
Loading summary
Nicole Prolorath
A new breed of worker is quietly clocking in across the United States. They're writing code, managing your passwords, training the next generation of AI models. They're gaining trust and access. They've turned up at Fortune 500 companies in entertainment, ag, tech, cybersecurity companies. We found them at defense contractors and U.S. government agencies. One even popped up at a nuclear utility. On paper, they're the dream hire. Skilled, low maintenance, always remote, and often affordable. And by most accounts, they're doing the work. But strange things are happening.
Cliff (Cybersecurity Staffing Agency Executive)
As far back as 2023, we had a couple odd incidents, and we just didn' understand what was happening. The person not wanting to be on
Nicole Prolorath
camera, that person didn't really look right on screen. That person took a lot of time to answer questions. You see them looking off screen where they're using some sort of chatbot to answer questions. Employers are waking up to a deeply unsettling realization. The person they hired is not who they thought they were.
Cliff (Cybersecurity Staffing Agency Executive)
We have an individual that didn't seem to know what they were supposed to know. Person's resumes say they got 15 years as a senior developer, yet the ID shows it must have been 10 years old when he went to college.
Nicole Prolorath
These mystery workers, they're applying by the thousands. They're making it past HR screenings and background checks. And once they're in, they know how we work. In some cases, even better than we do ourselves.
Michael Barnhart (Barney)
Some of these guys are funny. I wouldn't say it's innovative as much as it is how well they understand our system. Like, how do they understand our society so well? They know that HR can't talk to a certain person if they're on med leave, if they're sick. So I've seen an IT worker that started smelling the heat, and they knew that they were coming for him. So he immediately. He went on med leave, and, hey, I'm sick.
Cliff (Cybersecurity Staffing Agency Executive)
Who knows what they're capable of? Nicole, when this first came up, I remember putting my head in my hand and saying this was my worst nightmare.
Nicole Prolorath
By now, you're probably thinking these workers are part of a scam ring or a ransomware crew. And that description is not far off. But zoom out, and a different picture emerges. These workers aren't freelance criminals. They're part of a global labor pipeline. Managed, trained, and deliberately planted by a nation state. And not the usual suspects. Not China, not Russia, though both will make a cameo. The actor behind this operation, it's the one we least expect.
Adam Myers (CrowdStrike)
North Korea. North Korea?
Nicole Prolorath
North Korea employs sophisticated computer hackers trained to launch cyber infiltration and cyber attacks against the rok.
Adam Myers (CrowdStrike)
Kim Jong Un, like his father and his grandfather, has played an extremely weak hand brilliantly. There are people who, like, get out there and say this man's crazy. If so, he is crazy, but a pretty brilliant strategist, a pretty brutal player, and pretty savvy at understanding how small technological edges, nuclear and in cyber, enable him to have the power to reach out at the United States and other enemies.
Nicole Prolorath
I'm Nicole Prolorath, and this is To Catch a Thief. I've spent the past 16 years swimming in cyber threats. For a decade, I was the New York Times lead cyber reporter. I wrote a book, this Is How They Tell Me the World, investigating the ins and outs of the cyber arms market. And now I travel the world educating people about cyber threats and partnering with those determined to solve them. Ask any cyber expert which nation continues to blindside us? And one name keeps coming up. Not because it's the biggest or the most technologically advanced, but because no country punches further above its weight than North Korea. Its hackers have crippled a Hollywood movie studio, taken direct aim at free speech, stolen billions in cryptocurrency, and now they're infiltrating the global workforce at a scale most people have no grasp of, but has quietly become an economic emergency. They've proven remarkably innovative and they're early adopters. North Korea embraced cryptocurrency long before most governments even understood it. And now they're doing the same with AI evolving far beyond the cartoonish caricature we still cling to. Here's Andrew Scott, who spent most of his career inside three letter agencies like the CIA tracking China and North Korean cyber threats from the inside inside government.
Adam Myers (CrowdStrike)
We started looking at the North Korean cyber program as the imagineers of cyber. We discount the level of I hate to use the word but sophistication of the North Korean. We think of them as a hermit kingdom. We think of them as isolated. We think of them as impoverished, when
Nicole Prolorath
in reality, they are incredibly capable.
Adam Myers (CrowdStrike)
And they've spent the time, energy, effort and money into building something that they
Michael Barnhart (Barney)
can use to achieve their aims.
Nicole Prolorath
North Korea has spent decades cleverly evading sanctions through smuggling shell companies and covert trades of coal and weapons for fuel and cash.
Jim Lewis (Former Diplomat)
We continue to see illegal imports of additional refined petroleum using ship to ship transfers, which are clearly prohibited under the UN Resolution.
Adam Myers (CrowdStrike)
We must all be accountable for cutting
Jim Lewis (Former Diplomat)
off North Korea's illegal coal exports, which provide funds that go directly to its WMD programs.
Ben Reisenberg (Nisos Analyst)
The perception that sanctions can bring us
Adam Myers (CrowdStrike)
on Our knees is a pipe dream of the people who are ignorant about us.
Nicole Prolorath
But today, the regime's most powerful sanctions of Asian tools aren't smuggling routes. It's hacking and remote IT work.
Adam Myers (CrowdStrike)
I'll tell you, the most interesting thing
Cliff (Cybersecurity Staffing Agency Executive)
I've ever seen is without a doubt
Nicole Prolorath
the IT worker problem.
Cliff (Cybersecurity Staffing Agency Executive)
Right? This is employment fraud from a state tied to intelligence service.
Nicole Prolorath
That was John Holtquist, chief Analyst at Google Threat Intelligence.
Adam Myers (CrowdStrike)
I remember telling people IT workers in a room and nobody knew what the heck I was talking about. When I talk about IT now, everybody's
Cliff (Cybersecurity Staffing Agency Executive)
already had an experience with it, right?
Nicole Prolorath
To be clear, this is a nuclear armed adversary on our payroll. But this isn't just a story about paycheck fraud, because the insider access they gain, it can be used for something else entirely.
Ryan LaSalle (Nisos CEO)
They are going to turn that insider access from a revenue paid, salaried position into an insider threat position.
Adam Myers (CrowdStrike)
If you're paying them 150k a year
Cliff (Cybersecurity Staffing Agency Executive)
and they see an opportunity to steal
Adam Myers (CrowdStrike)
$2 million, I've seen it happen, they'll do it.
