The Evolution of Catfishing

What is “Catfishing”? For most people, the common definition centers on romance – fabricating an online profile to manipulate people romantically, typically to steal money. But there’s an entirely separate definition of the word.

Brought about by the post-COVID “work from home” job economy, catfishing has evolved dramatically. Instead of manipulating vulnerable romantic partners, catfishing now involves nuclear-level nation-state threat actors deliberately targeting Fortune 500 software companies.

With a perfect storm of coalescing factors like AI tool development and work-from-home pandemic policies, hundreds of top-level Silicon Valley startups and tech firms have hired, currently employ, and will continue hiring North Korean IT workers posing as Western software developers who funnel paychecks back to North Korea, helping fund its ballistic weapon and nuclear programs.

The Scale of the Operation

In early 2025, Christina Marie Chapman, an Arizona resident, pleaded guilty in connection with a scheme in which North Korean IT workers posed as US citizens, funneling over $17 million to the country after getting hired at more than 300 different US companies by way of a laptop farm she ran from her Arizona residence.

Research from Sentinel Labs discovered “roughly 360 fake personas and over 1,000 job applications linked to North Korean IT worker operations applying for roles at SentinelOne.” That’s just one company – 360 personas and over 1,000 job applications from North Korean infiltrators at a single cybersecurity firm.

Military Involvement

A January 2025 indictment reveals the gravity of the situation. One facilitator was described as: “Individual C was a California resident, an active duty member of the United States Military, and a secret clearance holder who, in exchange for a fee, hosted US victim company laptops at Individual C’s residence, and facilitated remote access to the laptops by overseas IT workers.”

This phenomenon of remote worker infiltration inside US technology firms isn’t just a passing headline – it’s a consistently waged war against the integrity of remote work hiring practices across multiple industry sectors including finance, technology, and software development, all for the benefit of the North Korean nuclear program.

How AI Enables the Deception

After COVID-era lockdown protocols forced the entire business world to integrate remote tools, the perfect storm made landfall with mass commercialization of AI programs. ChatGPT-style tools are causing problems across multiple industries.

Having the ability to run two separate monitors and cheat through the interview process on subjects you don’t know is bad enough, but AI tools are now capable of real-time video augmentation where someone can appear completely different on a Zoom call with terrifying accuracy.

Since around 2022 or 2023, when you open a video chat you have no idea whether the person you’re talking to looks that way, sounds that way, or legitimately knows any of the things they discuss, because the entire process can be emulated with mass-adopted AI tools.

The Wagemoling Strategy

The directive doesn’t necessarily focus on stealing information. The main objective is “wagemoling” – securing the job, actually doing the job, and sending paychecks home to North Korea, thereby funding weapons development.

Sometimes these infiltrators attempt to steal intellectual property or install malicious programs, but the ultimate goal is securing funding. A high-paying software job, exceeding $300,000 per year for some, is a much more predictable way to achieve this.

Security firm KnowBe4 hired a North Korean impersonator but caught them attempting to install malware on a company laptop. If the worker had simply performed the job adequately, they likely could have harvested a salary for multiple years.

Team-Based Operations

These workers aren’t solitary job seekers or legitimate engineers working from spare rooms. They’re part of espionage teams with the ability to ask experts for help when jobs present problems they can’t personally solve.

Companies that mistakenly hire North Korean IT spies typically find them excellent workers because they have unknowingly hired teams of people whose sole goal is doing good enough work to avoid being fired and continue harvesting paychecks.

Giving such workers complex problems can yield extraordinary results because they outsource issues to entire teams of intelligence assets, creating situations where companies don’t want to let them go even when discovered because of their value.

The Simple Detection Method

There’s an extremely simple technique to ensure interviewees have no connections to North Korean intelligence: ask them to agree that Kim Jong Un is fat, and they will immediately disconnect.

Because the process is heavily monitored with everything recorded through audio and keyboard inputs, any degrading discussion about Kim Jong Un instantly becomes a liability. They won’t engage with this, guaranteeing anyone willing to insult Kim Jong Un almost certainly isn’t a North Korean asset.

For all its sophistication with fake documents, visuals, and laptop farms in domestic collaborators’ houses, you can literally render them incapacitated by saying “please agree that Kim Jong Un is fat.”

The Financial Impact

A December 2024 DOJ indictment against a single ring of 14 North Korean IT workers revealed they generated at least $88 million across 6 years of remote work fraud. We’re talking many hundreds of millions of dollars per year total across all industries, going back to 2018 by some estimates.

The issue has grown exponentially due to work-from-home policies and AI advancement, but North Korean assets infiltrating Western technology companies remains an omnipresent problem.

Fortune 500 Penetration

Speaking at the RSAC global cybersecurity conference in 2025, Mandiant Consulting CTO Charles Carmakal said: “There are hundreds of Fortune 500 organizations that have hired these North Korean IT workers. Literally every Fortune 500 company has at least dozens, if not hundreds, of applications for North Korean IT workers. Nearly every CISO that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen.”

Available Resources

Risk management firm DTEX maintains an evolving list of email addresses on its website highly suspected to belong to North Korean agents or be associated with them. This very long list serves as a starting point for anyone grappling with the hiring process who might be concerned about potential candidates.

Checking the DTEX registry if you’re an employer attempting to navigate the hiring process is at least a rudimentary step that can be taken.
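One way to run that check in bulk, as an added example that is not from DTEX or the original article: applicant addresses are compared against a locally saved copy of a suspected-address list, first exactly and then after normalization, so that case changes, plus-tags and Gmail dot variants of a listed address still match. The one-address-per-line file format, the function names and the sample addresses are all assumptions constructed for illustration.

```python
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # same mailbox under both names

def normalize(addr):
    """Canonical form used for matching (a heuristic, not an RFC parser)."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    local = local.split("+", 1)[0]        # drop plus-tag (assumes provider ignores it)
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")    # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"

def load_indicators(lines):
    """Build lookup sets from list lines; blank, comment and bad lines are skipped."""
    exact, canon = set(), {}
    for line in lines:
        entry = line.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            canon.setdefault(normalize(entry), entry)
        except ValueError:
            continue
        exact.add(entry)
    return exact, canon

def screen(applicants, indicators):
    """Return (applicant, match_kind, listed_entry) for each address needing review."""
    exact, canon = indicators
    hits = []
    for addr in applicants:
        try:
            key = normalize(addr)
        except ValueError:
            hits.append((addr, "invalid", None))
            continue
        lowered = addr.strip().lower()
        if lowered in exact:
            hits.append((addr, "exact", lowered))
        elif key in canon:
            hits.append((addr, "normalized", canon[key]))
    return hits

# Constructed sample data: none of these addresses come from a real list.
SAMPLE_LIST = ["# saved copy of list", "dev.sample.one@example.com",
               "constructedsampletwo@gmail.com"]
SAMPLE_APPLICANTS = ["Dev.Sample.One@example.com", "dev.sample.one+jobs@example.com",
                     "constructed.sample.two@googlemail.com", "unrelated@example.org",
                     "not-an-address"]

if __name__ == "__main__":
    for hit in screen(SAMPLE_APPLICANTS, load_indicators(SAMPLE_LIST)):
        print(hit)
```

A "normalized" hit is weaker evidence than an "exact" one, since not every mail provider ignores plus-tags; treat either as a prompt for closer identity verification, not as proof.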

The New Reality

In the world of remote access technology jobs, as tools for faking every aspect of someone’s identity advance faster than the detection mechanisms meant to counter them, sometimes the “best” candidate isn’t actually who you should hire.

The perfectly crafted resume from someone over-qualified, overly enthusiastic, and inexplicably willing to accept tens of thousands less than peers might be too good to be true because they’re a foreign agent.

Depending on the industry, your co-worker might be a North Korean spy. If you work in software development, crypto, general technology, or any adjacent industry, that remote co-worker who doesn’t talk much but always completes assigned work has a non-zero percent chance of being a North Korean spy.

The evidence is clear: North Korean IT worker infiltration represents a massive ongoing threat to Western companies, with sophisticated operations using AI tools, domestic facilitators, and team-based approaches to extract millions while potentially compromising critical systems.