The phone call that ended Christina Chapman’s career as the most prolific known facilitator of North Korean hiring fraud came in October 2023. Federal agents had been watching her suburban home in Litchfield Park, Arizona, for months. When the search warrant was executed, they recovered more than ninety company-issued laptops, each one labelled with sticky notes identifying the US company that had shipped it and the stolen American identity associated with that device. By the time prosecutors filed charges, they had traced $17.1 million in salaries that 309 US companies had paid to North Korean IT workers who had used Chapman’s home as their virtual American address.
By July 2025, Chapman had been sentenced to 102 months in federal prison. Her former co-conspirators have followed. In April 2026, Kejia Wang and Zhenxing Wang — operating a separate but related network in New Jersey — received sentences of 108 and 92 months for placing North Korean IT workers at more than 100 American companies, including Fortune 500 firms. Across all DPRK IT worker prosecutions to date, the Department of Justice has now publicly identified 479 corporate victims. The actual number is almost certainly significantly higher.
The companies on the published victim lists are not the obvious targets. They include a major US television network, an aerospace manufacturer, an American car maker, a Silicon Valley technology firm, a luxury retail chain, a US-based media and entertainment company, and several banks. These are organisations with mature HR functions, in-house counsel, established background screening relationships, and dedicated security teams. They are not, by any normal measure, soft targets. And yet they hired North Korean IT workers, paid them salaries for months or years, and granted them access to internal systems — without realising it.
Understanding how that became possible is the first step in understanding why this story is not, fundamentally, a cybersecurity story or a sanctions story or a counterintelligence story. It is a hiring story. The standard architecture of pre-employment background verification rests on one assumption: that confirming an identity exists, has a clean record, and is associated with a verifiable employment history is sufficient to know who is on the other end of a video call. That architecture has been systematically defeated.
The Scale of What Has Been Built
The DPRK remote IT worker scheme did not begin as a sophisticated operation. It began as an opportunistic response to two converging developments: crushing international sanctions imposed on North Korea in 2016 that cut Pyongyang off from the US financial system, and the rapid global expansion of remote work during the COVID-19 pandemic. The North Korean government, which had spent the previous decade making information technology a national educational priority, found itself with thousands of trained software engineers and no legitimate way to monetise them internationally.
What emerged was an industrial-scale fraud apparatus. According to South Korea’s National Intelligence Service, the headcount in North Korea’s cyber divisions — which includes IT worker infiltrators, cryptocurrency thieves, and military hackers — grew from approximately 6,800 in 2022 to 8,400 in 2024. The IT worker operation is run out of the DPRK’s Department 53. Workers are typically deployed in three- to five-person teams to operational hubs in China, Russia, the United Arab Emirates, Nigeria, and Pakistan, where they manage dozens of fabricated or stolen identities, apply for remote jobs at Western companies, and route their salaries back through a network of intermediaries to Pyongyang.
The financial scale is significant. The US Treasury Department has assessed that DPRK IT worker schemes generated approximately $800 million in 2024 alone. Individual operatives are reported to earn around $300,000 per year. Coordinated teams have generated more than $3 million in single operations. The Wang network in New Jersey produced over $5 million across the companies it infiltrated. The Chapman network in Arizona produced $17.1 million. These are not edge cases; they are the modal pattern.
The cybersecurity firm CrowdStrike reported in 2025 that infiltrations by North Korean threat actors across its enterprise client base increased by 220% in twelve months. The most active DPRK cluster, tracked by industry researchers as “Famous Chollima,” has been observed using artificial intelligence at every stage of the operation — from generating synthetic profile photos, to writing tailored resumes and cover letters, to running real-time deepfake video during interviews. Identity and access management providers tracking these patterns have observed thousands of suspicious interview attempts linked to DPRK tradecraft across more than 5,000 companies globally.
The targeting pattern has also broadened. The earliest cases were concentrated in cryptocurrency firms, decentralised finance projects, and small technology companies — predictable choices given the digital asset exposure and the loose verification practices that often accompanied rapid scaling. The current pattern is different. Healthcare organisations, financial services firms, insurance carriers, and public administration agencies are all now appearing in the case data. The reason is straightforward: the operatives go where the remote IT jobs are, and remote IT jobs are now everywhere.
How Standard BGV Fails Against This Threat
The architecture of pre-employment background verification was designed against an assumed adversary that does not match the DPRK model. The traditional assumption is that a candidate is who they claim to be — a real person with a real history — and the job of BGV is to confirm that history is accurate and clean. Identity verification confirms that a document is authentic and that the person presenting it matches the document’s photo. Criminal record checks confirm that the identity does not have a disqualifying conviction. Employment verification confirms that the named employers acknowledge having employed the candidate. Education verification confirms that claimed credentials are real.
The DPRK operatives have built their operation specifically to satisfy each of these checks. The identities they use are typically not invented — they are stolen from real Americans, in some cases purchased on dark web marketplaces, in some cases obtained through “identity rental” arrangements with willing US-based facilitators. Christina Chapman’s case made this explicit: she helped operatives “verify stolen identities so they could pose as real US citizens.” The Social Security numbers she helped them use belonged to real people. The driver’s licences she helped forge contained the photos of the DPRK operatives but the identifying details of the stolen Americans. When background checks ran, the identity validated, the SSN matched the date of birth, the address history was consistent, and no criminal record appeared — because the actual person whose identity had been stolen had a clean record.
Employment history works the same way. DPRK operatives maintain working LinkedIn profiles for their personas, build out GitHub portfolios with code that may have been written by previous operatives or scraped from open-source projects, and in some cases route past-employment verification calls to fictitious staffing firms staffed by other operatives. The DOJ’s indictment against the Wang network names “Baby Box” and “Cubix” as fictitious technology companies that existed solely to serve as employment references for the operatives running the infiltration scheme.
Video interviews — the part of the hiring process most people instinctively assume cannot be defeated — have become the most vulnerable part of the chain. Palo Alto Networks’ Unit 42 demonstrated in 2025 that it took a researcher with no prior experience just over an hour, using freely available consumer software and a standard laptop, to produce a convincing real-time deepfake suitable for a video interview. CrowdStrike’s investigators have observed DPRK operatives paying premium prices for subscriptions to deepfake services during active hiring operations. Microsoft’s March 2026 report on AI as state-sponsored tradecraft documented operatives using generative AI to script interview responses in real time, translate technical content, and produce convincing audio-visual presence in interviews that would previously have been broken by language or technical inconsistencies.
The KnowBe4 case is the most frequently cited illustration of how this lands in practice. KnowBe4 is a publicly traded cybersecurity company whose business is training other companies to recognise social engineering attacks. In 2024 it hired a remote IT worker who had passed four rounds of video interviews and a pre-employment background check. The discrepancy was caught only after the new hire attempted to load malware onto his corporate workstation in his first week. Internal investigation confirmed he was a North Korean operative using a synthetic identity built on top of stolen US personal data and an AI-modified profile photograph. He had cleared every check the company had built specifically to catch this kind of fraud.
The Operational Architecture
The mechanics of a successful DPRK IT worker placement involve several coordinated elements that no single verification check is well-positioned to catch.
The first is the identity pipeline. DPRK operatives obtain US personal data — Social Security numbers, dates of birth, address histories — through dark web marketplaces, breached datasets, and active identity-rental arrangements with US facilitators. They combine that data with fabricated or AI-generated profile imagery to produce a working synthetic persona. The persona is then validated through low-friction online services — building a credit footprint, opening payment accounts, registering on freelancer platforms — to give it the digital depth necessary to clear background screens.
The second is the application infrastructure. Operatives apply for jobs through standard channels, often through staffing firms and freelancer platforms where verification is lighter than direct hiring. Microsoft researchers documented in 2026 that DPRK actors had been observed making automated queries to Workday recruiting API endpoints — programmatic scans for open roles before any human applied. The operatives maintain hundreds of these personas simultaneously, applying for dozens of positions, optimising for which job descriptions are most likely to be filled remotely with minimal in-person verification.
The third is the interview defeat. The combination of deepfake video, AI-scripted responses, and pre-rehearsed technical material allows operatives to pass even multi-round technical interviews. In documented cases, a single operative has used different synthetic personas to interview for the same position multiple times, increasing the statistical probability of one of the personas being hired. Where in-person presence is required, the operation employs proxy interviewees: people who appear on camera for the interview in place of the person who will actually do the work.
The fourth — and the part most relevant to BGV professionals — is the post-hire concealment infrastructure. Once a DPRK operative is hired, the company ships a laptop to the address on the identity documents. That address belongs to a US-based facilitator who receives the laptop, plugs it into a residential internet connection, and either operates it as a thin client controlled remotely by the operative overseas, or ships it onward to a country adjacent to North Korea where the actual work is performed. The result is that login activity, geolocation signals, IP addresses, and device telemetry all suggest the worker is in the United States, while the actual work is happening in China, Russia, or elsewhere. Christina Chapman’s home contained more than ninety such laptops at the time of the raid. Within the broader operation, US-based facilitators are estimated to operate hundreds of similar farms.
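A triage check for the laptop-farm pattern described above, added here as an example and not code from the article or any vendor. Because IP and geolocation look domestic, it correlates two other signals: several hires' laptops shipping to one address, and devices operated almost entirely through an inbound remote-control session. The record layouts, field names, thresholds and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed onboarding records: (employee_id, laptop ship-to address).
SHIPMENTS = [
    ("E1001", "1420 W. Example Ave, Apt 2, Springfield, AZ 85000"),
    ("E1002", "1420 West Example Avenue #2, Springfield AZ 85000"),
    ("E1003", "77 Sample Road, Riverton, NJ 07000"),
    ("E1004", "1420 w example ave apt 2 springfield az 85000"),
]
# Constructed endpoint telemetry, hypothetical layout:
# (employee_id, minutes under inbound remote control, minutes of local keyboard/mouse input).
SESSIONS = [("E1001", 410, 0), ("E1002", 395, 5), ("E1003", 0, 430), ("E1004", 30, 400)]

ABBREV = {"west": "w", "avenue": "ave", "road": "rd", "street": "st",
          "apt": "unit", "apartment": "unit"}

def normalise(addr):
    """Reduce an address to a comparable key so spelling variants collide."""
    addr = addr.lower().replace("#", " unit ")
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def shared_addresses(shipments, threshold=2):
    """Ship-to addresses that received laptops for `threshold` or more distinct hires."""
    by_addr = defaultdict(set)
    for emp, addr in shipments:
        by_addr[normalise(addr)].add(emp)
    return {a: sorted(e) for a, e in by_addr.items() if len(e) >= threshold}

def remotely_driven(sessions, min_share=0.9):
    """Hires whose device is operated almost entirely through a remote-control session."""
    flagged = []
    for emp, remote_min, local_min in sessions:
        total = remote_min + local_min
        if total and remote_min / total >= min_share:
            flagged.append(emp)
    return sorted(flagged)

def triage(shipments, sessions):
    """Both signals -> escalate; exactly one -> manual review."""
    clustered = {e for ids in shared_addresses(shipments).values() for e in ids}
    remote = set(remotely_driven(sessions))
    return {"escalate": sorted(clustered & remote), "review": sorted(clustered ^ remote)}

if __name__ == "__main__":
    print(shared_addresses(SHIPMENTS))
    print(triage(SHIPMENTS, SESSIONS))
```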
What Has Made This Worse in 2026
Three developments in 2025 and 2026 have made the threat materially harder to defend against than it was even a year ago.
The first is the AI inflection point. Microsoft’s March 2026 threat report described generative AI as a “force multiplier across the entire DPRK operation,” removing the technical and linguistic barriers that had previously been the most reliable detection signals. Resumes that once contained subtle grammatical artefacts now read flawlessly. Cover letters that once felt formulaic now sound authentically idiomatic. Interview answers that once stumbled on cultural references now incorporate them naturally. The signals that experienced recruiters used to develop intuition for have largely been eliminated by the same tools that are now broadly available to legitimate candidates.
The second is AI in real-time interviews. Where deepfake technology in 2024 was still expensive, technically demanding, and prone to visible artefacts, the 2025 and 2026 generation of consumer-grade tools is none of those things. Unit 42’s demonstration of how quickly a credible real-time deepfake can be assembled — about an hour, on a standard laptop, using freely available software — fundamentally changes the assumed difficulty curve. The interview is no longer a reliable identity verification step in itself.
The third is the scope expansion. The early enforcement actions concentrated on cryptocurrency firms, where the asset theft potential was highest. The 2026 case data shows infiltrations into healthcare provider networks, regional banks, insurance carriers, US state government contractors, and aerospace suppliers. Some of those have national security implications because of the data the operatives gained access to. Others have employment law and data privacy implications. All of them suggest that any organisation hiring remote IT roles at scale is now in scope.
The Question Underneath the Question
What the DPRK IT worker scheme exposes — and what makes it more than just another fraud trend — is a structural gap in how the global hiring economy thinks about identity.
Background verification, as it has been practised for the last three decades, operates on the assumption that an identity is a kind of fixed reference point against which other data can be checked. If the identity is real, the criminal record is real, the employment history is real, and the candidate matches the documents, the verification is complete. The DPRK operatives have built their operation on the recognition that an identity is actually three separate things: the documentary record of who a person is, the digital footprint of who they appear to be, and the physical presence of who is actually performing the work. Standard BGV verifies the first two with reasonable rigour. It does not verify the third at all.
Closing that gap is not a matter of running better background checks. It is a matter of redesigning the architecture so that identity is established and maintained across the employment lifecycle — not just at hire — and so that the link between the identity on the documents and the human being doing the work is continuously visible.
That is the work the BGV industry will be doing for the rest of this decade. The DPRK operation is the most visible illustration of why it matters. But the underlying vulnerability — the assumption that a verifiable identity is the same as a verified human — is much broader than North Korea, and it will outlast this particular adversary. Other state actors are already adapting the same techniques. The infrastructure has been built. The methods are documented. The cost of entry is low.
For organisations hiring remote workers in 2026, the question is no longer whether this attack vector is real. It is whether the verification architecture you have today is built for the threat as it actually exists, or for the threat as it existed in 2019. For most companies, the honest answer is the second one. The first step in changing that is recognising the gap.
AMS Inform provides background verification and workforce screening services across 160+ countries. For organisations re-evaluating their remote hire verification architecture in light of the DPRK IT worker threat, speak to our team at AMSinform.com.







