The North Korea fake IT worker scheme has become a pernicious threat across several industries. While best practices emphasize precautions throughout the hiring phase, once onboarded such operatives can be challenging to detect. Combinations of behavioral analytics, threat intelligence, and other points of information are taking shape as essential defenses, as a recent case attests.
According to a recent report from LevelBlue SpiderLabs, a suspected North Korea-linked operative was hired, passed security checks, and was assigned to work on Salesforce data before being identified and terminated 10 days later. It took a combination of geolocation anomalies, unmanaged device access, and threat intelligence correlation to identify the threat.
In August 2025, routine onboarding quickly unraveled when Cybereason XDR behavioral analytics flagged suspicious login patterns and LevelBlue SpiderLabs threat intelligence confirmed the organization had unknowingly hired the bad actor.
When an admin from the organization activated the new hire’s EntraID account, the team observed that the new hire used an EntraID login from a Dallas, Texas, IP address that deviated from his usual login regions (China). The EntraID login originated from an unmanaged device and used an IP address from the Astrill VPN, which is typically used by North Korea-linked IT workers.
Tue Luu, threat detection engineer at LevelBlue SpiderLabs, told CSO that it was the threat intelligence correlation that set alarm bells ringing. “These things are seldom determined by a single piece of information or telemetry or behavior; rather, they result from a confluence of suspicions and statistical anomalies.”
The North Korean fake IT worker scheme can allow operatives to steal sensitive data, proprietary source code, trade secrets, and intellectual property. It can expose organizations to ransom demands and the harvesting of credentials to maintain persistent unauthorized access.
“It’s the ultimate trojan horse: difficult to mitigate, especially if they pass your employee vetting process,” Luu said.
It’s estimated that North Korea-linked remote worker schemes have infiltrated hundreds of organizations globally, generating between $250 million and $500 million annually for the regime.
How the scheme played out in detail
Friday: Threat actor hired as remote employee assigned to work on Salesforce data and passed standard verification procedures.
Friday to Wednesday: Cybereason XDR established behavioral baseline showing consistent logins from China.
Thursday: A login anomaly was detected, triggering a high-severity alert.
Friday: Threat intel matched OTX pulse for Astrill VPN infrastructure used by North Korean actors.
Monday: User’s account revoked and an extended investigation initiated.
During the SpiderLabs team’s deep dive, they scoured employee interactions, group chat additions, and other material to look for evidence of persistence mechanisms and remote access tools. They found no evidence of residual access, backdoors, or malicious artifacts, which they attributed to the speed of detection.
In most cases, these rogue insiders attempt to operate in the shadows.
“As long as they aren’t lighting up too many of the company’s controls, perhaps using communication channels that pass proxy muster, you may see methods like QQ chat clients, pastebin-like sites, or even shared cloud-based email drafts as ways to pass information,” Luu said.
Key signs of NK-linked insider infiltration
SpiderLabs has found that these threat actors commonly operate from China rather than North Korea because the internet is more stable and they can employ VPN services to conceal their true geographic origin.
Astrill VPN has the ability to bypass China’s Great Firewall and allows threat actors to tunnel traffic through US exit nodes and masquerade as legitimate domestic employees. As a result, authentication events from known Astrill VPN IP ranges represent a high-fidelity indicator of compromise.
In this case, however, the VPN itself wasn’t the only sign things were not as they seemed.
“I believe what happened here is that Astrill VPN was not a standard solution used in the specific environment we were monitoring for the client in this case. If it had been, then this particular indicator might not have had as much weight,” Luu said.
“The true anomaly here is that the use of that particular VPN software was unusual for this particular environment. There are personal VPNs and business VPNs, and the XDR solution can distinguish between the personal and business VPN solutions and only alert on the personal VPN usage,” Luu added.
No silver IAM bullet for CISOs
Identity and access management offers no magical method for spotting fake IT workers. As this example demonstrates, discovering a North Korean insider requires patching together a number of signals. This investigative and alert work can take different forms.
“Some approaches start with well-segregated privileges and begin ramping up privileges over time as trust and tenure are established to ‘slow roll’ risky hires,” Luu told CSO.
In some cases, it’s looking for logon or work activity outside of typical working hours for a particular geography.
“Certainly, the confluence of suspicions helps. For example, are employees accessing data or attempting to authenticate data, hosts, or applications outside their established roles?” Luu noted.
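The "confluence of suspicions" described in the timeline and in the sections above (a login country outside the user's established baseline, an unmanaged device, a source IP matching threat intelligence on VPN exit nodes, and activity outside the user's usual hours) can be expressed as a small replay detector. The script below is an added illustration for this article; it is not LevelBlue's, Cybereason's, or the client's code. The sign-in events are constructed to mirror the article's timeline, the VPN "feed" uses RFC 5737 placeholder ranges rather than any real provider's addresses, and the baseline size, hour tolerance and severity thresholds are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class SignIn:
    user: str
    ts: datetime          # UTC timestamp
    ip: str
    country: str          # ISO country code from the IdP's geo-IP enrichment
    managed_device: bool  # True when the device is enrolled in endpoint management


# Constructed sign-in events modelled on the article's timeline (not real telemetry):
# four consistent logins from China on a managed device, then one from the US
# on an unmanaged device via a VPN exit address.
SIGNINS = [
    SignIn("contractor01", datetime.fromisoformat("2025-08-08T02:10:00"), "203.0.113.10", "CN", True),
    SignIn("contractor01", datetime.fromisoformat("2025-08-11T01:55:00"), "203.0.113.11", "CN", True),
    SignIn("contractor01", datetime.fromisoformat("2025-08-12T02:20:00"), "203.0.113.12", "CN", True),
    SignIn("contractor01", datetime.fromisoformat("2025-08-13T03:05:00"), "203.0.113.10", "CN", True),
    SignIn("contractor01", datetime.fromisoformat("2025-08-14T16:40:00"), "198.51.100.77", "US", False),
]

# Constructed threat-intel feed: label -> CIDR blocks standing in for a personal VPN
# provider's exit nodes. RFC 5737 documentation ranges are used as placeholders.
VPN_EXIT_RANGES = {"placeholder-vpn-provider": [ipaddress.ip_network("198.51.100.0/24")]}

MIN_BASELINE = 3   # assumption: prior logins required before deviations are judged
HOUR_TOLERANCE = 2  # assumption: hours this far from any baseline hour count as off-hours


def vpn_match(ip, feed=VPN_EXIT_RANGES):
    """Threat-intel correlation: return the feed label whose CIDR contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for label, nets in feed.items():
        if any(addr in net for net in nets):
            return label
    return None


def hour_distance(a, b):
    """Circular distance between two hours of the day (handles midnight wraparound)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score(event, history, feed=VPN_EXIT_RANGES):
    """Compare one sign-in with the user's earlier sign-ins; return the signals it trips."""
    signals = []
    countries = {h.country for h in history}
    hours = {h.ts.hour for h in history}
    if event.country not in countries:
        signals.append(f"new_country:{event.country}")
    if not event.managed_device:
        signals.append("unmanaged_device")
    label = vpn_match(event.ip, feed)
    if label:
        signals.append(f"vpn_exit_match:{label}")
    if hours and all(hour_distance(event.ts.hour, h) > HOUR_TOLERANCE for h in hours):
        signals.append(f"off_hours:{event.ts.hour:02d}Z")
    return signals


def severity(signals):
    """Assumed scale: one signal is low, two medium, three or more high; none means no alert."""
    n = len(signals)
    return "high" if n >= 3 else "medium" if n == 2 else "low" if n == 1 else None


def detect(events, min_baseline=MIN_BASELINE, feed=VPN_EXIT_RANGES):
    """Replay sign-ins in time order; each user's baseline is built only from earlier events."""
    history = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        prior = history[ev.user]
        if len(prior) >= min_baseline:
            sig = score(ev, prior, feed)
            if sig:
                alerts.append({"user": ev.user, "ts": ev.ts.isoformat(), "ip": ev.ip,
                               "signals": sig, "severity": severity(sig)})
        prior.append(ev)
    return alerts


if __name__ == "__main__":
    for a in detect(SIGNINS):
        print(a["severity"].upper(), a["user"], a["ts"], a["ip"], ", ".join(a["signals"]))
```

Run stand-alone, the script stays silent through the baseline-building logins and raises a single high-severity alert on the fifth event, because four independent signals coincide. A production rule would draw the baseline from the identity provider's sign-in logs, the managed-device flag from device compliance data, and the VPN ranges from a maintained intelligence feed, and, as Luu notes, would distinguish sanctioned business VPNs from personal ones before treating a VPN exit address as suspicious.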
The reminder for CISOs is to ensure onboarding processes are robust and regularly reviewed. “Learn what software is ‘normal’ in your environment and set software standards, and ensure employees have company-managed devices, preferably Windows for more control,” Luu advised. “Make sure IT admins apply EntraID Conditional Access policy to lock down logins from allowed regions or areas where employees are employed. The client didn’t have the conditional access policy activated before the incident, and they applied it after as a recommendation from Cybereason.”