaning out their identity to a North Korean. It's not just overwhelming, it's creating a job freeze. American job seekers are now competing with a fire hose of fake North Korean perfectly AI-ridden resumes. And all of this is unfolding at precisely the moment AI replaces the first wave of IT workers.
Ben Reisenberg
I met with a company and they were talking about how they had to turn off their external job postings because they couldn't get any legitimate candidates through. It made me think of the kind of cyber attack, a denial of service attack, where companies' websites are flooded with requests from an attacker who essentially brings down the website. No legitimate traffic can get through, no real customers can get through. And that's kind of what these folks are experiencing. But it's with resumes instead of cyber attacks. They're getting flooded by North Korean illegitimate resumes, so much so that legitimate candidates can't get through. It's committing a denial of the service against their recruiting pipeline. The scale of this is overwhelming.
Nicole Perlroth
As for North Korea, it's paying off. North Korea began the 9th Congress of the ruling Workers Party of Korea on Thursday. In his opening address, North Korean leader Kim Jong Un said he is filled with optimism and confidence about the future.
Megan Jacinto
We have made significant accomplishments in overcoming economic stagnation, Kim continued, pointing to what he called progress across multiple sectors of state life.
Nicole Perlroth
In March, the Treasury Department revised its estimates. They said North Korea made $800 million from its remote worker scheme in 2024 alone, far beyond earlier estimates in the mere millions. This exploits how we hire, how we trust, how modern companies actually function. But there's something else. These North Korean IT workers have exposed our part in this, an ugly version of America we don't want to see.
Ben Reisenberg
I think if we go back to what's the big thing that people need to take away here? The first takeaway is there are thousands of people who are trying to rob US companies of payroll. And the second thing is there are hundreds of Americans who are happy to help them.
Nicole Perlroth
Because to pull this off at this scale, North Korea can't do it alone. They need our help. Americans witting or not, willing to do their dirty work. So we have. I haven't been able to find a ton about her on social media. She has a LinkedIn profile with no picture on. Looks like she did have a Facebook profile. And she's young. She's 21. So here we go.
Chris Wong
Hello.
Nicole Perlroth
That's next on To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode, and if you like what you hear, rate and review the show. To Catch a Thief is co-produced by me, Nicole Perlroth, and Rubrik in partnership with Pod People, with special thanks to Julia Lee.
Host: Nicole Perlroth | Date: June 16, 2026
This episode takes listeners into the heart of one of the most audacious North Korean cyber operations uncovered on U.S. soil. Through a real-life tale of digital cat and mouse, Nicole Perlroth and the NISOS security team reveal how a cell of North Korean IT workers infiltrated American companies—sometimes landing in sensitive sectors like nuclear utilities—and coordinated their activity from afar using mundane US addresses. The episode exposes both the operational mechanics of these cyber mercenaries and the systemic weaknesses in American hiring practices that enable such threats.
Through daring technical counter-espionage, NISOS exposed a sophisticated web of North Korean cyber operations exploiting flaws in American hiring systems. The episode paints a vivid picture of the human, technical, and geopolitical dimensions of this threat—culminating in an urgent warning: the digital frontlines have become so porous that even critical infrastructure is at risk, with threats hiding in plain sight among everyday IT applicants. As North Korea cashes in and its network scales up, America’s vulnerability is laid bare, and the next episode promises to look deeply at the “inside help” that makes it all possible.