The remote worker showed up on camera, sort of. Back-lit, slightly out of focus, reluctant to turn on the video at all. Their resume said 15 years as a senior developer. Their answers came a beat too slow—eyes drifting off-screen, consulting something out of frame. Their work was fine. In some cases, better than fine. But something was wrong.
That something, it turned out, was North Korea.
In the new season of To Catch a Thief, host and former New York Times lead cybersecurity reporter Nicole Perlroth investigates one of the most audacious schemes in the history of economic espionage: how North Korean agents infiltrated the American workforce—not by hacking, but by hiring. No zero-days. No phishing campaigns. Just a LinkedIn profile, a stolen identity, and a job posting.
The Scheme Behind the Resume
The mechanics are straightforward enough to be unsettling. North Korean operatives build convincing digital personas, complete with polished resumes, plausible work histories, and LinkedIn profiles connected to fake former employers.
But the companies those employers are listed at don't exist, or used to be frat houses in Michigan. Profile photos turn up on multiple accounts under different names. And every one of these workers shares something peculiar: not a single data breach on record. In a world where nearly every real person has had their credentials compromised at least once, a clean digital record is a tell.
They apply for open positions by the thousands. They route their traffic through offshore VPNs and bounce connections across a network of laptops managed by facilitators inside the United States. They use stolen identities to pass background checks at the most reputable screening firms in the country. And when they land a job, they show up. They do the work. Sometimes they're the best worker on the team.
When they're discovered and fired, some come back the next day. Different shirt. Hair combed the other way. A new name.
A Nuclear-Armed Adversary on the Payroll
This isn't a story about fringe freelancers gaming a gig platform. It's state-sponsored employment fraud at scale, managed and directed by a regime that has turned cyber crime into a core pillar of its economy.
North Korea has spent decades finding ways around international sanctions—counterfeiting $100 bills so convincing they forced the US Treasury to redesign the note, hacking cryptocurrency exchanges for billions.
Remote IT work is the latest evolution: lower risk, steadier income, and far harder to attribute. The regime withholds an estimated 90% of each worker's salary. Multiply that across hundreds of workers operating under thousands of personas and the numbers become hard to absorb. CrowdStrike identified 700 confirmed instances in 2025 alone. At an average developer salary of $150,000, that's roughly $105 million flowing directly toward North Korea's weapons program. A UN panel put the full annual take at close to half a billion dollars.
"Cyber theft punctures the sanctions," former NSA cybersecurity director Rob Joyce explains in the TCAT season premiere. "Sanctions assume you can restrict the revenue. This cyber channel creates revenue that's borderless, deniable, and renewable."
Why Traditional Controls Keep Failing
AWS CISO Amy Herzog describes detection at Amazon as a pattern that crystallizes over time—geographic inconsistencies in a work history, a degree from a school that didn't offer the listed major, keystroke latency running ten times higher than expected because the worker was routing keystrokes from across the world. Amazon fed those signals into AI models built specifically to surface employment fraud. The models lit up with 1,800 North Korean infiltration attempts. The quarter-over-quarter jump in suspected applicants at Amazon: 27%.
One of the largest staffing agencies in the United States now flags 25 to 30 new North Korean profiles every single day. Their database of confirmed DPRK operatives has reached nearly 12,000 entries. They mark every one of them "do not use." Recruiters still try to hire them because the resumes are that good.
At cybersecurity company SentinelOne, more than 300 personas submitted over 1,000 applications in the first half of 2025.
The controls these organizations use aren't naive. They're the same controls that have worked for decades. Stolen identities pass background checks. VPNs mask locations. Remote interviews let anyone stay just out of frame. As Ryan LaSalle, CEO of threat intelligence firm Nisos, puts it: the operative asks HR to ship the laptop to a different address because mom is sick and they're visiting in another city. HR says of course. The laptop lands at a house full of strangers.
The Scale of What's Already Inside
Here's the number that lands hardest: this has been going on for ten years.
Mandiant CTO Charles Carmakal told Nicole he has yet to find a Fortune 500 CISO he's confident actually knows whether their company has hired a North Korean IT worker. Most who engaged seriously with the question found they had. The ones who said they hadn't, Carmakal suspects, just hadn't looked hard enough.
The FBI issued an advisory in 2022 warning companies that North Korea was dispatching thousands of IT workers to secure remote positions and funnel revenue back to Pyongyang. It barely registered, even within the security community. The investigators at Nisos who first cracked a case in 2022 discovered the advisory mid-investigation. When they cross-referenced their technical findings with the accounts listed in it, the match was immediate.
The insider threat this creates isn't theoretical. These workers hold real access to real systems. As nation-state insider threat investigator Michael "Barni" Barnhart puts it: "What we have now is a worldwide chess game, and they've put all their pieces in place. If push comes to shove, you have thousands and thousands of organizations at your disposal that you can start blowing up from the inside."
Listen: To Catch a Thief, Season 2, Episode 1
Season Two of To Catch a Thief traces how all of this happened, from the geopolitical conditions that made the IT worker scheme possible to what comes next when a sanctioned adversary already holds access inside your organization.
Nicole speaks with former NSA and CIA officials, Fortune 500 CISOs, the threat hunters who built the cases, and (in an episode coming soon) a North Korean worker the investigators decided to hire on purpose.
To Catch a Thief is co-produced by Nicole Perlroth and Rubrik, in partnership with Pod People. Follow the show wherever you listen to podcasts.