The Cybersecurity Threat Posed by Remote IT Workers from North Korea: How Should Companies Respond?
Wednesday, July 9, 2025

On June 30, 2025, the U.S. Department of Justice (DOJ) announced a series of actions to disrupt schemes involving remote information technology (IT) workers from North Korea. To combat this cybersecurity threat, companies should:

  1. Strengthen processes for hiring remote employees, contractors and vendors.
  2. Increase vigilance for suspicious activity by remote workers.
  3. Promptly report suspicious activity to law enforcement.

Further, if there is reason to believe that payments were made to North Korean IT workers or their intermediaries, companies should strongly consider voluntarily self-disclosing to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).

What Happened?

According to the DOJ, the North Korean regime has trained and deployed thousands of cyber operatives to blend into the global digital workforce and systematically target U.S. companies. These schemes are designed to evade OFAC sanctions and fund the North Korean regime’s illicit programs, including its weapons programs.

From late 2020 to at least October 2024, individuals from North Korea fraudulently obtained employment as remote IT workers with more than 100 U.S. companies, including many Fortune 500 companies.

North Korean IT workers have stolen sensitive employer data, source code (including export-controlled technology) and virtual currency. In one case, North Korean IT workers used false identities to gain employment with an Atlanta-based blockchain research and development company and stole virtual currency worth over $900,000.

North Korean IT workers have also extorted U.S. victim companies by holding stolen proprietary data and code hostage until the companies met ransom demands. In some cases, North Korean IT workers publicly released U.S. victim companies’ proprietary code.

In total, these schemes have caused U.S. victim companies to incur millions of dollars in computer network remediation costs, legal fees and other damages.

Legal Background

In 2022, the DOJ, OFAC and the U.S. Department of State issued an advisory regarding the cybersecurity threat from North Korean IT workers. The advisory also warned of reputational risks and the potential for legal consequences to U.S. companies flowing from OFAC and DOJ investigations.

OFAC investigates potential violations of its sanctions regulations, including the North Korea Sanctions Regulations (NKSR). OFAC may also impose civil penalties for sanctions violations based on strict liability.

The DOJ investigates and prosecutes violations of the International Emergency Economic Powers Act (IEEPA). Under IEEPA, it is a crime to willfully violate, attempt to violate, conspire to violate or cause a violation of any license, order, regulation or prohibition issued pursuant to IEEPA, including Executive Orders related to North Korea and the NKSR.

How Do the Remote IT Worker Schemes Operate?

Before applying for employment with U.S. companies, North Korean IT workers have used several criminal techniques to conceal their true locations and fabricate their bona fides, including the use of:

  • Stolen identities.
  • Front companies and fraudulent websites.
  • Alias (or “burner”) email and social media accounts.
  • Artificial intelligence and face-swapping technology during virtual job interviews.

Once employed, North Korean IT workers have used “laptop farms” hosted in the U.S. to remotely access U.S. victim companies’ networks to steal sensitive data and virtual currency. Moreover, North Korean IT workers acting as freelance developers have sought payment in virtual currency to evade Know Your Customer (KYC)/Anti-Money Laundering (AML) measures.

Remote Hiring Processes Should Be Strengthened

The North Korea-related IT schemes represent a new twist on the insider threat posed by remote workers. When hiring remote IT workers, the Federal Bureau of Investigation (FBI) has advised companies to strengthen internal processes, including:

  • Complete as much of the hiring and onboarding process in person as possible.
  • Implement identity verification processes during interviewing, onboarding and throughout employment.
  • Cross-check HR systems and public sources for other applicants with the same resume content or contact information (particularly voice-over-IP numbers).
  • Verify that third-party staffing firms conduct robust hiring practices and routinely audit those practices.
  • Ask applicants for specific details about their location and educational background.
  • Focus on changes in address or payment platforms during the onboarding process.
  • For virtual interviews, require applicants to hold identity documents up to the camera and consider having them point their camera outside to verify their location.
  • Require signature delivery for company devices and ensure devices are not sent to addresses other than designated work locations.

Vigilance for Suspicious Activity Should Be Increased

These schemes are likely ongoing. The FBI has advised companies to increase their vigilance with respect to network monitoring, including:

  • Practice the Principle of Least Privilege on networks, including disabling local administrator accounts and limiting privileges for installation of remote desktop applications.
  • Monitor and investigate unusual network traffic, including remote connections to devices, prohibited remote desktop applications and multiple logins into an account in a short period of time from various IP addresses associated with different countries.
  • Consider disabling remote collaboration applications on any computer supplied to a freelance developer.
  • Monitor endpoints for the use of software that allows for multiple audio/video calls to take place concurrently.
  • Monitor network logs and browser session activity to identify data exfiltration through easily accessible means, such as shared drives, cloud accounts, and private code repositories.
  • Evaluate suspicious network activity by remote workers and their assigned devices and use internal intrusion-detection software to capture the activity on the suspected devices.
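
One of the checks listed above, multiple logins into an account in a short period from IP addresses in different countries, sketched as an added example (not code from the FBI or the article's authors). The log format, the 60-minute window and the GeoIP country column are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: ISO timestamp, account, source IP, GeoIP country.
# IPs come from documentation ranges; the country column is assumed to be
# filled in by an upstream GeoIP enrichment step.
SAMPLE_LOG = """\
2025-07-01T13:02:11 jdoe 192.0.2.10 US
2025-07-01T13:09:45 jdoe 198.51.100.7 CN
2025-07-01T13:31:02 jdoe 203.0.113.55 RU
2025-07-01T13:05:00 asmith 192.0.2.44 US
2025-07-01T13:40:00 asmith 192.0.2.45 US
2025-07-01T08:00:00 mlee 192.0.2.80 US
2025-07-01T19:30:00 mlee 198.51.100.90 DE
"""

def parse(log_text):
    """Yield (time, account, ip, country) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, ip, country = parts
        yield datetime.fromisoformat(ts), account, ip, country

def multi_country_logins(events, window=timedelta(minutes=60), min_countries=2):
    """Return {account: sorted countries} for accounts whose logins span
    at least min_countries distinct countries inside one sliding window."""
    recent = defaultdict(deque)   # account -> logins still inside the window
    alerts = {}
    for ts, account, ip, country in sorted(events):
        q = recent[account]
        q.append((ts, ip, country))
        while ts - q[0][0] > window:      # expire logins older than the window
            q.popleft()
        countries = {c for _, _, c in q}
        if len(countries) >= min_countries:
            alerts.setdefault(account, set()).update(countries)
    return {a: sorted(c) for a, c in alerts.items()}

if __name__ == "__main__":
    for account, countries in multi_country_logins(parse(SAMPLE_LOG)).items():
        print(f"ALERT {account}: logins from {countries} within 60 minutes")
```

Same-country logins from different IPs (asmith) and logins from two countries many hours apart (mlee) do not alert at the 60-minute window; widening the window trades fewer misses for more travel-related false positives.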

Prompt Reporting to Law Enforcement Is Advised

Companies should report suspicious activity as soon as possible to the FBI’s Internet Crime Complaint Center (IC3) and their local FBI field office. While there is no guarantee that law enforcement will recover stolen data or funds, there have been successes in that regard. For example, the DOJ recently announced the seizure of over $7 million in cryptocurrency, non-fungible tokens (NFTs), and digital assets tied to these schemes.

Consider Voluntary Disclosures to OFAC for Potential Violations

If there is reason to believe that payments were made to North Korean IT workers or their intermediaries, companies should strongly consider self-disclosing potential violations to OFAC, which has previously stated that it considers a voluntary self-disclosure a mitigating factor insofar as it represents cooperation with its investigation. OFAC has also stated that voluntary self-disclosure will result in a reduction in the base amount of any proposed civil penalty. A voluntary disclosure to OFAC must be made before an investigation begins; it would not be a mitigating factor if a company makes a disclosure once OFAC has already begun its investigation.

OFAC’s Economic Sanctions Enforcement Guidelines state that a voluntary self-disclosure must include (or be followed within a reasonable time by) a detailed report to afford OFAC a complete understanding of a potential violation’s circumstances. OFAC will generally expect such a report within 180 days after the initial self-disclosure.

It is also important to note that OFAC violations have a 10-year statute of limitations, meaning companies are required to keep records for a 10-year period and should disclose any violations that occurred within that time. 
