Yotam Gutman

24-12-2025

When Remote Hiring Becomes an Attack Surface: North Korea’s “Remote IT Workers” Tactics 

Remote hiring has become a security boundary. North Korean IT workers exploit stolen identities, VPNs, and laptop farms to gain trusted access, steal data, and extort companies—turning VPN-based remote work into a scalable attack surface.


Remote work didn’t just change how companies hire - it changed what “perimeter” even means. Over the last few years, North Korean remote IT workers used stolen identities, domestic “laptop farms,” remote-access tooling, and VPNs/proxies to blend into Western workforces and quietly turn legitimate access into revenue, data theft, and sometimes extortion. A recent case makes the mechanism painfully clear.

A real case: “the employee” was a front - the access was the prize

On December 4, 2025, the U.S. Department of Justice announced that Minh Phuong Ngoc Vong (Maryland) was sentenced to 15 months for his role in a fraud scheme that helped foreign IT workers pose as U.S. citizens and obtain remote jobs at more than a dozen U.S. companies. According to the DOJ, he conspired with a foreign national living in Shenyang, China (near the North Korean border) and allowed others to use his computer access credentials to do the work and receive payment - including for a role that required U.S. citizenship.

That pattern - someone “in the West” fronts the identity while the real operator works remotely - recurs across many investigations.

What are North Korean remote-IT worker operations?

North Korea fields thousands of IT workers who get hired, unknowingly, by foreign (mostly US and European) companies. The operations serve several purposes:

  • Sanctions evasion and revenue generation: North Korea deploys thousands of skilled IT workers to earn foreign income, much of which is funneled back to the regime in order to bypass sanctions. The U.S. Treasury Department has described the government withholding up to 90% of these wages, generating hundreds of millions of dollars annually for its weapons programs.
  • Operational access: Once hired, workers can obtain access to code, cloud consoles, internal tools, credentials, and sensitive data. Microsoft notes this can enable information theft, extortion, and more. 
  • Escalation after discovery: The FBI has warned that after being discovered, some workers have extorted companies by holding stolen proprietary data/code hostage, and in some cases publicly leaked it. 

This is why “remote hiring” has become a national security and enterprise security issue - not only an HR/compliance concern.

How big is the problem?

  • U.S. authorities have found that between 2020 and 2022 more than 300 U.S. companies across multiple industries (including Fortune 500 firms) unknowingly employed these workers, and the cybersecurity community has continued to detect thousands of North Korean workers since.
  • Security company CrowdStrike said its team investigated 320+ incidents involving North Korean operatives gaining remote employment in the one-year period ending June 30, 2025, and described a 220% year-over-year increase in that activity. 

How the operation typically works 

Operators rely on stolen or borrowed identities, fake resumes, and “legitimizing” online footprints. U.S.-based facilitators may receive employer-issued laptops and then enable remote access so the overseas operator can connect in. In one case, the DOJ described “laptop farms” that hosted victim-company laptops so overseas workers could access them remotely.

Once inside, the risk expands quickly: DPRK IT workers may harvest credentials and session cookies, initiate sessions from non-company devices, and pursue further compromise. They also pursue additional monetization, such as data theft and threats to leak stolen source code unless extortion demands are paid.

VPNs are the enablers of this phenomenon

Official U.S. advisories explicitly call out VPNs as a tactic used to conceal location and reduce scrutiny:

  • The 2022 tri-seal advisory (State/Treasury/FBI) notes DPRK IT workers use VPNs, VPSs, and third‑country IP addresses to appear as though they’re connecting from “inconspicuous locations.”
  • Microsoft similarly reports these operators use VPNs, proxy services, VPS, and remote monitoring/management (RMM) tools to connect into devices housed at facilitator-run laptop farms located in the target country. (Microsoft)

In other words: VPNs aren’t the goal, they’re the camouflage that makes fraudulent hiring and remote access sustainable at scale.
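The two sections above describe three observable shapes: sign-ins arriving through hosting/VPN/VPS networks, session tokens replayed from machines they were never issued to, and one external IP fronting several company laptops for several different employees. The following script is an added example (not the page's or Zeroport's code) that scores constructed sign-in records against those three indicators. The log format, ASN organisation strings, device IDs, RFC 5737 documentation addresses and thresholds are all assumptions made for illustration; in practice the ASN classification would come from an IP-intelligence feed and the records from your identity provider or VPN concentrator.

```python
"""Added example: review remote-access sign-in records for DPRK remote-worker
indicators. Everything here (record format, ASN strings, device IDs,
thresholds) is constructed for illustration and is not a real product schema."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed keyword list. A real deployment would use an IP-intelligence feed
# that classifies ASNs as hosting/VPN/proxy instead of substring matching.
HOSTING_ASN_KEYWORDS = ("HOSTING", "VPS", "VPN", "CLOUD", "PROXY")


@dataclass(frozen=True)
class SignIn:
    ts: str            # ISO timestamp
    user: str          # account name
    src_ip: str        # external IP the session arrived from
    asn_org: str       # ASN organisation for src_ip (from enrichment)
    device_id: str     # managed-device ID presenting the session, or "unmanaged"
    token_device: str  # device the session token was originally issued to


def parse_line(line: str) -> SignIn:
    """Parse one constructed record: ts|user|src_ip|asn_org|device_id|token_device."""
    fields = line.strip().split("|")
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    return SignIn(*fields)


def is_hosting_asn(asn_org: str) -> bool:
    """True when the ASN organisation string looks like a hosting/VPN/VPS provider."""
    upper = asn_org.upper()
    return any(k in upper for k in HOSTING_ASN_KEYWORDS)


def review(lines, corp_egress=frozenset(), farm_users=3, farm_devices=3):
    """Return {indicator: [details]} for the supplied records.

    corp_egress: known office / VPN-concentrator egress IPs, excluded from the
    laptop-farm check because a legitimate office NAT also fronts many devices.
    """
    findings = defaultdict(list)
    users_by_ip = defaultdict(set)
    devices_by_ip = defaultdict(set)

    for line in lines:
        s = parse_line(line)
        # 1. Sign-in arriving from a hosting/VPN/VPS network (location concealment).
        if is_hosting_asn(s.asn_org):
            findings["hosting_asn"].append((s.user, s.src_ip, s.asn_org))
        # 2. Session token presented by a device it was not issued to
        #    (harvested cookie replayed from a non-company machine).
        if s.device_id != s.token_device:
            findings["token_replay"].append(
                (s.user, s.src_ip, f"{s.token_device} -> {s.device_id}"))
        users_by_ip[s.src_ip].add(s.user)
        devices_by_ip[s.src_ip].add(s.device_id)

    # 3. One external IP fronting several managed laptops for several users:
    #    the shape of a facilitator-run laptop farm.
    for ip, users in users_by_ip.items():
        if ip in corp_egress:
            continue
        if len(users) >= farm_users and len(devices_by_ip[ip]) >= farm_devices:
            findings["laptop_farm_shape"].append(
                (ip, sorted(users), sorted(devices_by_ip[ip])))
    return dict(findings)


# Constructed sample records (RFC 5737 documentation addresses, fictitious ASNs).
SAMPLE_LOG = [
    "2025-12-01T09:02:11Z|alice|203.0.113.10|Example Residential ISP|L-0001|L-0001",
    "2025-12-01T09:05:40Z|bob|192.0.2.55|Example VPS Hosting Ltd|L-0002|L-0002",
    "2025-12-01T09:07:03Z|carol|198.51.100.7|Example Residential ISP|L-0003|L-0003",
    "2025-12-01T09:08:19Z|dave|198.51.100.7|Example Residential ISP|L-0004|L-0004",
    "2025-12-01T09:09:52Z|erin|198.51.100.7|Example Residential ISP|L-0005|L-0005",
    "2025-12-01T09:11:30Z|frank|192.0.2.88|Example Cloud Compute|unmanaged|L-0006",
    "2025-12-01T09:12:01Z|grace|203.0.113.200|Example Corp Office NAT|L-0007|L-0007",
    "2025-12-01T09:12:44Z|heidi|203.0.113.200|Example Corp Office NAT|L-0008|L-0008",
    "2025-12-01T09:13:20Z|ivan|203.0.113.200|Example Corp Office NAT|L-0009|L-0009",
]
# Constructed allowlist of known corporate egress addresses.
CORP_EGRESS = frozenset({"203.0.113.200"})

if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG, CORP_EGRESS).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

On the sample data this flags bob and frank for hosting egress, frank for presenting a token issued to L-0006 from an unmanaged device, and 198.51.100.7 for fronting three different employees' laptops, while the office NAT is skipped because it is on the egress allowlist. These are triage signals, not proof: a residential IP with three laptops can also be a shared household, so the hit should drive a device-possession check (call the employee, confirm the asset tag) rather than an automatic lockout.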

What this means for Western companies: remote work “trust” is now a security boundary

The uncomfortable takeaway from these cases is that corporate access is being traded like a commodity, and remote-access workflows (including VPN) are often the bridge that makes it practical. Once attackers hold valid credentials - rented, stolen, or obtained through social engineering - the VPN becomes a trusted tunnel straight into core systems.

Zeroport’s Fantom, a non-IP, hardware-enforced remote access solution, is designed to eliminate this risk: it provides granular control over user sessions, allows no lateral movement, exposes no remote code execution path and no data-exfiltration channel, and removes the risk of stolen-credential VPN bypasses such as US-based laptop farms.

Contact us today to learn more about Fantom Enterprise.
