
Okta warns of North Korean fraud in remote tech hiring

Fri, 13th Feb 2026

Okta has published new research on how North Korean threat actors are securing remote technology jobs under false identities in schemes designed to generate revenue, steal data and create leverage for extortion.

Okta's Threat Intelligence team analysed activity linked to more than 130 fraudulent personas that targeted over 5,000 organisations. The latest findings focus on two identities, "JJ" and "EM", which illustrate common methods used by Democratic People's Republic of Korea-linked IT workers.

The analysis adds detail to broader concerns among employers and security teams about "IT worker" operations, in which applicants use stolen or fabricated documents and synthetic online histories to pass recruitment checks and gain access to corporate systems.

False personas

Okta described how these actors build "artificial" personas, pointing to patterns in the creation of online accounts used only for job applications and related activity. Services involved include job boards, recruiter scheduling tools, document workspaces, dynamic DNS providers and coding platforms.

A limited personal online footprint combined with repeated use of employment-related services creates a pattern defenders can use for detection. Okta also noted that PDF properties in CVs can sometimes provide additional indicators, such as signs of duplication and reuse.

The research also highlighted abuse of legitimate professional profiles. Historically, Okta said, some actors avoided LinkedIn or used sparse accounts with few connections and little activity, signals that can raise suspicions during screening.

In JJ's case, the actor provided an active LinkedIn profile that appeared more credible than typical fraudulent accounts, with close to 200 connections, multiple third-party skill endorsements and a linked GitHub account with realistic-looking content.

Okta concluded that the LinkedIn profile belonged to a real person who had worked at the listed organisation. The actor allegedly misrepresented the profile as their own and changed the fraudulent persona's name to match the legitimate individual.

Stolen identities

The second case, EM, centred on identity theft and what Okta described as a higher success rate in interviews. EM allegedly conducted hundreds of interviews over more than a year across many sectors, with a strong preference for AI-related roles.

Okta observed EM interviewing with critical national infrastructure organisations, including commercial aviation, communications providers and internet service providers, as well as a voting technology company and defence contractors.

Okta said EM's persona was built around a photo of a real person whose personal information was sufficiently exposed online to be co-opted. When asked about work eligibility, EM claimed US citizenship and presented identity documents that appeared realistic.

Okta found online images of the legitimate individual holding an identity document that was almost identical to the one the actor presented, but with a different photo and signature. It also flagged VoIP numbers as a common marker and said one caller ID location contradicted the persona's stated biography.

Okta added that the LinkedIn profile listed on EM's CV had been removed by LinkedIn's security team. It said inconsistencies also appeared in the persona's photos across platforms, which did not match the image used in the identity documents. Several profile pictures appeared AI-generated, based on online detection tools, according to Okta.

GitHub signals

The research also examined how GitHub profiles are used in screening. Okta said DPRK-linked IT worker actors often create repositories and activity histories that appear extensive.

In EM's case, a GitHub account associated with the persona showed thousands of contributions dating back to 2011 on the platform's public display. Using the GitHub API, Okta identified the account creation date as December 2024 and assessed that the actor forged commit dates by changing the year on unsigned commits.
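
The check described above, as an added example that is not from Okta's research or the original article: it compares the `created_at` value returned by GitHub's user endpoint with commit author dates from the commits listing, and counts unsigned commits that claim to predate the account. The sample records are constructed, and `make_commit` and the `min_share` threshold are hypothetical.

```python
from datetime import datetime, timezone

def parse_ts(value):
    """Parse GitHub's ISO 8601 UTC timestamps, e.g. 2024-12-10T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def backdating_report(user, commits, min_share=0.5):
    """Compare unsigned commit author dates with the account creation date.

    min_share is a hypothetical threshold: the share of commits that must
    predate the account before the profile is queued for manual review.
    """
    created = parse_ts(user["created_at"])
    suspect = []
    for item in commits:
        authored = parse_ts(item["commit"]["author"]["date"])
        verified = item["commit"].get("verification", {}).get("verified", False)
        # Author dates are written by the committing client; a verified
        # signature is the only part of the record tied to a key.
        if authored < created and not verified:
            suspect.append((authored, item["sha"]))
    suspect.sort()
    share = len(suspect) / len(commits) if commits else 0.0
    earliest = suspect[0][0] if suspect else None
    return {
        "account_created": created.date().isoformat(),
        "unsigned_predating": len(suspect),
        "share": round(share, 2),
        "earliest_claimed": earliest.date().isoformat() if earliest else None,
        "years_before_account": (created - earliest).days // 365 if earliest else 0,
        "review": share >= min_share,
    }

def make_commit(sha, date, verified=False):
    """Build a constructed record shaped like one item of the commits listing."""
    return {"sha": sha, "commit": {"author": {"date": date},
                                   "verification": {"verified": verified}}}

# Constructed sample data, not taken from Okta's research.
SAMPLE_USER = {"login": "example-persona", "created_at": "2024-12-10T08:00:00Z"}
SAMPLE_COMMITS = [
    make_commit("a1", "2011-03-02T10:00:00Z"),
    make_commit("b2", "2015-07-19T14:30:00Z"),
    make_commit("c3", "2019-11-05T09:45:00Z"),
    make_commit("d4", "2025-01-15T12:00:00Z", verified=True),
]

if __name__ == "__main__":
    print(backdating_report(SAMPLE_USER, SAMPLE_COMMITS))
```

Repositories imported with older history can legitimately contain commits that predate an account, so the result is a prompt for manual review alongside the other signals in the research.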

Hired risk

Okta said it had high confidence EM secured employment, citing a social media post from an employer welcoming a new hire. The photo in that post appeared AI-generated, Okta said, and it reported taking steps to inform the organisation.

Okta said the risk extends beyond direct hires, noting that many DPRK IT workers seek contract roles through third-party providers. These arrangements may involve weaker screening for short-term workers than direct employment checks.

Okta warned that organisations that unknowingly hire such actors face multiple risks, including salary payments diverted to the North Korean regime, privileged access to internal systems, and exposure to ransomware and extortion. It also raised potential legal exposure related to sanctions compliance.

Recruitment controls

Okta outlined measures for employers focused on identity verification, interview controls and post-hire monitoring. It recommended verifying government-issued IDs at multiple stages, cross-checking stated locations against IP addresses and time-zone behaviour, and using accredited third-party services for document authentication and employment checks.

Okta also recommended training HR teams, checking for candidate "swap-outs" between interview rounds, and using structured assessments such as observed live coding. It cautioned against relying on LinkedIn alone for employment verification.

"Employers should not rely on a LinkedIn profile as a basis for determining employment history," said Okta Threat Intelligence.

For high-trust roles, Okta recommended in-person identity checks. It also advised least-privilege access for new hires and contractors, segmented environments, and monitoring for anomalous activity such as large data transfers and logins from unexpected geographies.

Okta also urged organisations to prepare incident response plans that cover insider threats and supply chain risks, and to coordinate more closely with law enforcement and industry peers as IT worker tactics and tooling continue to evolve.