Michael Barnhart (Barney)
Have they ever done it? Yeah, they've done destructive attacks, they've done stuff on the inside. So really what we have now is a worldwide chess game. And they've put all their pieces in place. If push comes to shove, you have thousands and thousands of organizations at your disposal that you can start blowing up from the inside.
Nicole Prolorath
But we're getting ahead of ourselves because the story you're about to hear didn't begin with a million dollar breach or a geopolitical standoff. It began somewhere far more ordinary. Just off the Bellway in Arlington, Virginia, where a single employee acting strangely set off a chain of events no one saw coming.
Ryan LaSalle (Nisos CEO)
Yeah, it's a fascinating story. Back in 2022, we were working a threat investigation for one of our clients.
Nicole Prolorath
Meet Ryan LaSalle, the CEO of Nisos, a company that investigates what it calls human risk. Companies hire NESOs to look into insider threats, usually when they suspect a competitor has planted a mole or on rare occasions, a nation state operative. In this case, a client asked NISOS to take a closer look at a former IT worker, someone who'd left a strange impression on leadership. Nesos won't name the client because of confidentiality agreements, but. But suffice to say, it's one of America's most influential media brands.
Ryan LaSalle (Nisos CEO)
They had a weird sense that something was not right with a person who had just left the company. They were a remote worker. They're seldom on camera. When they are, they're pretty occluded. They're backlit. You can't see them, their performance and their skills not matching their resume, their behaviors seeming kind of antisocial. The disconnect from their team. There was a lot of weird things about the quality of their work, and it gave the head of security a weird tingly sense in the back of his neck. The sense was the person wasn't who they said they were. So we kicked off an investigation and found a lot of strange things.
Nicole Prolorath
Nisos hands the case to one of their best, Ben Reisenberg, an analyst who'd come to the firm from the CIA. Ben asks the client to turn over everything they've got on this one worker.
Ben Reisenberg (Nisos Analyst)
We ask our clients to send us basic phone numbers, email addresses, pictures of the person from meetings. And then we dive in and seeing what's out there about this person in the wild. And we quickly found that the photo of the LinkedIn page for the individual was reused on other people's LinkedIn pages. Different names with the same profile photo, which kind of tipped us off that it is probably somebody who is trying to get jobs. Multiple other companies and claim to have different experiences. So that's sort of the tipping point.
Nicole Prolorath
These LinkedIn Personas with the same photo, they all seem to materialize overnight. Despite lengthy resumes and polished work histories, many of these profiles had only recently been created. And they're self referential, they're connected to one another. Several even list the same colleges and former employers. And those former employers, they don't pass the SNF test either.
Ben Reisenberg (Nisos Analyst)
One company, for instance, claimed to be located in Michigan. When I looked to see what the building was, it used to be a frat house back in the day.
Nicole Prolorath
Nobody lived there, and everyone who claimed to have worked at this fake company in a former Michigan frat house hadn't been on LinkedIn for very long. In fact, until recently, these people had very little digital exhaust at all. By now, if you're a real person living in this most interesting century, there's a 99.99% chance you've been the victim of some kind of data breach. Your information's out there. Your usernames, your passwords, they're all splayed out on the dark web. But these employees, somehow they'd managed to evade every known breach.
Ben Reisenberg (Nisos Analyst)
What breach data really is, is a bunch of email addresses or passwords leaked on the dark web for LinkedIn users, for instance. And if somebody is not appearing in those breaches and leaks, that's usually an indication that something was set up as fake or is Brand new. And none of these people have breach data out there on the email addresses, on their phone numbers, on their names.
Nicole Prolorath
These people seem to come out of thin air.
Ben Reisenberg (Nisos Analyst)
Exactly.
Ryan LaSalle (Nisos CEO)
That is probably one of the most ironic things for most security professionals. That usually gets a laugh. Like, wait, you're telling me that the thing that I spend my life trying to protect against a data breach is one of the number one ways you can tell if someone's real or not because everybody who's real has been impacted. That's correct. We've all gotten those notices from our health insurers, from our retailers, from all the different places that we have lost data. And so if you haven't, then you haven't existed in a digital life.
Nicole Prolorath
But it wasn't just this one worker. Everyone in his network had miraculously managed to avoid every known data breach. And when NESSUS dug into their email addresses, it became clear they weren't looking at an isolated case. They were looking at a system.
Ben Reisenberg (Nisos Analyst)
They all use certain numbers. So we see 0317 in all the email addresses. So it might be Mike Myers. 01317. The next email that we see in the application is Michael Jones. 0317. So there's patterns. They usually use.dev in their email address or.engineer so they know what kind of jobs they're applying to. It makes it easier on the back end to remember all this.
Nicole Prolorath
Once it's clear this worker's online presence had been systematically faked, NISOS shifts its focus to his laptop and its physical location.
Ben Reisenberg (Nisos Analyst)
So once we figured out that there's something going on, that this is an employment scheme, we asked the client, can you send us the shipping address for the laptop? What was really interesting in that case, this is the first time we saw this happening, was that the shipping address was changed right before the laptop was supposed to go out.
Nicole Prolorath
This was a big tell and one that will come up again and again.
Ryan LaSalle (Nisos CEO)
We ask where we can send you a laptop from our company, and you change your address at the very last second. You know, I live in Texas, but my mom is really sick, and so I'm visiting her in Atlanta. Can you send it to her house in Atlanta? It's very understandable to an HR team, be like, of course we want you to be with your mom when she's sick. We'll send you the laptop right there. But it's also a classic redirection, and that's exactly what happened with this one.
Nicole Prolorath
So in this case, the employee had actually told this client he lived in Atlanta. But then at the last minute, he told them his mom was sick and he asked them to ship the laptop to Nashville. So NISOS looks into this address, and what they find was no worker, no one who even looked like the guy the company had interviewed on camera. No sick mother, no one who matched the story at all. Okay, if your privacy hackles are going up right now, it's worth reminding everyone that your corporate laptop is not a personal device. You have no expectation of privacy there. Your location, your emails, and browsing activity, it's all fair game the moment you do anything to trigger a security alert. But I should also mention that these investigators investigations aren't meant to be arbitrary. They're driven by risk signals. Signals that are defined and often constrained by HR and legal frameworks. But, yeah, I've covered cases where these investigations have gone way off the rails. But not here. Because in this case, there were more than enough red flags.
