North Korea’s widespread IT worker scam that has haunted IT and cryptocurrency companies in the United States is now going global and expanding the range of industries it’s targeting, according to threat intelligence researchers with Okta.
The Okta researchers said in a report this week that after ingesting data from internal and external sources and tracking more than 130 identities used in the schemes, they found that only half of the targets were in the tech sector. Other industries affected by the scam worker operations now include healthcare, finance, public administration, and professional services.
In addition, 27% of the organizations targeted are not in the United States but in other countries, including Great Britain, Germany, Canada, India, and Australia.
“Okta’s findings reveal that the DPRK’s [Democratic People’s Republic of Korea’s] IT Worker operation is not a niche threat confined to large technology companies,” wrote Simon Conant, Okta’s director of threat intelligence, and Alex Tilley, global threat research coordinator. “It’s a widespread, long-term campaign targeting organizations across almost every vertical. This means any organization offering remote or hybrid roles – especially in software development, IT services, or other knowledge-worker disciplines – is a potential target.”
The rapid expansion and sophistication of the scheme “demonstrate that traditional recruitment processes alone are insufficient to prevent infiltration,” Conant and Tilley added.
North Korea’s intelligence organizations, using fake and stolen credentials, false application material like cover letters and work histories, and, more recently, AI tools like video and voice deepfakes, have worked to place their agents in companies that were advertising for remote IT workers. A key goal is to generate money that can be funneled back to the regime to bypass international sanctions and help pay for its massive weapons programs.
That said, there are also growing numbers of reports that the fraudulent workers are stealing data, extorting companies, and running ransomware operations, the Okta researchers wrote.
“The access afforded by placing DPRK-linked personnel inside Western organizations provides a significant intelligence and disruption capability should the DPRK regime decide to use it,” they wrote. “The potential for broader access and technical collection built through this long-running operation should be of concern to governments and organizations across most sectors of the economy.”
Conant and Tilley described a maturing operation that has learned from past missteps and been successful enough to now have creative freedom over the tools, techniques, and procedures it uses, as well as the industries it targets.
“It’s possible that increased awareness of this threat – as well as government and private sector collaborative efforts to identify and disrupt their operations – may be an additional driver for them to increasingly target roles outside of the US and IT industries,” the researchers wrote.
U.S. law enforcement has been more aggressive in its approach to the scam, indicting suspects, identifying others, seizing domains, and shutting down “laptop farms” operating in the United States that help the North Korean operatives with their schemes. The U.S. Justice Department has noted a United Nations report that estimated there are 3,000 North Korean IT workers abroad and another 1,000 inside North Korea, with the schemes generating $250 million to $600 million for the country every year.
That will likely grow as North Korea’s operation goes global and expands its scope. While the scammers still mostly look for remote software development positions, they are also now applying for other positions in finance – including in payments processing – and engineering.
“This suggests that remote roles of any description are in scope for the scheme,” the researchers wrote. “So long as the application, interview process, and the work itself can be performed remotely, the DPRK will attempt to use the opportunity to collect financial payment.”
The expansion into other jobs could be linked to the industries that advertise the most remote software positions, or to industries that interest North Korea for reasons beyond generating money.
Along with moving into other industries and positions, there is also a trend since 2023 of fake workers targeting the AI industry, both AI companies themselves and businesses looking to incorporate the emerging technology in their processes.
The skills developed by the scammers in their operations in the United States over the years may be a problem for other countries that haven’t had to deal with them until now.
“Years of sustained activity against a broad range of US industries have allowed DPRK-aligned facilitators and workers to refine their infiltration methods,” Conant and Tilley wrote. “Consequently, they are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”
They added that “new markets that may view the ITW scheme as a ‘US big tech problem’ are less likely to have invested time and effort in maturing their insider-threat programs. The educational, technical, and managerial aspects of such a program require some time and effort to become effective.”
The schemes have been successful enough to bring tens of millions of dollars into the regime’s coffers and to be given greater autonomy, resulting in greater variation in tactics. That said, greater awareness and disruption of their operations may be eating into the revenue stream, which may lead to a ramping up of espionage and ransomware initiatives.
The Okta researchers wrote that organizations need to strengthen their applicant ID verification efforts, tighten recruitment and screening processes, use role-based and segregated access controls, and monitor contractors and third-party service providers.
In addition, they should run insider threat programs, work with peers and law enforcement, and run risk assessment and red team exercises.