The laptop came back from Melbourne, Florida – shipped there from a rental house somewhere else. That detail is how investigators knew they had the right person.

Nisos, a threat intelligence firm in Virginia, had been watching. They’d set a trap. And it worked.

How the Scheme Works

North Korea sends skilled developers to infiltrate Western tech companies by applying for remote jobs under false identities. They’re good at it. They pass technical interviews. They deliver work on time. The salary goes to Pyongyang, sometimes funding weapons programs.

The “laptop farm” is how the domestic piece works. Someone inside the US hosts the physical hardware. The North Korean worker connects remotely. From the company’s perspective, they hired a developer in Indiana. What they actually did was hire someone in Pyongyang routing through a forwarding address in Indiana.

Three Americans were sentenced this week for running exactly this operation, routing approximately $1.28 million in fraudulent salary to North Korea. OFAC simultaneously sanctioned six individuals and two entities tied to the wider DPRK network.

The Trap

Nisos brought in a suspected North Korean worker through a fake hiring process, then handed them a dedicated laptop on a monitored network. That setup tells you almost everything: where traffic goes, what tools are being used, who the worker is actually communicating with.

The laptop came back having been through Melbourne, Florida – part of the physical forwarding infrastructure the operation depends on. Combined with what Nisos observed on the monitored network, they had enough to confirm the suspicion.

Here’s the part that should make every security team uncomfortable: after the investigation, Nisos called some of the companies already infiltrated. Those companies had security teams – in some cases, pretty good ones. They had no idea.

Nisos CEO Ryan LaSalle: “Most of the companies weren’t aware of it, even if they had pretty robust security teams. It wasn’t really high on the radar.”

It still isn’t, for most organizations.

What to Actually Look For

These workers are often genuinely good at the job, so the tells are in the logistics, not the work product.

Watch for workers unusually insistent about using their own equipment, or with complex setups involving KVM switches. Pay attention to IP address inconsistencies during onboarding – especially candidates who interview from one location and work from another, routed through a VPN.

Be especially alert to workers who push back hard on any in-person requirement, resist video calls, or have inconsistencies in their background. References who are hard to verify. Employment histories at companies with no public profile. LinkedIn pages that are a little too sparse or too polished.

The access these workers get is real. They’re inside your codebase, your infrastructure, potentially your customer data. The risk isn’t just salary fraud – it’s what a state intelligence operation does with access to a Western tech company’s systems over months or years.

For hiring managers and security teams, the fixes are practical and unglamorous: add friction to remote onboarding, be consistent about hardware requirements, and take seriously the question of where a remote worker is actually physically located.
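The location-consistency checks described above (interview location versus work location, VPN routing, and where the hardware actually ends up), sketched as an added example that is not from Nisos or the original article. The event fields, region codes, worker IDs and HR record layout are all constructed assumptions, and the VPN flag is assumed to come from whatever IP-reputation source you already use.

```python
# Added example: flag location inconsistencies across hiring and onboarding.
# Every record, field name and ID below is constructed for illustration;
# the IP addresses come from documentation ranges (RFC 5737).
from collections import defaultdict

# Constructed events: (worker, stage, source_ip, geo_region, is_vpn_or_hosting)
EVENTS = [
    ("w-1001", "interview", "198.51.100.23", "US-IN", False),
    ("w-1001", "work",      "198.51.100.40", "US-IN", False),
    ("w-1002", "interview", "203.0.113.7",   "US-CA", True),
    ("w-1002", "work",      "192.0.2.55",    "US-FL", True),
    ("w-1002", "work",      "192.0.2.55",    "US-FL", True),
]
# Constructed HR data: declared home region and where the laptop was shipped.
HR = {
    "w-1001": {"declared": "US-IN", "shipped_to": "US-IN"},
    "w-1002": {"declared": "US-CA", "shipped_to": "US-FL"},
}

def review_worker(worker, events, hr):
    """Return a sorted list of reasons this worker needs manual review."""
    regions = defaultdict(set)   # stage -> regions seen at that stage
    vpn_hits = total = 0
    for w, stage, _ip, region, vpn in events:
        if w != worker:
            continue
        regions[stage].add(region)
        total += 1
        vpn_hits += vpn
    rec, reasons = hr[worker], set()
    if rec["shipped_to"] != rec["declared"]:
        reasons.add("laptop shipped outside declared region")
    seen_i, seen_w = regions["interview"], regions["work"]
    if seen_i and seen_w and seen_i.isdisjoint(seen_w):
        reasons.add("interview and work regions differ")
    if seen_w - {rec["declared"]}:
        reasons.add("work sessions outside declared region")
    if total and vpn_hits == total:
        reasons.add("every session via VPN/hosting IP")
    return sorted(reasons)

def triage(events, hr):
    """Map each worker with at least one finding to its list of reasons."""
    return {w: r for w in hr if (r := review_worker(w, events, hr))}
```

A hit is a prompt for manual review, not proof. Because a laptop farm makes work traffic look domestic, the shipping and interview comparisons carry more weight than the work IP alone.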

Most companies haven’t been asking that question. That’s the gap the scheme exploits.

