Nicole Perlroth and the investigators at Nisos had spent three years tracking North Korean IT workers from the outside. They knew how the scheme worked, how it spread, and roughly how large it had grown. What they didn't know was what it looked like from the inside.
Episode 2 of To Catch a Thief changes that.
The episode follows a decision that Nisos CEO Ryan LaSalle describes, simply, as "crazy": the decision to hire a North Korean operative on purpose.
Hiring the Spy
When a man calling himself Joseph applied for an AI developer role at Nisos, something was immediately off. He looked like a teenager, despite a resume listing years of senior experience. His answers came with a beat of delay. His eyes kept drifting off-screen. Nisos choreographed a second interview and laid a trap: they invented a hurricane.
"There was no Hurricane George," Nicole explains in the episode. The team made it up. Joseph consulted something off-screen, improvised an answer about strong winds and fallen branches, and confirmed everything the team suspected. He wasn't in Florida. He almost certainly wasn't named Joseph.
Nisos's chief people officer Magen Gicinto, a former CIA officer, pushed the team to lean in rather than cut him loose. They brought him back. And then they hired him on a fake contract and shipped a tracked, spyware-laced laptop to a Florida address he provided.
A Walk-In Closet in Florida
When Nisos turned on the laptop's camera, what they saw was not a home office. It was a walk-in closet: wire shelves, a row of open laptops. Their machine sat alongside devices with other companies' logos visible on the screens: a healthcare company, an insurance brokerage, a mortgage company. Every laptop in the closet connected back to remote desktop infrastructure that let operators overseas control each machine's keyboard and mouse. To any employer watching from the outside, the activity looked completely legitimate.
A canary token embedded in Nisos's onboarding document confirmed what they already suspected. It pinged back from China.
Inside the Discord
The real break came when Joseph logged into his personal Google account from Nisos's laptop. His passwords were stored there, including credentials for Discord. Nisos wasn't expecting much. What they found was not a gaming server. It was a complete operational picture of a 22-person cell.
Every job application, every interview, every rejection, and every offer letter was tracked in Discord. A leaderboard measured each member's output. A channel labeled "horror" captured failed attempts so other operatives could learn from them. Tips for handling screening questions circulated in real time, including what a university mascot is and why interviewers ask about it.
The top performer on the leaderboard had submitted 26,688 applications and landed 5,781 interviews. Others were juggling multiple active jobs simultaneously, coordinating among themselves to decide who would handle each meeting and outsourcing overflow work to subcontractors in India, the Philippines, and Nigeria. One CEO, after Nisos told him his employee was a North Korean operative, had already figured something was wrong: the person vanished and was replaced by a demand from a developer in India for $10,000 in back pay for doing the work of building an entire app.
"PJU just got his dream job," the Discord would announce whenever someone landed an offer, LaSalle recounts in the episode—followed days later by a frowning emoji: "PJU just lost his dream job."
One Cell. One Summer. 160,000 Applications.
From June through September, Nisos watched this single cell submit 160,000 job applications in the United States. When companies tried to fire operatives, some moved to extortion, threatening to release source code, sell access to more capable threat actors, or simply hold the company's own IP hostage. In one case, Michael "Barni" Barnhart at DTEX described a single extortion email that combined all three demands at once.
One disclosure stopped the Nisos team cold. A placement firm revealed the worker they'd been tracking had been placed at a US nuclear utility. Screenshots from the Discord showed what appeared to be an industrial control system panel. It turned out to be a training screen with no live system access. The worker had already been fired before Nisos notified the company. The near-miss illustrated what's actually at stake when these operatives accumulate access.
The Treasury Department revised its estimates in March: North Korea's remote worker scheme generated $800 million in 2024 alone.
And the scheme can't operate at this scale without domestic help. As LaSalle puts it: "There are thousands of people who are trying to rob US companies of payroll, and there are hundreds of Americans who are happy to help them." That thread—the Americans lending their identities and running the laptop farms—is where episode three of To Catch a Thief picks up.
Listen: To Catch a Thief
Episode 2 of To Catch a Thief, "The Cell," is available now. Nicole's investigation includes interviews with Ryan LaSalle and the Nisos team, a defector who describes life inside a North Korean IT worker cell operating out of China, and researchers who've traced operatives from Discord channels to pool parties and Minion memes in Laos.
To Catch a Thief is co-produced by Nicole Perlroth and Rubrik, in partnership with Pod People. Follow the show wherever you listen to podcasts.