North Korea’s IT Workers Expand Targets Beyond Tech and Crypto

▼ Summary
– North Korea’s IT worker program has expanded beyond tech/crypto firms to target finance, healthcare, public administration, and professional services globally.
– DPRK-linked workers pursued over 6,500 interviews across 5,000+ companies, with 50% targeting non-tech companies and 27% located outside the United States.
– These workers now target roles beyond coding, including finance, payments processing, engineering, and positions providing access to sensitive systems and data.
– Government agencies and contractors are vulnerable targets due to their network access and high-volume remote hiring practices.
– Organizations should implement multi-layered defenses including rigorous identity verification, advanced screening, least-privilege access, and threat monitoring.
North Korea’s covert IT Worker program, previously concentrated on infiltrating American technology and cryptocurrency companies, has significantly widened its operational focus. This sophisticated state-backed campaign now actively targets a diverse range of global industries, including finance, healthcare, public administration, and professional services, posing a substantial threat to international security.
Recent analysis from Okta’s threat research team has uncovered more than 130 identities tied to operatives linked with the Democratic People’s Republic of Korea (DPRK). These individuals have collectively pursued over 6,500 job interviews with more than 5,000 companies, with data extending into mid-2025. The findings reveal a surprisingly broad reach, with half of the targeted organizations operating outside the technology sector and more than a quarter located in countries other than the United States.
What types of positions are these operatives seeking? According to the report, any organization across all industry verticals that offers remote or hybrid work arrangements is now a potential target for infiltration. The implications extend far beyond simple payroll theft. Once embedded within a company, these workers can gain access to highly sensitive systems and networks, creating opportunities for large-scale data theft, corporate extortion, and intelligence gathering operations.
The DPRK’s IT operatives are no longer limiting themselves to standard coding positions. They are increasingly applying for roles in financial services, payment processing systems, and engineering support functions. While remote software development and IT consulting jobs within tech firms and service providers remain their primary focus, Okta has documented a noticeable surge in job interview attempts by DPRK-linked candidates within several key sectors.
These sectors include organizations specializing in artificial intelligence; healthcare providers and medical technology companies, particularly those developing mobile applications, customer service systems, and electronic health record platforms; and banks, insurance companies, and FinTech firms, where candidates seek not only software development roles but also back-office positions in payroll and accounting. The campaign even reaches outsourcing and IT service providers, along with government and public administration bodies in the United States, the Middle East, and Australia.
Okta’s researchers noted that while their data cannot confirm whether any of these interviews resulted in actual employment, the persistent attempts clearly demonstrate that government agencies are not immune to this ongoing campaign. The exposure risk is particularly significant when considering government contractors, service providers, and consultancies. These organizations frequently maintain extensive access to government networks and sensitive projects, yet they often operate under pressures of high hiring volumes, rapid turnaround times, and large pools of remote workers, making them vulnerable to infiltration.
DPRK IT units have refined their methods considerably, learning from earlier operational mistakes to better circumvent standard identity verification and employee vetting controls. To counter this evolving threat, Okta recommends that organizations implement a multi-layered defensive strategy.
Rigorous identity verification forms the foundation of this defense, requiring government-issued identification documents, cross-referencing of geolocation and payroll information, and utilization of third-party verification services. Companies should establish advanced screening processes that train recruiters to recognize potential red flags, such as inconsistent time zones or refusal to participate in live interviews, while also implementing structured technical assessments conducted under supervision.
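The cross-checks described above (ID country against payroll destination, stated time zone against interview-session geolocation, refusal of live interviews, unsupervised assessments) can be encoded as a simple pre-hire screening rule set. This is an added illustration, not Okta's or the report's own tooling; the record fields, sample values and triage thresholds are all assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed candidate screening record (hypothetical field names). The fields are
# the signals the article says to cross-reference: ID country, stated time zone,
# geolocation of interview sessions, payroll details and interview behaviour.
@dataclass
class CandidateRecord:
    candidate_id: str
    id_country: str                  # country on the government-issued ID
    stated_utc_offset: int           # hours, derived from the stated home time zone
    session_utc_offsets: List[int]   # offsets seen in interview/assessment session geolocation
    payroll_country: str             # country of the bank account supplied for payroll
    live_interview_accepted: bool    # agreed to a live, camera-on interview
    supervised_assessment: bool      # completed a proctored technical assessment


def screen_candidate(rec: CandidateRecord) -> List[str]:
    """Return the red flags raised by cross-referencing the record's fields."""
    flags = []
    offsets = set(rec.session_utc_offsets)
    # Geolocation vs. stated time zone: allow one hour of slack for daylight saving.
    if any(abs(o - rec.stated_utc_offset) > 1 for o in offsets):
        flags.append("session geolocation inconsistent with stated time zone")
    if len(offsets) > 1:
        flags.append("sessions observed from more than one time zone")
    # Payroll destination vs. identity documents.
    if rec.payroll_country != rec.id_country:
        flags.append("payroll bank country differs from ID country")
    # Interview behaviour the article names as a red flag.
    if not rec.live_interview_accepted:
        flags.append("declined live interview")
    if not rec.supervised_assessment:
        flags.append("no supervised technical assessment on file")
    return flags


def triage(rec: CandidateRecord) -> str:
    """Map the number of flags to a recruiter action (thresholds are an assumption)."""
    n = len(screen_candidate(rec))
    if n == 0:
        return "proceed"
    if n == 1:
        return "manual review"
    return "escalate to security team"


# Constructed sample records, not real candidates.
CONSISTENT = CandidateRecord("C-001", "US", -5, [-5, -5, -5], "US", True, True)
SUSPECT = CandidateRecord("C-002", "US", -5, [-5, 8, 8], "CA", False, True)
```

In practice the offsets would be fed from the interview platform's session logs and the payroll country from the onboarding system, and any "escalate" result should go to the security team rather than back to the recruiter alone.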
The principle of least-privilege access and network segregation is crucial, meaning new hires and contingent workers should begin with minimal system permissions and segmented network access. Organizations must also enforce equivalent identity controls, device security standards, and audit rights in contracts with vendors and third-party partners.
Developing comprehensive insider-threat programs and security awareness training equips human resources, information technology, and security teams to identify suspicious behavior and provides safe channels for reporting concerns. Collaboration and intelligence sharing with law enforcement agencies, Information Sharing and Analysis Centers (ISACs), and peer organizations helps disseminate information about suspicious candidate patterns and infiltration indicators.
Finally, conducting simulated hiring exercises using red-team methodologies allows organizations to proactively test their recruitment pipelines against DPRK-style infiltration attempts, identifying security gaps before they can be exploited and ensuring incident response plans remain current and effective.
(Source: HelpNet Security)