North Korea's Fake IT Workers Stealing Business Data

How small businesses hiring remote contractors are funding weapons programs

The U.S. Treasury sanctioned six people and two companies on March 18. The scheme: North Korean fake IT workers pose as American contractors, get hired, collect paychecks, and send the money back to fund weapons programs. Some steal company data while they're at it.

What you'll learn

What the North Korean fake IT workers scheme is
Why small businesses are targets
How they pass background checks
U.S. Treasury sanctions details
Three ways to verify remote contractors

The scheme

According to the U.S. Treasury, North Korean fake IT workers:

Use stolen American identities to apply for remote IT jobs

Pass video interviews with coaching and sometimes deep-fake technology

Collect paychecks funneled back to North Korea's weapons programs

Steal company data, customer information, intellectual property

Create legal liability for businesses that unknowingly hire them

If a business hired a North Korean fake IT worker, the business is liable. And if they copied customer databases or financial records, that data is sitting in Pyongyang. Can't undo that.

Why small businesses

Cost pressure

Small businesses hire remote contractors because they're cheaper. That's the opening. North Korean fake IT workers underbid American contractors and still profit after sending money to Pyongyang.

Minimal background checks

Large corporations have extensive vetting. Small businesses? Often just a video interview and checking LinkedIn. North Korean fake IT workers show up with fake profiles, stolen identities, enough coaching to pass.

Access to everything

IT contractors get access to customer databases, financial systems, proprietary processes. By the time businesses realize they hired North Korean fake IT workers, those operatives have had months of unrestricted access.

How they operate

The U.S. Treasury's March 18 announcement:

Identity theft: They steal American identities complete with Social Security numbers, addresses, work histories. Create LinkedIn profiles, GitHub accounts, portfolios.

Application: They apply for remote IT positions. Resumes look perfect. Rates are competitive. English is good (sometimes using AI translation).

The interview: They pass video interviews using coaching, deep-fake video, time zone manipulation, rehearsed answers.

The work (and theft): They do the job adequately while collecting paychecks sent to North Korea, copying customer databases, stealing proprietary information, installing backdoors.

Discovery (too late): Businesses realize something's wrong months later. By then, North Korean fake IT workers have moved on. The stolen data is already being exploited.

The Treasury warns: businesses who hire North Korean fake IT workers—even unknowingly—may face legal consequences for providing support to a sanctioned regime.

What job boards won't tell you

The same platforms that make it easy to hire remote contractors make it easy for North Korean fake IT workers to apply. Upwork, Fiverr, LinkedIn. All useful tools. All exploitable. The Treasury estimates thousands of these operatives are currently employed by American companies.

Protect business email

While vetting contractors, protect the email accounts North Korean fake IT workers use to communicate and gather intelligence.

Forward suspicious emails—especially from new contractors or job applicants—to [email protected] for instant analysis.

Easier to catch them in the application phase than clean up after months of data theft.

Three ways to verify contractors

1

Verify identity and address

If you hired remote IT help recently, verify them. Check LinkedIn connections (do they connect to real people?). Call previous employers. Verify physical addresses. If anything feels off, end the contract and audit what they accessed.

Red flags: Vague about location, reluctant to provide references, unusually low rates, requests payment to foreign accounts.

2

Audit contractor access

Review what remote contractors can access. Do they really need customer databases? Financial records? If you hired contractors in the last year, audit their system access logs. North Korean fake IT workers often request more access than their job requires.

Least privilege: Contractors should only access what they need for their job. No more.

3

Screen suspicious communications

North Korean fake IT workers use sophisticated social engineering. Forward suspicious contractor emails or job applications to [email protected] if anything feels off.

Trust your instincts: If something feels wrong, there's probably a reason. Verify thoroughly.

Bottom line
The U.S. Treasury sanctioned individuals and companies supporting North Korean fake IT workers on March 18, 2026. These operatives pose as American contractors, steal paychecks to fund weapons programs, steal business data. Verify identities. Audit contractor access. Watch for red flags. Legal liability falls on businesses that unknowingly hire them.

#NorthKoreaFakeITWorkers #RemoteContractorSecurity #SmallBusinessSecurity #ITContractorVetting #BusinessSecurity2026 #DataProtection

Get weekly security updates

Don't wait for the next infiltration. Join thousands who get the free weekly Insider Notes Newsletter.

Sign up free at CraigPeterson.com

No spam. No jargon. Real protection.

Verify before trusting.

North Korea's Fake IT Workers Stealing Business Data