Ben Reisenberg (Nisos Analyst)
There was two individuals who lifted that address who were just finishing their college education. On the social media, we saw that they had congratulate themselves on just finishing the degree. And we noticed that those people were not the person that applied or that even looked like the person that applied. So we determined that there was probably either somebody housing it there or somebody subletting a room or something like that was happening in that regard.
Nicole Prolorath
As NISO starts investigating the traffic from this one laptop, they discover this employee's been using a vpn, a virtual private network, to bounce their Internet connection around the globe. Now, the use of a VPN isn't suspicious. VPNs are common. Often required, they allow employees to securely access corporate systems from anywhere. But this VPN stood out. Astral, an offshore VPN registered in Liechtenstein, one of the few VPNs that reliably evades China's great firewall. Okay, so at this point, are you thinking someone's outsourcing their work to China or that this is some nation state level Chinese spy network?
Ben Reisenberg (Nisos Analyst)
We didn't know if it was nation state focused or not. We just said here all the data points that we have. We do think that there's something that's shady going on, but in the beginning, we had no idea. We just thought it was weird.
Nicole Prolorath
It gets weirder. When they look closer, they realize this wasn't just one connection. The same VPN infrastructure appeared to be routing activity from dozens of laptops tied to dozens of different companies.
Ben Reisenberg (Nisos Analyst)
When we peeled back the onion a little bit more and got more into the network. This individual, for instance, was working for Fortune 500 companies. We found all different sectors. It was across the board. It wasn't just one sort of targeted industry per se. So we had technology, we had social
Ryan LaSalle (Nisos CEO)
media, media companies, healthcare, fintech.
Ben Reisenberg (Nisos Analyst)
And then it just got bigger and bigger to the point where we then were able to figure out IP addresses matched up with what the FBI provided for known VPN addresses for dprk.
Nicole Prolorath
Dprk, the Democratic People's Republic of Korea, shorthand for North Korea. Turns out as NISOS was heads down in its investigation in 2022, they'd missed an urgent government advisory from the FBI, State and Treasury. Earlier that year, the agencies had warned companies that North Korea was dispatching thousands of skilled IT workers overseas to get remote work and generate revenue for the regime. You'd think that advisory would have been big news. But like most cyber threats, it barely registered. Even within the cybersecurity industry, most people missed it. NISOS only found the advisory mid investigation. But when they cross matched their technical findings with the accounts listed in the advisory. Bingo. A match.
Ben Reisenberg (Nisos Analyst)
Oh my God. I cannot believe we tied it to something. That's fantastic. We all jumped around. We're like, this is unbelievable. This is amazing. We need to go back to our client immediately and tell. Because now it's not just an employment scheme. It is something that's way bigger. We said, I think we have a link to North Korea. They got on the phone immediately. So we had a meeting and they said, wow, this is unbelievable. But I think it was shock that this is North Korea. The next question that came was, why are they targeting us? And this is something that we still get asked by clients and prospective clients is why us? Why now?
Nicole Prolorath
And that's the million dollar question. Why are North Koreans taking remote jobs at US companies? Are they stealing trade secrets? Setting footholds for future ransomware attacks or extortion? Or worst case scenario, are these sleeper cells for crippling attacks? The truth is we can't rule anything out. But strangely, most of this comes down to something far the paycheck. And that's because, well, they need the money.
Jim Lewis (Former Diplomat)
The North Koreans will do anything for money, especially hard currency.
Nicole Prolorath
Season one listeners may recognize that last voice as Jim Lewis, former diplomat and veteran thinker on how cyber is reshaping global conflict.
Jim Lewis (Former Diplomat)
We have put every sanction known to man on the dprk largely because of their proliferation related activities, missiles and nukes. North Korea has successfully tested a hydrogen
Adam Myers (CrowdStrike)
bomb, many times more powerful than devices used in previous tests. We are getting more reaction from North Korea regarding those recent UN sanctions Against the regime. The sanctions relief cannot take place until such time as we have demonstrated that
Jim Lewis (Former Diplomat)
North Korea has been completely denuclearized.
Nicole Prolorath
The US has sanctioned North Korea in various forms for over 70 years. But North Korea's first nuclear test in 2006 really sent things into overdrive. Since then, the UN has only tightened the chokehold, hoping to force Pyongyang to give up its nuclear ambitions. Instead, the regime has adapted. The DPRK started inventing new, startlingly innovative ways to bring in cash. Now, for those of us who are completely ignorant to the Korean War, can we ask you to give us kind of a two minute history lesson on the region and how this current dynamic came to be?
Jim Lewis (Former Diplomat)
So everyone, I hope, watches Korean television. And if you don't, you probably listen to K Pop. It's called K Drama. It's great. And they have a lot of historical dramas. The angst for the Koreans is that they had an independent kingdom and it became a Chinese protectorate. And the Japanese invaded Korea and took it over and made it a colony. That was about 1910. It was a very unhappy moment for the Koreans. So you had a Chinese vassal state for a couple centuries. You had a Japanese colony, a very tough Japanese colony.
Nicole Prolorath
During World War II, an estimated 200,000 women, mostly Koreans, were kidnapped and forced to become sex slaves for Japanese troops.
Jim Lewis (Former Diplomat)
And then of course, at the end of World War II, unfortunately, the US drew a map that had a line. Our side and their side. The north held by the Soviets, the South held by the Americans.
Nicole Prolorath
That line, the 38th parallel, was actually drawn in the span of 40 minutes by a couple of exhausted US colonels. Late at night, consulting a National Geographic map. They divided the Korean peninsula into two roughly equal pieces. But this line didn't follow a river or a mountain range or any natural feature. They just indifferently drew it through villages and families. And it was meant to be temporary, but instead it hardened into a permanent fault line, a single line that still dictates everything that came after.
Jim Lewis (Former Diplomat)
And so the current leader's grandfather Kim said, hey, this is my big moment. I always wanted to rule the whole peninsula. And so he invaded. A very messy invasion.
Nicole Prolorath
In June 1950, under the direction of Kim Il Sung, North Korean forces crossed the 38th parallel.
