Exposing DPRK Employment Fraud Operations
Contents
Research
People, Process, Personas: Nisos Exposes the Human Risk in DPRK Employment Fraud Schemes
Executive Summary
Nisos assesses with high confidence that a Democratic People’s Republic of Korea (DPRK) state-sponsored cell conducted industrial-scale employment fraud against US companies, submitting more than 170,000 job applications that yielded 76 employment offers across 22 operatives between December 2024 and September 2025, utilizing appropriated identities, AI-driven interview assistance, and US-based facilitators to infiltrate UScompanies primarily in the technology sector. The cell—which Nisos identified and has tracked since mid-2025—possesses the same technical indicators, operational patterns, and tactics that align with documented North Korean employment fraud campaigns designed to generate income for the regime. [1]
- Some operatives likely operated from Taraksan, North Korea and other international locations.
- Technical analysis revealed tactics, techniques, and procedures (TTPs) consistent with known DPRK tactics, including use of Astrill VPN, PiKVM devices for remote access, and cryptocurrency payments.
- The cell focused on revenue generation …
People, Process, Personas: Nisos Exposes the Human Risk in DPRK Employment Fraud Schemes
Executive Summary
Nisos assesses with high confidence that a Democratic People’s Republic of Korea (DPRK) state-sponsored cell conducted industrial-scale employment fraud against US companies, submitting more than 170,000 job applications that yielded 76 employment offers across 22 operatives between December 2024 and September 2025, utilizing appropriated identities, AI-driven interview assistance, and US-based facilitators to infiltrate UScompanies primarily in the technology sector. The cell—which Nisos identified and has tracked since mid-2025—possesses the same technical indicators, operational patterns, and tactics that align with documented North Korean employment fraud campaigns designed to generate income for the regime. [1]
- Some operatives likely operated from Taraksan, North Korea and other international locations.
- Technical analysis revealed tactics, techniques, and procedures (TTPs) consistent with known DPRK tactics, including use of Astrill VPN, PiKVM devices for remote access, and cryptocurrency payments.
- The cell focused on revenue generation …
IoC
https://www.nisos.com
http://www.ssn-verify.com
http://www.sss.gov/verify
167.88.61.117
167.88.61.250
http://www.ssn-verify.com
http://www.sss.gov/verify
167.88.61.117
167.88.61.250