Exposing a Fraudulent DPRK Candidate
Contents
Research
Exposing a Fraudulent DPRK Candidate: How Nisos Identified a Suspected North Korean Operative
Executive Summary
Since early 2023, Nisos has provided our clients with critical insights and conducted OSINT (Open-Source Intelligence) pre-employment and insider risk investigations to mitigate the threat of North Korean (DPRK) IT worker employment schemes. In June 2025, we used a combination of pre-employment OSINT due diligence and targeted interview questions to expose a suspected DPRK operative, who applied for a remote Artificial Intelligence (AI) architect role at Nisos. The operative unsuccessfully used stolen personally identifiable information (PII), a newly created email, and an AI-created resume to pose as a Florida-based lead AI architect and senior full stack developer. Nisos subsequently identified an employment fraud network involving the IT worker, which included a laptop farm located in Florida. Our investigation of the laptop farm identified that DPRK IT workers leverage Raspberry Pi-based KVM (Keyboard-Video-Mouse) devices to remotely access desktops …
Exposing a Fraudulent DPRK Candidate: How Nisos Identified a Suspected North Korean Operative
Executive Summary
Since early 2023, Nisos has provided our clients with critical insights and conducted OSINT (Open-Source Intelligence) pre-employment and insider risk investigations to mitigate the threat of North Korean (DPRK) IT worker employment schemes. In June 2025, we used a combination of pre-employment OSINT due diligence and targeted interview questions to expose a suspected DPRK operative, who applied for a remote Artificial Intelligence (AI) architect role at Nisos. The operative unsuccessfully used stolen personally identifiable information (PII), a newly created email, and an AI-created resume to pose as a Florida-based lead AI architect and senior full stack developer. Nisos subsequently identified an employment fraud network involving the IT worker, which included a laptop farm located in Florida. Our investigation of the laptop farm identified that DPRK IT workers leverage Raspberry Pi-based KVM (Keyboard-Video-Mouse) devices to remotely access desktops …
IoC
167.88.61.250
167.88.61.117
167.88.61.117