Adam Myers (CrowdStrike)
South Korean villages awoke to a world suddenly filled with noise. And the communists, made full by months of small scale raiding across the 38th parallel, had finally launched their undeclared, all out war of conquest. This attack has made it.
Jim Lewis (Former Diplomat)
We were completely unprepared. And it went back and forth For a few years. Very messy war.
Nicole Prolorath
The war seesawed for three years until it froze unresolved. To this day, the scene is set.
Adam Myers (CrowdStrike)
The formalities remain.
Jim Lewis (Former Diplomat)
A set of documents is signed by General Harrison. The Red delegates watch their representative put
Adam Myers (CrowdStrike)
his signature to the treaty.
Jim Lewis (Former Diplomat)
The armistice is signed and cameras record the moment of history. And finally they ended up with this DMZ demilitarized zone where they're on one side, we're on the other. We still have a big presence in Korea, military presence in Korea. For a long time, Granddaddy Kim was still hopeful that he could become the ruler of Korea. At one point, he even sent a team into South Korea to assassinate the Korean president to take it over. So a complicated history, that's kind of where we are. And it's been stuck ever since. There's actually no peace agreement between the US and Korea. We're still technically at war. There's just a pause while we sort things out. The difference is, of course, is that in 1953, the Soviet style economic model and the Western style economic model seem to be about the same. North Korea might have been even a little richer in the 1950s. And over the intervening 60 years or so, South Korea pulled way ahead. North Korea is still a dump, Soviet style dump. And South Korea's wealthy developed country with some great stuff.
Nicole Prolorath
This is really the crux of it. South Korea surged into a global economic powerhouse. North Korea collapsed inward, isolated, sanctioned, and desperate for cash. And that desperation needed an outlet.
Jim Lewis (Former Diplomat)
Let's say you're the leader of a country that has a 1956 Soviet style economy. You're not going to make a lot of money. So the Koreans got into smuggling and forging. One of the reasons why the $100 bill looks different is because the North Koreans were able to make a hundred dollar bill that was indistinguishable from the real thing and just pumped them out. Right. I still think they try and do that.
Nicole Prolorath
These North Korean hundred dollar counterfeits were so convincing that they even earned a nickname from law enforcement supernotes. And in 2013, supernotes actually forced the US treasury to redesign the $100 bill. That's why you now see that blue 3D security ribbon woven into the paper. But their counterfeits are still legendary.
Adam Myers (CrowdStrike)
My name is Adam Myers and I am the head of counter adversary operations
Nicole Prolorath
at CrowdStrike, which is my favorite title in the cybersecurity industry. Welcome, Adam.
Adam Myers (CrowdStrike)
I remember hearing stories about the Secret Service agent had met some North Korean individual in the US who was selling $100 bills for half off. And the agent did was they sent it to the Secret Service. And the lab came back and said, these are real. And the agent said, well, then I'm quitting and going into a different line of work because I'm buying these for 50 cents on the dollar. And the lab looked at it again and said, oh, actually, yeah, these are counterfeit. What that North Korean was doing was taking large amounts of cash, going to Las Vegas, putting it into a slot machine, pulling the handle once. That's effectively how they laundered the counterfeit money. Which, you know, you think about Vegas doesn't lose money, right? They don't. They're not in the business of getting fooled or duped by counterfeits. So the fact that this currency was so real looking that it could bypass all of those countermeasures really spoke to the capabilities of what the North Koreans were able to do from a counterfeit perspective. And as they started looking for alternative revenue sources, they realized that there's things that they can do in order to generate cash that would be less observable. A lot of the early North Korean activity targeted massive multiplayer online games in South Korea and Japan. So they would go steal things from people in the game and then sell it on the black market for that game. A lot of gaming people probably aren't going to go complain if their stuff got stolen. And even if they do complain, there's not a lot of recourse, right, because it's not a tangible item. It's gone. So if there was a rare item, they would go steal it and then sell it to generate revenue as well. So there was kind of always this cybercrime edge to what they were doing.
Nicole Prolorath
What Adam is describing here is a pattern of innovation. North Korea moved from counterfeiting to low level virtual video game theft and eventually to hacking.
Jim Lewis (Former Diplomat)
So smuggling and counterfeiting, those were the big money makers before hacking. And in some ways, hacking's taken their place because hacking, it's safer, it's easier, and it pays as well as not better.
Nicole Prolorath
When we talk about tier one cyberpowers, we're usually talking about the U.S. israel, China, Russia. North Korea rarely makes the cut. But if you ask the people who track these hackers for a living, they'll tell you it should. Here's Nick Carlson, a former FBI analyst who specialized in North Korean hacking.
Adam Myers (CrowdStrike)
The FBI is largely focused on a
Ryan LaSalle (Nisos CEO)
couple of issues, right?
Adam Myers (CrowdStrike)
Especially with cyber and national security. That's Russia and China. So, yeah, North Korea, it's always this redheaded Stepchild that nobody wanted to own, nobody wanted to deal with it. It's this lackluster target for anybody in the government, certainly not like a top priority. And these North Korean hackers, they are extremely successful, right?
Amy Herzog (Amazon CISO)
This is.
Adam Myers (CrowdStrike)
In its heart, it's a tech venture. This is a criminal cyber startup, and these guys are crushing it. They are the best in the world at this point. And so it's kind of like a perverse success story, right, of the talent and skill and creativity of these people. And it's a tragedy, right, that they're doing this for this awful regime.
Nicole Prolorath
In fact, if there's any consistency to North Korea's cyber operations, it's only that they've consistently caught us off guard. When Americans hear North Korea, what comes to mind isn't strategy, it's spectacle.
Adam Myers (CrowdStrike)
North Korea flying hundreds of balloons carrying trash and feces towards South Korea Wednesday, calling them, quote, gifts of sincerity, a
Nicole Prolorath
rogue state, a cartoon villain, a madman with missiles and questionable haircuts.
Adam Myers (CrowdStrike)
What do you actually talk about with, and I don't mean this insultingly, a madman, murderous dictator.
Nicole Prolorath
This is called Friendly Father. It's gone viral on TikTok with I
Amy Herzog (Amazon CISO)
imagine some oblivious to the Korean lyrics,
Nicole Prolorath
which include let's sing Kim Jong Un, the great leader.
