The U.S. State Department in collaboration with Japan, South Korea, and private cybersecurity partners met in Tokyo, last week, to draw plans for combating North Korea’s side hustle of infiltrating companies through fake IT workers – popularly known as their “IT work fraud scheme.” The coalition will take on the DPRK’s expanding cyber-fraud pipeline, which has already funneled millions of dollars into Pyongyang’s weapons program.
At the Tokyo forum, diplomats and tech leaders from the three nations met with platforms, freelance job sites, crypto services, and AI firms to strategize countermeasures against a network that had masked North Korean nationals as skilled freelancers. The initiative aims to protect businesses and curtail a major revenue stream for the DPRK’s illicit weapons programs.
Deception Fuels Regime Revenue
North Korea’s fraud began as a covert job recruitment pipeline. The cybercriminal ring, as reported earlier, conned U.S. companies into hiring North Korean IT workers using forged or stolen identities. They set up “laptop farms” in the U.S., operated by intermediaries like an Arizona-based woman, to make it appear that work was performed from U.S. soil. The scheme generated at least $6.8 million between 2020 and 2023. These funds were channeled through Chinese banks and used to subsidize the regime’s weapons development.
Read: US Charged North Korean Job Fraud Nexus Amassing Funds for Nuclear Program
In some cases, as noted in a follow-up report, the scheme ensnared hundreds of U.S. firms and relied on over 300 stolen identities. These identities served as a cover, enabling North Koreans to penetrate networks with high-value credentials, all while evading sanctions.
Security awareness firm KnowBe4 also fell victim to one such instance. A North Korean “employee” slipped into its AI engineering stream using an AI-enhanced, stolen U.S. identity. The moment their laptop began loading malware, internal tools alerted the SOC, halting the breach. A tell-tale of how even security firms can fall prey.
Read: KnowBe4 Uncovers Fake Employee: How a North Korean Hacker Was Hired into the Team
Building Collective Defense
The Tokyo forum brought together over 130 stakeholders including government agencies, freelance platforms, payment services, cryptocurrency exchanges, and AI startups. Representatives shared intelligence and best practices to identify, block and prevent fraudulent North Korean IT employment — especially where infiltration can lead to access to sensitive data, reputational damage, or future cyberattacks.
“North Korean state-directed IT workers generate revenue for North Korea’s weapons of mass destruction (WMD) and ballistic missile programs, violating U.S. sanctions and multiple UN Security Council resolutions. Engaging with these workers exposes companies to theft of sensitive data and assets, reputational harm and legal consequences, as well as increased risk of targeting by malicious North Korean cyber actors.” – U.S. Department of State
Japan, South Korea, and the U.S. have coordinated against the threat since 2022. The initiative now extends its reach, including crypto and fintech platforms — sectors where North Korea has previously harvested hundreds of millions of dollars in ill-gotten gains from entities like DMM Bitcoin, Upbit, and WazirX.
Read: Indian Crypto Exchange WazirX Faces Uncertain Future After Cyberattack
Mandiant will play a leading role in the operational effort. Its responsibilities include helping governments analyze the behaviors of fraudulent IT worker networks and enabling providers to implement intelligent red flags and detection rules. Though not disclosed publicly, these likely span AI-based identity vetting, anomalies in IP usage, credential-sharing patterns, and cross-border payment flows.
This initiative represents a turning of the tide. North Korea’s job fraud scheme — once low-profile and opportunistic — has evolved into a refined mechanism for sanctions evasion and regime funding.
Even companies that believed they were operating above suspicion have been targeted — as evidenced by KnowBe4’s compromise. That’s why the Tokyo forum’s multi-industry scope is essential. Platforms facilitating remote hiring, financial transactions, or identity validation all have a role to play.
