Cybersecurity: Is Your New IT Colleague from North Korea?

by John Jenkins

July 6, 2026

The nice folks from the Hermit Kingdom have a well-established reputation for being among the world’s top cybersecurity menaces, and they’ve apparently expanded the scope of their activities to include sophisticated efforts to obtain remote IT gigs with US companies.  This Skadden memo discusses how North Korea deploys skilled professionals in other countries in order to obtain multiple remote IT positions. These people then funnel the money they receive back to North Korea, which, among other things, helps it do an end-run around international sanctions.

 

The memo addresses the mechanics of the scheme, the remarkably large amount of money involved ($400 million to $600 million annually), and the cyber threats and other risks to employers that it poses.  This excerpt highlights some of the “red flags” that employers should be on the lookout for:

-LinkedIn profiles that appear credible at a glance but lack genuine company page links, show limited connections or activity, or use slightly altered employer names.

– Candidates or workers who are reluctant to appear on unscheduled or live video, whose video feeds consistently have technical issues or whose on-screen appearance is inconsistent between calls.

– References that cannot be independently verified.

– Multiple or inconsistent addresses associated with the candidate — such as discrepancies across identity documents, LinkedIn profiles and home addresses — or requests to change payroll information or deliver work equipment to different addresses.

– Network logins from non-U.S. locations, or multiple logins into a single account from various IP addresses within a short time period.

The memo also addresses best practices for interviewing and onboarding new remote employees, and for ensuring that North Korea hasn’t already infiltrated the company’s existing workforce.