North Korea is rapidly expanding its illicit IT worker scheme beyond the U.S. tech sector, successfully obtaining interviews and potentially employment at companies in dozens of industries across the world.

Cybersecurity giant Okta published a report on Tuesday outlining its continuing research into the IT worker campaign, which has seen North Korea illegally place thousands of its citizens in high-paying roles at U.S. companies to circumvent sanctions and earn millions of dollars for Pyongyang’s military.

Using fake IDs or stolen documents, North Korea initially focused on getting its citizens hired at cryptocurrency companies and other blockchain-related firms. Before long, most Fortune 500 companies had interviewed or hired a North Korean IT worker.

Okta said their new research into the scheme revealed that North Korea has honed its skills on U.S.-based companies and has expanded into dozens of different countries and industries.

The findings suggest North Korea is evolving its campaign to include effectively any remote roles that fall within the general scope of their scheme. As long as the application, interview process and work can be done remotely, North Korean workers will attempt to apply for it, Okta researchers claimed.

The impacted industries now include finance, healthcare, government and professional services — with the information and technology sector only accounting for about half of the targeted entities. Organizations outside of the U.S. now represent about 27% of all targeted entities.

Okta used internal and external sources to track more than 130 identities operated by North Korean facilitators and workers. These identities were linked to over 6,500 initial job interviews across more than 5,000 distinct companies up until mid-2025.

Okta declined to provide more information about how they compiled their findings because they want to avoid tipping off North Korean threat actors about how they gained visibility into their campaign.
But the company said it validated its findings with other cybersecurity firms, law enforcement agencies and companies that had been targeted. The 130 fake identities tracked by Okta is likely a very small sample of the overall campaign, the company said.

North Korean IT worker units “appear to be learning from earlier missteps and are targeting a greater number of industries in a greater number of countries.”

“Targeted entities in those countries now face a mature, experienced threat that has achieved the necessary success to have been granted a level of ‘creative freedom’ over targeted verticals and the tools, techniques, and procedures they use to gain employment,” Okta’s Threat Intelligence team said.

They added that the increased awareness of the threat in the U.S. may have put pressure on North Korea to increasingly target roles in other countries and industries.

AI, finance and healthcare

Most North Korean IT workers are still seeking out remote software engineering positions but Okta found evidence of an increasing number of threat actors applying for remote finance positions at payments processors.

Okta also tracked a “marked” increase in attempts to gain employment at artificial intelligence companies or AI-focused roles.

In the healthcare and medical technology industry, Okta saw a “sustained number” of job interviews focusing on mobile application development, customer service systems and electronic record-keeping platforms — potentially endangering patient information and health data.

“Healthcare organizations may be under-resourced in insider-threat detection to counter fraudulent employment attempts, relying on traditional recruitment processes that may not catch sophisticated impostors,” Okta explained.

Okta also reported an increase of attempts to secure positions within government, finding evidence of multiple interviews with U.S. state and federal government departments between 2023 and 2025 as well as other attempts to get hired within Middle Eastern and Australian government entities.

Recorded Future News previously reported on at least one instance where a North Korean IT worker was hired as part of a U.S. political campaign in Oregon. Okta said it is unable to confirm whether any of the U.S. government interviews resulted in employment.

10% progressed

Okta’s research also indicates a substantial shift to companies outside of the U.S., with most targeting organizations in the U.K., Canada and Germany.

The researchers said years of sustained activity against U.S. companies has allowed North Korea to refine its infiltration methods, allowing them to enter new markets “with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”

But Okta’s sample of data showed that at most, about 10% of the candidates progressed to follow-up interviews.

Significant law enforcement efforts coordinated by the U.S. have likely disrupted key revenue generators for North Korea, prompting them to shift tactics and move to industries or countries that do not have experience with the campaign.

Okta also warned that North Korean threat actors will “increasingly look to ransomware, data theft and extortion tactics as they are pressured to maintain historical levels of revenue generation.”

“Okta’s findings reveal that the DPRK’s IT Worker operation is not a niche threat confined to large technology companies. It’s a widespread, long-term campaign targeting organizations across almost every vertical,” the company said.

“This means any organization offering remote or hybrid roles — especially in software development, IT services, or other knowledge-worker disciplines — is a potential target.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.