
With the continued rise in remote work, companies now face a unique vector for potentially significant sanctions risks that continues to catch even the most vigilant companies off guard. This threat comes from the Democratic People’s Republic of Korea (“DPRK” or “North Korea”) and its deployment of IT and software development workers to generate illicit revenue. I’ve worked with a few clients that have dealt with this issue and, believe it or not, many of the workers are actually productive and good at their work. These workers are not necessarily tasked with hacking into companies or stealing money or other assets. Rather, they are there to collect paychecks to help fund the country’s military. This makes them all the more difficult to identify, since it’s not as simple as spotting an under-performer or someone not completing their work.
As this threat continues to grow and these workers utilize new tools and methods to hide their true identities, such as utilizing AI deepfakes, it becomes crucial for companies to stay abreast of developments in this area. In this post, I’ll summarize the key issues from the original guidance, highlight recent developments, and provide actionable steps to help potential clients mitigate risks and ensure compliance.
The 2022 Guidance: A Foundational Overview of the Threat
The U.S. Department of State, Treasury, and FBI issued a comprehensive advisory in May 2022 to alert the global community about DPRK IT workers posing as non-North Korean nationals to secure freelance employment. This advisory explains that the DPRK dispatches thousands of highly skilled IT professionals worldwide to earn foreign currency, with a primary focus on supporting regime priorities under leader Kim Jong Un. These workers, often based in China and Russia but also in Africa and Southeast Asia, specialize in areas like software development, mobile apps, virtual currency platforms, AI applications, and database management. They can earn upwards of $300,000 individually or $3 million as teams annually, with a significant portion remitted to the DPRK government. Many are affiliated with sanctioned entities, such as the Munitions Industry Department’s 313 General Bureau, the Ministry of Atomic Energy Industry, or military units under the Korean People’s Army—all blocked under U.S. Executive Orders like 13722 and 13382. While their work is often legitimate IT development, it can overlap with malicious cyber activities, such as enabling intrusions or laundering funds. Alarmingly, reports indicate many workers face forced labor conditions, with up to 90 percent of wages withheld, excessive hours, and constant surveillance.
How DPRK IT Workers Operate

North Korean workers target freelance platforms, payment services, and direct contracts in wealthier regions like North America, Europe, and East Asia, often masquerading as U.S.-based teleworkers or nationals from South Korea, China, Japan, or Eastern Europe. They obfuscate identities using VPNs, VPSs, proxy accounts, and falsified documents like passports, driver’s licenses, and diplomas, sometimes stolen or purchased from third parties. Subcontracting to unwitting non-DPRK freelancers is common, as is using dedicated devices to evade detection. Profiles on platforms feature fabricated resumes with realistic but unverifiable education and work histories, including claims of affiliation with Western companies.
Once hired, they may exploit access for cyber espionage, data theft, or supporting DPRK’s virtual currency operations. However, oftentimes the individual is actually a productive worker—they meet deadlines and produce quality work. While the former is obviously problematic, the latter is much more difficult to detect. There may be no warning signs at all when an employee is productive, yet the employment would still constitute a sanctions violation for the company.
Red Flag Indicators from the 2022 Advisory
Freelance work and payment platform companies should be alert for the following activities:
- Multiple logins into one account from various IP addresses in a relatively short period of time, especially if the IP addresses are associated with different countries;
- Developers are logging into multiple accounts on the same platform from one IP address;
- Developers are logged into their accounts continuously for one or more days at a time;
- Router port or other technical configurations associated with use of remote desktop sharing software, such as port 3389 in the router used to access the account, particularly if usage of remote desktop sharing software is not standard company practice;
- Developer accounts use a fraudulent client account to increase developer account ratings, but both the client and developer accounts use the same PayPal account to transfer/withdraw money (paying themselves with their own money);
- Frequent use of document templates for things such as bidding documents and project communication methods, especially the same templates being used across different developer accounts;
- Multiple developer accounts receiving high ratings from one client account in a short period, with similar or identical documentation used to establish the developer accounts and/or the client account;
- Extensive bidding on projects, and a low number of accepted project bids compared to the number of projects bid on by a developer; and
- Frequent transfers of money through payment platforms, especially to PRC-based bank accounts, and sometimes routed through one or more companies to disguise the ultimate destination of the funds.
Companies employing freelance developers should be alert for the following activities:
- If a freelance software development website or payment platform account has been shut down or the worker contacts the employer requesting use of a different account, especially if registered to a different name;
- Use of digital payment services, especially PRC-linked services;
- Inconsistencies in name spelling, nationality, claimed work location, contact information, educational history, work history, and other details across a developer’s freelance platform profiles, social media profiles, external portfolio websites, payment platform profiles, and assessed location and hours;
- Surprisingly simple portfolio websites, social media profiles, or developer profiles;
- Direct messaging or cold-calls from individuals purporting to be C-suite level executives of software development companies to solicit services or advertise proficiencies;
- Requests to communicate with clients and potential clients on a separate platform than the original freelance platform website where the client found the IT worker;
- An employer proposes to send documents or work-related equipment such as a laptop to a developer, and the developer requests that items be sent to an address not listed on the developer’s identification documentation. Be particularly suspicious if a developer claims they cannot receive items at the address on their identification documentation;
- Seeking payment in virtual currency in an effort to evade KYC/AML measures and use of the formal financial system;
- Requesting payment for contracts without meeting production benchmarks or check-in meetings;
- Inability to conduct business during required business hours;
- Incorrect or changing contact information, specifically phone numbers and emails;
- Biographical information which does not appear to match the applicant;
- Failure to complete tasks in a timely manner or to respond to tasks;
- Inability to reach them in a timely manner, especially through “instant” communication methods; and
- Asking co-workers to borrow some of their personal information to obtain other contracts.
Recent Developments: Escalating Threats and Enforcement
Since that initial guidance, the DPRK IT worker scheme has evolved and has begun incorporating AI tools like deepfakes for interviews and expanding beyond tech into sectors like finance, payments, and engineering. U.S. authorities have ramped up responses with new sanctions, international collaborations, and warnings, reflecting the scheme’s growing scale—estimated to generate hundreds of millions annually.
New OFAC Sanctions Designations
In the Summer of 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) designated multiple individuals and entities involved in DPRK IT worker networks. On July 8, 2025, OFAC sanctioned Song Kum Hyok, a DPRK cyber actor linked to the Reconnaissance General Bureau’s Andariel group, for using stolen U.S. identities to facilitate remote employment schemes. OFAC also designated Russian national Gayk Asatryan and his companies, Asatryan LLC and Fortuna LLC, for employing DPRK workers under contracts with DPRK entities like Korea Songkwang Trading General Corporation and Korea Saenal Trading Corporation.
On July 24, 2025, sanctions hit the Korea Sobaeksu Trading Company (a front for the sanctioned Munitions Industry Department) and individuals Kim Se Un, Jo Kyong Hun, and Myong Chol Min for facilitating overseas IT worker deployments, including to Vietnam, and revenue generation through cryptocurrency and trade. The State Department offered up to $3 million rewards for information leading to the arrest of Kim Se Un and Myong Chol Min.
On August 27, 2025, OFAC designated Russian national Vitaliy Sergeyevich Andreyev and DPRK official Kim Ung Sun for converting cryptocurrency to cash (nearly $600,000 since late 2024), alongside Chinese front company Shenyang Geumpungri Network Technology Co., Ltd., and DPRK’s Korea Sinjin Trading Corporation, which have generated over $1 million for DPRK’s military since 2021. These actions block assets and prohibit U.S. transactions, with secondary sanctions risks for foreign financial institutions.
International Coordination and Warnings
In August 2025, the U.S., South Korea, and Japan issued a joint statement reaffirming efforts to counter DPRK IT workers, highlighting their use of AI for identity obfuscation and targeting blockchain industries. Risks include IP theft, data breaches, and legal penalties; mitigations emphasize enhanced due diligence and public-private partnerships, such as a Tokyo event with Mandiant. A September trilateral meeting echoed these concerns.
The FBI’s July 2025 Public Service Announcement warns of U.S.-based facilitators aiding DPRK workers with internet access, laptop reshipment, and job applications. Red flags include document inconsistencies, unverified histories, and suspicious payments; tips urge video interviews with AI checks and direct verifications. Microsoft’s June report details evolving tactics, including indictments of DPRK nationals. The Justice Department’s June announcement of nationwide actions against these schemes, including indictments, underscores coordinated enforcement.
Actionable Guidance for Businesses and Platforms
Drawing from this guidance, here are practical steps to protect your organization:
For Companies Hiring IT Freelancers or Remote Workers
- Enhanced Due Diligence and Verification: Conduct video interviews requiring unobscured backgrounds and use AI deepfake detection tools to counter falsified appearances. Perform background checks and consider employing in-person drug tests or fingerprinting, if possible. Verify education and employment directly with institutions using independent sources, not applicant-provided contacts.
- Payment and Equipment Protocols: Avoid virtual currency payments and ensure banking details match IDs. Monitor for any changes in payment details, especially frequent changes. Ship laptops or materials only to addresses on official documents; flag requests for alternate shipping. Monitor for small, unauthorized transactions, as seen in cases where DPRK workers stole over $50,000 in installments.
- Technical Safeguards: Disable remote desktop tools on company devices and use port scanning to detect VPNs or proxies. Analyze login patterns for anomalies like multi-country IPs or extended sessions.
- Vendor and Subcontractor Oversight: Educate third-party vendors on risks and require them to adopt similar verifications. Be wary of recommendations for additional hires from current contractors.
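The login-pattern indicators from the 2022 advisory (one account logging in from several countries in a short period, several developer accounts sharing one IP address, and sessions that stay open for a day or more) are the ones the “Technical Safeguards” step above asks companies to analyze. The script below is an added example, not code from the advisory or from any platform or vendor: it parses a small, constructed login log (documentation-range IPs, fictional account names, and a made-up record format) and returns the accounts or IPs that trip each of the three indicators. Thresholds such as the two-hour window, three accounts per IP, and 24-hour session length are assumptions chosen for illustration, not figures from the advisory.

```python
"""Detectors for three login-pattern red flags: multi-country logins in a
short window, many developer accounts from one IP, and sessions lasting a
day or more. The sample records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <account> <ip> <country> <event>".
# IPs are from RFC 5737 documentation ranges; accounts are fictional.
SAMPLE_LOG = """\
2025-03-01T08:00:00Z dev_alpha 203.0.113.10 US login
2025-03-01T08:40:00Z dev_alpha 198.51.100.7 RU login
2025-03-01T09:10:00Z dev_alpha 192.0.2.55 CN login
2025-03-01T09:00:00Z dev_beta 203.0.113.77 US login
2025-03-01T09:05:00Z dev_gamma 203.0.113.77 US login
2025-03-01T09:07:00Z dev_delta 203.0.113.77 US login
2025-03-01T10:00:00Z dev_epsilon 203.0.113.200 US login
2025-03-03T12:30:00Z dev_epsilon 203.0.113.200 US logout
2025-03-01T10:00:00Z dev_zeta 203.0.113.201 US login
2025-03-01T18:00:00Z dev_zeta 203.0.113.201 US logout
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country, event = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "ip": ip,
            "country": country,
            "event": event,
        })
    records.sort(key=lambda r: r["time"])
    return records


def multi_country_logins(records, window_hours=2):
    """Accounts whose logins within any window of `window_hours` come from
    more than one country. Returns {account: (sorted countries seen)}."""
    window = timedelta(hours=window_hours)
    by_account = defaultdict(list)
    for r in records:
        if r["event"] == "login":
            by_account[r["account"]].append(r)
    flagged = {}
    for account, logins in by_account.items():
        countries = set()
        for i, first in enumerate(logins):
            in_window = {x["country"] for x in logins[i:]
                         if x["time"] - first["time"] <= window}
            if len(in_window) > 1:
                countries |= in_window
        if countries:
            flagged[account] = tuple(sorted(countries))
    return flagged


def shared_ip_accounts(records, min_accounts=3):
    """IP addresses from which at least `min_accounts` distinct developer
    accounts logged in. Returns {ip: (sorted account names)}."""
    by_ip = defaultdict(set)
    for r in records:
        if r["event"] == "login":
            by_ip[r["ip"]].add(r["account"])
    return {ip: tuple(sorted(accts)) for ip, accts in by_ip.items()
            if len(accts) >= min_accounts}


def long_sessions(records, min_hours=24):
    """Closed sessions (a login followed by that account's next logout) that
    lasted at least `min_hours`. Returns [(account, hours)] sorted by account.
    Sessions still open at the end of the log are not counted here."""
    open_since = {}
    flagged = []
    for r in records:
        if r["event"] == "login":
            open_since.setdefault(r["account"], r["time"])
        elif r["event"] == "logout" and r["account"] in open_since:
            start = open_since.pop(r["account"])
            hours = (r["time"] - start).total_seconds() / 3600
            if hours >= min_hours:
                flagged.append((r["account"], hours))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("multi-country logins:", multi_country_logins(recs))
    print("shared IPs:", shared_ip_accounts(recs))
    print("sessions >= 24h:", long_sessions(recs))
```

A hit from any of these checks is a prompt for the verification steps above (direct identity checks, a video interview, and a review of payment and shipping details), not proof of anything on its own: travelling staff, shared office NAT addresses, and forgotten sessions all produce the same patterns, so the thresholds should be tuned to what is normal for your own workforce before alerts are acted on.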
For Freelance Platforms and Payment Providers
- Account Creation and Monitoring: Consider video identity verification for high-risk entities and reject low-quality ID images. Flag new accounts for review, restricting activity until verified. Automate alerts for similar templates, high ratings from single clients, or excessive bidding.
- Fraud Detection: Scrutinize for proxy accounts, forged documents, and transfers to high-risk jurisdictions like China. Collaborate with law enforcement for forgery checks.
- Ongoing Compliance: Refresh KYC/AML processes regularly and integrate AI and other new tools to detect deepfake submissions.
General Best Practices
- Develop a sanctions compliance policy that also includes hiring for remote work, including training on identifying and escalating red flags.
- Report suspicious activity to the FBI or OFAC promptly, which can even lead to significant rewards.
- Consider periodic audits, whether internally or with outside counsel, especially if operating in tech, crypto, or AI industries that have been constant targets.
- Initiate an internal investigation if you identify any red flags or have concerns that one of your workers isn’t who they say they are. Determine if a voluntary self-disclosure is necessary, depending on the results of the investigation.
Legal Consequences: Why Compliance Matters
Sanctions violations are strict liability and can lead to severe penalties, with up to 20 years’ imprisonment and $1 million in fines for each violation. As such, it’s extremely important to implement the necessary controls to avoid these situations, and to take appropriate action if you are a victim of one of these schemes.
This DPRK IT worker threat is unique and it continues to evolve. With proper controls and compliance procedures, businesses can safeguard against these risks. Staying ahead in sanctions law isn’t just about avoidance; it’s about building resilient operations in a complex global environment.