Adam Myers (CrowdStrike)
The latest satellite images show what look like volleyball tournaments happening at the new nuclear test site.
Nicole Prolorath
And yes, some of that reputation is earned.
Adam Myers (CrowdStrike)
North Korea executed its defense chief for sleeping during a meeting and talking back to young leader Kim Jong Un.
Cliff (Cybersecurity Staffing Agency Executive)
Kim Jong Nam was murdered as he
Adam Myers (CrowdStrike)
was about to board a flight at
Cliff (Cybersecurity Staffing Agency Executive)
the Kuala Lumpur airport, reportedly by two women who either sprayed or injected him with poison.
Jim Lewis (Former Diplomat)
Much of the world believes North Korea
Adam Myers (CrowdStrike)
ordered the hit on Kim Jong Nam,
Jim Lewis (Former Diplomat)
half brother of North Korean Supreme Leader Kim Jong Un.
Nicole Prolorath
Here in the States, we like our enemies simple. But North Korea has never been. That caricature has a cost. And the truth is, while we're laughing, North Korea has been rapidly evolving. In fact, when North Korea sets its sights on a target, rarely does it miss. More often, it sets an example, a righteous deed.
Ryan LaSalle (Nisos CEO)
The words of North Korea today over
Adam Myers (CrowdStrike)
that scandalous hacking in Sony Pictures. North Korea apparently liked it, but says it's not behind it. Embarrassing emails and personal documents were made public.
Nicole Prolorath
Millions of dollars lost, and hackers warned
Adam Myers (CrowdStrike)
of terrorist attacks at movie theaters. Hackers successfully stole $81 million from Bangladesh Central bank by sending false payment requests to the New York Federal Reserve.
Nicole Prolorath
North Korean hackers stole 1.5 billion with AB dollars from Bybit, the world's second largest crypto exchange. It happened in just minutes. They have already laundered about 160 million of the stolen loot through accounts linked to North Korean operatives.
Adam Myers (CrowdStrike)
The attack targeted Axios, which is a widely used open source software that underpins a large part of the Internet's operational infrastructure. The hackers reportedly inserted malicious code into a routine software update for Axis,
Nicole Prolorath
though it gets overlooked. Cybercrime is now a core pillar of the North Korean economy. By some estimates, it makes up half the regime's total funding. But it's not steady income. It comes in bursts. Big hacks take time. They require patience, preparation, luck. A regime can't build a budget around a single billion dollar score. It needs steady funding and salaried IT workers. That's recurring revenue.
Adam Myers (CrowdStrike)
It started off with gig economy jobs. We were paying people to do the work. But the thing that really kicked it into high gear, getting full time salaried jobs, really came with the push towards remote work. And that really exasperated during the pandemic because we weren't bringing people into offices, we weren't doing in person interviews. And that created the opportunity for the North Koreans to kind of swoop in and start to take over and start working those jobs. It took a while before people started to figure out what was going on because they showed up for work, they did the job, they did adequate job in many cases. A lot of times they just slipped under the radar for many years. I was like, who the hell would hire a North Korean IT worker? Then I dove into the problem, went, oh crap, we'd hire one.
Nicole Prolorath
Here's Kevin Mandia, founder of Mandiant and now my partner at Ballistic Ventures.
Adam Myers (CrowdStrike)
We're all doing remote interview, remote hiring. And they were actually good engineers. That's what they were. And I walked away going, we don't have a good way to stop this problem right now. We really don't. There's thousands of them, you know, And Covid gave them the perfect environment.
Nicole Prolorath
And here's Charles Carmichael, Mandiant's chief technology officer.
Adam Myers (CrowdStrike)
Honestly, I've yet to find a company that has told me they haven't unintentionally hired a North Korean IT worker. Where I felt confident that they actually had great awareness of whether or not they've actually hired them or not. Most of the organizations that I talk to that are Fortune 500 companies say we've unintentionally hired a North Korean IT worker. It just, it happened. It slipped through the cracks. Because, by the way, people didn't really understand that this was a thing. It was when I first heard about North Korean IT workers. It sounded far fetched. It didn't sound. It didn't sound like it was something that was really happening. And it took me a few cases before I truly understood how real and how significant and serious this was. There have been a few Fortune 500 organization CISOs that have told me they don't believe that they've already North Korean IT workers. My assumption is that they just weren't made aware of it.
Nicole Prolorath
One of the reasons this is so easy to miss is because this scam is unlike anything these Fortune 500s have ever dealt with. Here's Steve Stone, senior vice president of Threat intelligence at Sentinel One, another cybersecurity firm.
Adam Myers (CrowdStrike)
One of the unique aspects is, I mean, they're scamming because they're representing themselves as somebody else, but they're actually doing the work.
Nicole Prolorath
And this is a key, fascinating thing that sets the North Korean IT worker scheme apart. You hear employment fraud and you picture someone phoning it in, scooping an undeserved paycheck. But to be clear, that isn't necessarily what's happening here. The North Korean workers scheme isn't about skating by. They're not conning companies out of cash. They're conning companies into paying a sanctioned adversary.
Adam Myers (CrowdStrike)
They're not just collecting a paycheck and not going to work. These people become actual employees inside of these very large structures. And it's run like we see a lot of other criminal enterprises.
Nicole Prolorath
That last part is key. Run like a criminal enterprise.
Michael Barnhart (Barney)
I think understanding that North Korea is a cyber syndicate and less of an actual government or a nation, then everything will kind of start falling into place.
Nicole Prolorath
Meet Barney, the man who's probably tracked North Korean hackers and more recently, these IT workers, closer than anyone.
Michael Barnhart (Barney)
My name is Michael Barnhart. My nickname is Barney. And the current role is a nation state insider threat investigator over at dtech Systems. I know that what we're talking about here is the IT workers, which, by the way, I don't know if any of them told you about the tattoos, but I did finally get that.
Nicole Prolorath
What is the tattoo?
Michael Barnhart (Barney)
Okay, it's on my foot. So it just says IT workers. But there's something they always say in their resume. They always say they have rich experience. So I put, quote, unquote, rich experience. IT workers.
Nicole Prolorath
My God. Barney is deeply committed to the North Korean IT workers issue, to put it mildly. He's tracked North Korea's hacking units for years. But it's like whack a mole.
