North Korean hackers are reportedly posing as remote IT workers for more companies. Cybersecurity experts have warned that the scheme, previously identified in the United States, is now affecting companies in Europe.

The issue earlier drew attention in the US after an incident involving Amazon. In December 2025, the e-commerce giant’s chief security officer, Stephen Schmidt, said that keystroke data indicated a contractor hired as an IT worker was likely operating from overseas rather than the US. The delay in command signals reaching Amazon’s Seattle systems suggested the person was “half a world away,” highlighting concerns that such workers may be using remote jobs to fund the Democratic People’s Republic of Korea.

Researchers have claimed that operatives linked to the North Korean government are using online identities and AI tools to obtain remote IT jobs at companies outside the country. According to a Financial Times report, cybersecurity researchers now say the activity is emerging in Europe as well. Jamie Collier from the Google Threat Intelligence Group told FT that investigators have identified signs of the practice spreading to the region, including “laptop farms” being set up in the United Kingdom to support the operation.

Meanwhile, figures from the US Department of Justice show that workers infiltrated more than 300 US companies between 2020 and 2024, generating at least $6.8 million for North Korea.
What the cybersecurity researchers said about Europe’s North Korean IT workers’ problem
In a statement to FT, Collier said, “Recruitment has not naturally been seen as a security issue, so it’s an area of weakness in companies’ systems and these operatives are targeting that vulnerability. When we had to tell a client that one of their workers was actually a fake North Korean operative, the feedback was ‘are you 100 per cent sure, because he’s one of our best employees’.”

According to investigators, the scheme often begins with identity theft. Fraudsters may take control of inactive LinkedIn accounts or pay account holders for access. They then create false CVs and identity documents while coordinating with other operatives to provide endorsements on the platform. AI tools are also used to generate digital avatars, masks, and deepfake filters during remote job interviews.

Alex Laurie of Ping Identity said AI has increased the credibility of such applicants. “By using large language models, operatives can generate culturally appropriate names and matching email address formats, ensuring that their communications do not trigger linguistic or cultural ‘red flags’ that previously spotted such scams,” he said.

“The future of UK national security will be determined by the ability of its corporate sector to authenticate its workforce in the face of persistent, AI-enhanced adversarial impact,” Laurie added.

Security specialists say that after companies strengthened their online recruitment checks, some North Korean groups began paying individuals, often described as facilitators, to attend interviews on their behalf.

The next stage of the scheme can involve intercepting laptops sent by employers to new hires. Operatives then access the machines remotely and use large language models or chatbot tools to perform assigned tasks, sometimes while holding multiple jobs simultaneously.

Rafe Pilling from Sophos described the operation as state-backed activity. “A mini army of North Koreans has been targeting high-salary, fully remote tech jobs. Framing themselves as talent with around seven to 10 years’ experience, getting jobs, drawing a salary — rinse and repeat,” he said.

In a January LinkedIn post, Stephen Schmidt said Amazon had prevented more than 1,800 suspected North Korean operatives from obtaining jobs since April 2024.

“These were increasingly targeting AI and machine learning roles. This isn’t Amazon-specific—this is likely happening at scale across the industry,” Schmidt noted.

Cybersecurity company KnowBe4 has also said it experienced such an incident. In that case, the individual posing as a worker gained access to the company’s systems and attempted to install malware, but the activity was detected before it could be completed.
