North Korea IT worker scheme swells beyond US companies | CyberScoop<\/title> <meta name=\"description\" content=\"Okta Threat Intelligence uncovered a large-scale and sustained operation, reflecting the North Korean regime\u2019s pursuit of any opportunity that allows for remote employment.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/north-korea-it-worker-global-scheme-okta\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"North Korea IT worker scheme swells beyond US companies\"> <meta property=\"og:description\" content=\"Okta Threat Intelligence uncovered a large-scale and sustained operation, reflecting the North Korean regime\u2019s pursuit of any opportunity that allows for remote employment.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/north-korea-it-worker-global-scheme-okta\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-02T14:26:07+00:00\"> <meta property=\"article:modified_time\" content=\"2025-10-02T14:26:10+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1260\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1758741382g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86212\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86212\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-it-worker-global-scheme-okta%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-it-worker-global-scheme-okta%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86212 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/north-korea-it-worker-global-scheme-okta\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.165454545455\">\n<div class=\"single-article__header-content\" readability=\"35.509478672986\">\n<p> Okta Threat Intelligence uncovered a large-scale and sustained operation, reflecting the North Korean regime\u2019s pursuit of any opportunity that allows for remote employment. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86212\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"420\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies.jpg?resize=640%2C420&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=300,197 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=768,504 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=1024,672 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=1536,1008 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=600,394 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=256,168 256w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=514,337 514w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=1029,675 1029w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-2.jpg?resize=1285,843 1285w\" sizes=\"(max-width: 1029px) 100vw, 1029px\"><figcaption> The North Korean flag files over the North Korean embassy in Beijing, 18 July 2007. (Photo by PETER PARKS\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"42.980019029496\"><body readability=\"87.844197998377\"><\/p>\n<p>North Korean nationals who conceal their identities to infiltrate businesses as employees or contractors continue to expand their presence beyond technology companies and America\u2019s borders. <\/p>\n<p>Nearly every industry has been duped into hiring North Koreans in violation of sanctions, as <a href=\"https:\/\/www.okta.com\/newsroom\/articles\/north-korea-s-it-workers-expand-beyond-us-big-tech\/\">technology companies represent only half<\/a> of all targeted victims, threat researchers at Okta said in a report this week.<\/p>\n<p>Okta Threat Intelligence found evidence confirming North Korean nationals have targeted and sought roles at any organization recruiting remote talent. The North Korean regime will pursue any opportunity to collect and launder payment if the application, interview process and work can be performed remotely, researchers said. <\/p>\n<p>North Koreans are no longer limiting themselves to IT and software engineering positions. According to Okta\u2019s research, more North Koreans are now applying for remote finance positions, such as payments processors, and engineering roles.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While technology firms attract the highest volume of applications and job interviews, other verticals including finance and insurance, health care, manufacturing, public administration and professional services appeared often in Okta\u2019s analysis. <\/p>\n<p>Researchers based the study on more than 130 identities used by facilitators and workers participating in the scheme, and linked those personas to more than 6,500 job interviews spread across about 5,000 companies over a four-year period through mid-2025.<\/p>\n<p>Okta acknowledges this only reflects a small sample of North Korea\u2019s scheme, but said it highlights the extent to which IT worker units are targeting more industries in more countries. <\/p>\n<p>\u201cIt\u2019s possible that increased awareness of this threat \u2014 as well as government and private sector collaborative efforts to identify and disrupt their operations \u2014 may be an additional driver for them to increasingly target roles outside of the US and IT industries,\u201d Okta threat researchers said in the report.<\/p>\n<p>Indeed, threat intelligence firms and officials have consistently warned about the growing pervasiveness of North Korea\u2019s scheme. In April, Mandiant said <a href=\"https:\/\/cyberscoop.com\/north-korea-workers-infiltrate-fortune-500\/\">hundreds of Fortune 500 organizations<\/a> have unwittingly hired North Korean IT workers. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>CrowdStrike, in August, said it observed a <a href=\"https:\/\/cyberscoop.com\/crowdstrike-north-korean-operatives\/\">220% year-over-year increase<\/a> in North Korean IT worker activity, amounting to 320 incident response cases in the past year. The Justice and Treasury Departments have <a href=\"https:\/\/cyberscoop.com\/doj-seizure-crypto-north-korea-it-workers\/\">seized cryptocurrency<\/a>, issued <a href=\"https:\/\/cyberscoop.com\/doj-indicts-five-in-north-korean-fake-it-worker-scheme\/\">indictments<\/a> and <a href=\"https:\/\/cyberscoop.com\/treasury-department-sanctions-north-korea-worker-scheme\/\">sanctioned people and entities<\/a> allegedly involved in the yearslong scheme.<\/p>\n<p>Okta analysis revealed a global expansion of the North Korea IT worker operation, with 27% of targeted roles based outside of the United States. Researchers observed North Korean operatives targeting roles in the United Kingdom, Canada and Germany, with each country accounting for about 150 to 250 roles. <\/p>\n<p>Other top targeted countries include India, Australia, Singapore, Switzerland, Japan, France and Poland.<\/p>\n<p>Okta cautioned that non-U.S.-based companies are likely less skilled and concerned with finding North Korean job applicants because the scheme was largely viewed as a U.S. technology industry problem. This creates an elevated problem in newly targeted countries, researchers said. <\/p>\n<p>\u201cYears of sustained activity against a broad range of U.S. industries have allowed Democratic People\u2019s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,\u201d Okta said in the report. \u201cConsequently, they are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5306324110672\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korea-it-worker-scheme-swells-beyond-us-companies-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/north-korea-it-worker-global-scheme-okta\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korea IT worker scheme swells beyond US companies |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,338,2947,302,2064,647,2911,614,256,288,509],"tags":[86,341,2949,306,2065,240,2913,619,262,294,511],"class_list":["post-8045","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-department-of-justice-doj","category-fake-it-workers","category-geopolitics","category-it-workers","category-north-korea","category-north-korean-it-workers","category-okta","category-research","category-threats","category-treasury-department","tag-cybersecurity","tag-department-of-justice-doj","tag-fake-it-workers","tag-geopolitics","tag-it-workers","tag-north-korea","tag-north-korean-it-workers","tag-okta","tag-research","tag-threats","tag-treasury-department"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-justice-doj\/\" rel=\"category tag\">Department of Justice (DOJ)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fake-it-workers\/\" rel=\"category tag\">fake IT workers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/it-workers\/\" rel=\"category tag\">IT workers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korean-it-workers\/\" rel=\"category tag\">North Korean IT workers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/okta\/\" rel=\"category tag\">okta<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/treasury-department\/\" rel=\"category tag\">Treasury Department<\/a>","tag_info":"Treasury Department","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8045","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8045"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8045\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8045"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8045,"date":"2025-10-02T09:26:07","date_gmt":"2025-10-02T14:26:07","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86212"},"modified":"2025-10-02T09:26:07","modified_gmt":"2025-10-02T14:26:07","slug":"north-korea-it-worker-scheme-swells-beyond-us-companies","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/02\/north-korea-it-worker-scheme-swells-beyond-us-companies\/","title":{"rendered":"North Korea IT worker scheme swells beyond US companies"},"content":{"rendered":"