Michael Barnhart (Barney)
I'd say for every IT worker there's probably seven Personas attached to it. We've seen multiple IT workers in a company and they're all the same person,
Nicole Prolorath
which makes it nearly impossible to know how many there really are. Each North Korean operates under multiple aliases, applying to as many jobs as possible. Sometimes the same ones over and over again.
Michael Barnhart (Barney)
They'll lose their job and then they'll come back to the same job. We saw one the very next day. He had combed his hair the other way. Different shirt, different background. It was the same guy that was just fired the day before. Like we didn't know who you were.
Nicole Prolorath
He came back to reapply.
Michael Barnhart (Barney)
Yeah, under a different Persona.
Nicole Prolorath
Even the largest companies, companies whose security teams resemble nation state level intelligence agencies who insist their vetting is so airtight they could never hire a North Korean operative, are discovering their contractors already have.
Michael Barnhart (Barney)
I'll go to one of the big names or one of these Fortune 10 companies. They're like, you don't have anything in our holdings. And I was like, okay, now run these same 2000 email addresses across your contractors and they light up like a Christmas tree.
Nicole Prolorath
Which brings me to Amazon. Late last year, Amazon disclosed that one of its contractors hired a North Korean as an IT systems administrator. Amazon detected the operative not through one indicator, but several. Here's Amazon's Amy Herzog.
Amy Herzog (Amazon CISO)
I'm Amy Herzog. I am the Chief Information Security Officer for aws.
Nicole Prolorath
What exactly did you see that tipped you off that this worker was not who they purported to be or contractor in this case.
Amy Herzog (Amazon CISO)
There's not one indicator or one candidate or one thing that lets you know that you're in this situation. Situation. It's more like a pattern that crystallizes over time. We started noticing anomalies. So a work history that didn't line up geographically with other things on a resume or a degree at a school that didn't offer the major that was listed or a plus one for a phone number when the candidate's resume was for a US person.
Nicole Prolorath
But the dead giveaway was the time lag between whatever this contractor was typing and what Amazon was picking up on their end. It's what's known as keystroke latency.
Amy Herzog (Amazon CISO)
We were able to use the initial set of indicators to look at things including latency data, which is a really interesting signal.
Cliff (Cybersecurity Staffing Agency Executive)
Right.
Amy Herzog (Amazon CISO)
When someone is using a VPN from across the world to kind of digitally hide their location, you would expect someone who's connecting directly to corporate systems to have maybe a 10 millisecond ish round trip time. And this was 10 times higher than that. And so that signal combined with the other signals, combined with the way the person understood their work, the level of depth that they might have, those all added up to, okay, this is a person we need to quickly remove and confirm that they didn't ever have access to something sensitive.
Nicole Prolorath
Amazon starts feeding these signals into AI models that were specifically built to weed out employment fraud. Almost immediately, the models light up with Hundreds and then 1800 attempts by North Koreans to secure remote work. At Amazon, one of the real game
Amy Herzog (Amazon CISO)
changers for us was when we leveraged AI to look at these indicators and investigate.
Nicole Prolorath
Was there one moment where you're looking at this and you're like, oh my God, this is now approaching the thousands of attempts?
Amy Herzog (Amazon CISO)
Yeah. When I first heard the 1800 number, you sort of have a few reactions, right? One, this is not an individual threat actor or a isolated group. This is an organizational scale effort.
Nicole Prolorath
Last year alone, Amazon reported a 27% quarter over quarter jump in suspected North Korean applicants. And it believes the models are catching these people before they're onboarded. But the same can't be said for the vast web of staffing firms feeding contractors into corporate America. Which brings me to a man I'll call Cliff. We changed his name and altered his voice so he can freely discuss what he's seen. Cliff runs cybersecurity for one of the largest staffing agencies in the United States. They place everyone from medical staff to aerospace contractors. But their bread and butter is IT staffing? In 2024, Cliff gets word from the FBI. One of his corporate laptops has been seized in an FBI investigation.
Cliff (Cybersecurity Staffing Agency Executive)
We received a note from the FBI saying they had one of our assets in there from a seizure that they did in Arizona.
Nicole Prolorath
Asset in this context refers to a corporate laptop.
Cliff (Cybersecurity Staffing Agency Executive)
We were very curious what the seizure was, and so we inquired more and they told us what was going on with North Korea and 100% remote workers. And we started gathering more and more information because we were very curious on why we had somebody involved in this.
Nicole Prolorath
The FBI tells them they're holding a call for impacted companies. So Cliff dials in.
Cliff (Cybersecurity Staffing Agency Executive)
I was a little shocked. I said, well, there are a lot of impacted individuals here because we were just one. What floored us even more is when they said, well, we have a lot of people's names and emails and phone numbers if you want them. We'll send you over 300 potentials and you can check to see if you have dealt with any of these other individuals. We have a database as you can Imagine. And we compared these 300 names with everybody in our database, and sure enough, we were aware of 11 other ones.
Nicole Prolorath
Cliff discovers his firm had placed North Koreans at major American corporations.
Cliff (Cybersecurity Staffing Agency Executive)
Some of those are companies you probably never heard of, but some of those are 14, 50.
Nicole Prolorath
But they didn't just staff North Koreans at other companies. They'd hired several of them in house.
Cliff (Cybersecurity Staffing Agency Executive)
This is like the worst of the worst of an insider threat, especially dealing with a nation state that has sanctions against it. And if it's just about money, well, that's bad enough for national security. But if it's deeper than that, we go full scorched earth and check what that person was doing the entire time they were here. You know, look at their access, look at where they had access. Go back into the logs and see what were they doing when they were here. Luckily, both of our internals were only here one week.
Nicole Prolorath
These workers were acting, strangely enough, not wanting to go on camera that they didn't make it a week. But had it not been for the camera issue, they might still be working there today.
Cliff (Cybersecurity Staffing Agency Executive)
The surprises. They were doing nothing out of the ordinary. They were acting like a normal employee, just trying to keep that job.
Nicole Prolorath
And when he told the client, we inadvertently staffed a North Korean at your company, were they flabbergasted?
Cliff (Cybersecurity Staffing Agency Executive)
The client didn't hold it against us. After learning from the FBI that this has been happening apparently for almost 10 years now, and that we are just now becoming aware of it.
