Inside the North Korean Infiltrator Threat
Source: Flare + IBM X-Force
Executive Summary
A joint investigation by Flare and IBM X-Force has exposed one of the most sophisticated state-sponsored employment fraud operations in history. Thousands of North Korean IT workers - operating under fabricated identities - have successfully infiltrated companies across the United States, Europe, and Asia. These operatives earn salaries that are funneled directly to the DPRK regime, generating revenue estimated at hundreds of millions of dollars annually for Pyongyang’s weapons programs.
This is not a hypothetical risk. It is an active, scaled operation with dedicated infrastructure, management layers, and support networks already embedded in Western labor markets.
Key Findings
Internal Management Platforms
The research uncovered purpose-built internal platforms - referred to as “RB Site” and similar codenames - used by North Korean handlers to manage their network of placed operatives. These platforms track job placements, coordinate work output, and manage the flow of earnings back to the DPRK. The existence of such platforms indicates a level of operational maturity that goes far beyond opportunistic fraud.
Western Collaborators and Facilitator Networks
North Korean operatives do not act alone. The Flare and IBM X-Force investigation identified a network of Western collaborators - so-called “facilitators” - who provide US-based addresses, receive company-issued laptops, and maintain the physical infrastructure that allows remote DPRK workers to appear as legitimate domestic employees. These facilitators are recruited through LinkedIn, GitHub, and freelancing platforms, often without understanding the full scope of what they are enabling.
Daily Operations and Tradecraft
DPRK IT workers maintain convincing online personas, complete with fabricated employment histories, professional headshots (often AI-generated), and active GitHub contribution graphs. They participate in technical interviews using a combination of real skill, coaching from handlers, and in some cases, real-time assistance from teammates during remote interviews. Once placed, they perform legitimate work - often competently - while their earnings are systematically extracted.
Impact on Hiring
The implications for any company conducting remote interviews are significant. Traditional hiring processes - resume screening, video interviews, reference checks - were designed for a world where candidates are who they claim to be. The DPRK operation exploits every assumption in that chain.
Companies face three distinct risks: financial (salaries funding a sanctioned regime, potential OFAC violations), security (insider access to proprietary code, customer data, and internal systems), and operational (the discovery and removal of compromised employees disrupts teams and timelines).
The FBI, Department of Justice, and Department of the Treasury have all issued advisories. Multiple arrests of facilitators have been made. But the scale of the operation means that reactive detection - finding operatives after they are hired - is insufficient.
How ShowUp Addresses This Threat
ShowUp.cv was built for exactly this scenario. By requiring candidates to complete a verified, in-person interview session at a professional proctoring center, ShowUp eliminates the core vulnerability that DPRK operatives exploit: the assumption that the person on the video call is the person who will show up to work.
At a ShowUp session, candidates present government-issued identification, are photographed, and complete their technical interview on a clean, monitored workstation. There are no proxies, no real-time coaching, no AI assistance tools. The person who interviews is the person who is verified.
For companies operating in regulated industries, handling sensitive data, or simply unwilling to accept the risk of interviewing strangers, ShowUp provides the infrastructure to verify before you hire.
This article summarizes findings from the Flare + IBM X-Force report on the North Korean Infiltrator Threat, published March 2026. For the full research, visit the link above.