The North Korean on your payroll
In September 2025, Okta Threat Intelligence published research from a large-scale analysis into fraudulent employment schemes conducted by Democratic People’s Republic of Korea (DPRK) IT Workers (ITW).
That research collated data from over 130 actors who conducted over 6500 interviews with 500 companies.
In this post, we look specifically at the activities of two individual personas. We selected these two examples from a large list of actors that we continue to track because they exemplify the typical tools, techniques and procedures (TTPs) employed by DPRK ITW actors. Additionally, each had novel observables that can further inform defenders against these efforts.
These two actors reveal two interesting TTPs DPRK actors use to land employment: the abuse of legitimate LinkedIn profiles to pass reference checks, and the abuse of stolen identities.
#1 - Meet “JJ”
We’ll refer to the first of the two actors we detail as “JJ”. This actor has prolifically interviewed for roles in multiple …