Nicole Prolorath
10 years. For 10 years, North Korean agents have evaded every HR filter, every background check, every sanction. This didn't start with COVID but the pandemic definitely made space for the IT worker scheme to spread like, well, a pandemic.
Cliff (Cybersecurity Staffing Agency Executive)
They were getting through not only our onboarding experience, they were also getting through the clients. And the clients often told us that they were very pleased that these individuals interviewed very well, and when they were working, they delivered very well. They were some of their best workers.
Nicole Prolorath
Okay, but how does a North Korean slip past the other HR controls at, like, a Fortune 50 or a staffing agency that specializes.
Ben Reisenberg (Nisos Analyst)
And this kind of thing, they always
Cliff (Cybersecurity Staffing Agency Executive)
would refuse biometric testing and drug testing. So they would ask to have a fully remote job. No, in person testing, which would require biometric and or drug. A lot of our clients, and we internally require background checks, but these individuals are stealing identities, so they're passing background checks through great companies like Starling. You know, the best. The best. So with a legitimate fake identity that has been stolen, the background checks are actually coming through. Plain.
Nicole Prolorath
So Cliff realizes they're using these stolen identities to get clean background checks and slip past every traditional control. So he goes back and watches the recordings of their interviews to see if he can pick up with the naked human eye with these technical controls missed. And it's then he realizes this threat only becomes obvious when you know what you're looking for. Here's a North Korean captured interviewing for an IT job at Starbucks.
Ryan LaSalle (Nisos CEO)
Are you in the Seattle area by any chance?
Adam Myers (CrowdStrike)
No, I'm living in Louisiana. Yeah.
Michael Barnhart (Barney)
Petrology.
Adam Myers (CrowdStrike)
Okay. Yes.
Ryan LaSalle (Nisos CEO)
How's Louisiana?
Ben Reisenberg (Nisos Analyst)
So.
Nicole Prolorath
So called cold.
Adam Myers (CrowdStrike)
Yeah. Really? What. What temperature is it in Louisiana? No. Yeah.
Nicole Prolorath
Let me.
Adam Myers (CrowdStrike)
Let me see.
Nicole Prolorath
Yeah, it's.
Adam Myers (CrowdStrike)
It's 12. It's what, 21 degrees? Yeah, yeah, 21 degrees. I know there's a cold front over in the Midwest area, but I didn't think Louisiana got that cold.
Ryan LaSalle (Nisos CEO)
That's crazy.
Nicole Prolorath
Once Cliff and his team have a better sense of what to look for, they go back to their recruiting database. And that's when it hit them. Those 300 names the FBI flagged, they were just the tip of the iceberg.
Cliff (Cybersecurity Staffing Agency Executive)
I've got a team of folks that scourge all the full stack. Developers, certain job codes, certain red flags that we know. And unfortunately, we're getting about 25 to 30 a day.
Nicole Prolorath
These are new profiles being created in your database, correct?
Cliff (Cybersecurity Staffing Agency Executive)
These are absolutely DPRK operatives trying to get a remote staffing gig, usually in one of those senior IT roles. We have a database now, almost 12,000 candidates with unique names, unique VoIP phone numbers associated with those. We mark these individuals with do not use them. And recruiters at times will still want to use them because they claim they fit the bill so well. It's like the perfect candidate. And we have to tell them, yeah, I know they are. They. They wrote it that way. It's all fake.
Nicole Prolorath
What's incredible to me is that these North Korean workers were applying to cybersecurity companies. Here's Steve Stone again at sentinel 1.
Adam Myers (CrowdStrike)
We talk very openly about the level of effort we are seeing in just the first six months of 2025, at just our company. We have seen more than 300 Personas submit more than a thousand applications. That's just one company in two.
Nicole Prolorath
That's at Sentinel One.
Adam Myers (CrowdStrike)
That is just at Sentinel One.
Nicole Prolorath
And that's just at one company that knows what to look for. Run the math, and the numbers climb fast. A Treasury report found that the regime withholds 90% of each worker's salary. Most of these jobs are six figures. Multiply that across hundreds of workers, thousands of Personas, and you start to see the scale of this.
Adam Myers (CrowdStrike)
In 2025, CrowdStrike identified 700 instances of remote IT workers getting jobs at organizations. If you estimate a developer getting $150,000 salary, let's say times 700, you're looking at like $105 million in revenue. And that goes to the weapons program.
Nicole Prolorath
But even that figure grossly understates it. Last October, a UN panel released a sweeping report. They tracked IT worker salaries from fake identities and cutouts through the regime and all the way up to the munitions industry department, the heart of North Korea's weapons program. Their estimate, roughly half a billion dollars a year.
Ryan LaSalle (Nisos CEO)
I have to put into perspective that the North Korean economy is the size of like, Vermont's economy. And here they are establishing a nuclear weapons program and have created intercontinental ballistic missiles that most nations don't have.
Nicole Prolorath
Here is Rob Joyce, who used to run hacking divisions and later cybersecurity for the nsa.
Ryan LaSalle (Nisos CEO)
Cyber theft punctures the sanctions. Sanctions assume you can restrict the revenue. And this cyber channel creates revenue that's borderless, deniable, and renewable. They've been able to continue to generate cyber revenues year on year. So I think North Korea is more dangerous because they're disconnected. Deterrence is harder. What more are you going to heap on me if I'm North Korean? If you sanction me more, I'm already sanctioned. If you name and shame, they may shrug or even see it as a badge of honor. They can behave like a cornered regime and they've got this digital crowbar that's asymmetric. They can reach out and whack us with.
Nicole Prolorath
If sanctions don't work and deterrence doesn't work, then the only real way to prevent this threat is to study it from the inside out. Which brings me back to nisos because last year, after three years of tipping off law enforcement and alerting companies to North Korean IT workers and their systems, Misos came face to face with one at their own company. My name is Megan and I have
Ben Reisenberg (Nisos Analyst)
my colleague Ethan here.
Michael Barnhart (Barney)
Oh yeah, I'm doing great, Ethan.
Ryan LaSalle (Nisos CEO)
And at the end of that interview, we all got together and said, I think one of the North Koreans has interviewed for a job with us.
Nicole Prolorath
So they hired him. And what followed? That's next on To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode. And if you like what you hear, rate and review the show. To Catch a Thief is co produced by me, Nicole Prolorath, and rubric in partnership with Pod People, with special thanks to Julia Lee.
To Catch a Thief: China’s Rise to Cyber Supremacy
Episode: “Strange Things Are Happening”
Host: Nicole Perlroth
Release Date: June 9, 2026
In this gripping episode of “To Catch a Thief,” host Nicole Perlroth explores the previously untold reality of an unprecedented cyber threat: thousands of North Korean operatives quietly infiltrating the American workforce—particularly in IT and cybersecurity roles. Perlroth interviews victims, investigators, and defenders, unraveling how remote work, pandemic hiring, and clever employment fraud enabled North Korea to bypass sanctions, plunder data, and funnel hundreds of millions of dollars annually into its weapons program. The episode highlights not just the technical and operational means, but the larger economic and geopolitical motives—and the extraordinary scale of the threat.
Remote Workforce Infiltration
Nicole Perlroth introduces “a new breed of worker” who blends seamlessly into the American corporate landscape—skilled, remote, affordable, and, as it turns out, often North Korean operatives.
“They're gaining trust and access... But strange things are happening.” (00:02)
Detection of Anomalies and Early Red Flags
Odd behavior raises suspicions—applicants avoiding cameras, resumes that don’t match reality, long answer times suggestive of chatbot support, and palpable unease among employers.
“The person didn’t really look right on screen... took a lot of time to answer questions.” (01:01 – Nicole Perlroth)
“We have an individual that didn’t seem to know what they were supposed to know. Person’s resume say[s] they got 15 years as a senior developer, yet the ID shows it must have been 10 years old when he went to college.” (01:27 – Cliff, Staffing Exec)
State-Sponsored Deception
Perlroth and guests reveal that this is not ad-hoc criminality, but a “global labor pipeline... managed, trained, and deliberately planted by a nation state”—most surprisingly, North Korea, not China or Russia (03:11).
“This is my worst nightmare.” (02:19 – Cliff, Staffing Exec)
Motivation and Capability
Adam Myers (CrowdStrike) emphasizes North Korea’s brilliance at “playing a weak hand” through technological edges, such as cyber and nuclear capabilities (03:18).
“Kim Jong Un... has played an extremely weak hand brilliantly... [he’s] a pretty brutal player, and pretty savvy at understanding how small technological edges... enable him to have the power to reach out at the United States.” (03:18 – Adam Myers)
Financial Imperative
The core reason: revenue for an isolated, heavily sanctioned regime.
“The North Koreans will do anything for money, especially hard currency.” (20:05 – Jim Lewis, Former Diplomat)
The Investigation Begins
Perlroth recounts a Nisos case from 2022: a strange remote IT worker at a major U.S. media company becomes the trigger for an in-depth probe.
“They had a weird sense that something was not right... The sense was the person wasn’t who they said they were.” (09:40 – Ryan LaSalle, Nisos CEO)
Analytical Red Flags
“If you haven’t, then you haven’t existed in a digital life.” (12:42 – Ryan LaSalle)
Technical Traces
“It is something that’s way bigger. We said, I think we have a link to North Korea.” (18:56 – Ben Reisenberg, Nisos Analyst)
The Recurring Revenue Model
North Korea’s aim is “steady funding and salaried IT workers—recurring revenue.” (33:05)
Insider Risk
Once inside, North Korean operatives can exploit insider access for future attacks, extortion, or destructive operations.
“If push comes to shove, you have thousands and thousands of organizations at your disposal that you can start blowing up from the inside.” (08:05 – Michael Barnhart “Barney”)
Why North Korea Must Innovate
Jim Lewis guides listeners through a fast-paced history of the Korean peninsula, showing how North Korea’s economic stagnation forced it into “smuggling and forging” (25:55), including “supernotes” ($100 bill counterfeits) and now cyber operations as a financial lifeline.
Techniques Evolve Early North Korean cyber forays included in-game thefts in online video games and quickly graduated to complex hacking and fraud (28:54).
How They Evade Detection
“For every IT worker there’s probably seven personas attached.” (38:07 – Barney)
Corporate Realization and Discovery
Sample Detection Story
“When someone is using a VPN from across the world to kind of digitally hide their location... this was 10 times higher than that.” (40:20 – Amy Herzog)
Enormous Scale
The Sanctions Paradox
Sanctions have incentivized North Korea to evolve ever more sophisticated, deniable, and renewable revenue streams through cyber operations.
“Cyber theft punctures the sanctions... this cyber channel creates revenue that’s borderless, deniable, and renewable.” (52:01 – Rob Joyce, former NSA)
Detection as Prevention
With deterrence and sanctions ineffective, Perlroth and guests argue the best defense is to deeply understand these threats and study them from the inside.
“This is employment fraud from a state tied to intelligence service.”
(07:05 – Cliff, Staffing Exec)
“To be clear, this is a nuclear armed adversary on our payroll.”
(07:31 – Nicole Perlroth)
“Have they ever done it? Yeah, they’ve done destructive attacks, they’ve done stuff on the inside. So really what we have now is a worldwide chess game. And they've put all their pieces in place.”
(08:05 – Michael Barnhart “Barney”)
“If you haven’t, then you haven’t existed in a digital life.”
(12:42 – Ryan LaSalle, Nisos CEO)
“The North Koreans will do anything for money, especially hard currency.”
(20:05 – Jim Lewis, Former Diplomat)
“You don’t have anything in our holdings. And I was like, okay, now run these same 2000 email addresses across your contractors and they light up like a Christmas tree.”
(39:07 – Michael Barnhart "Barney")
“At just our company ... more than 300 Personas submit more than a thousand applications. That’s just one company in two [quarters].”
(50:03 – Steve Stone, SentinelOne)
“They can behave like a cornered regime and they’ve got this digital crowbar that’s asymmetric. They can reach out and whack us with.”
(52:01 – Rob Joyce, former NSA)
This episode pulls back the curtain on one of the most underreported but dire threats in cyberspace. Through real investigative accounts and expert testimony, Nicole Perlroth and her guests reveal how North Korea has weaponized Western employment and digital infrastructure, not solely as a means of espionage or mayhem, but as a primary lifeline to prop up its embattled regime. The threat is subtle, persistent, and difficult to root out—an unsettling new reality for corporate America and the global economy.