The enforcement story on North Korea’s IT worker scheme is well-documented: laptop farms, busted operators, guilty pleas. That tells you what happens after someone catches them.

IBM and Flare just published something more useful: the attacker playbook itself.

Their joint research is the most detailed technical analysis of DPRK IT worker infiltration tactics published to date. The tactics are specific, documented, and replicable. Someone could run this operation again tomorrow.

How they get hired

The entry point is synthetic identity construction. AI-generated profile photos that pass a quick visual scan. Stolen or purchased Social Security numbers with legitimate credit history. References that check out because they’re part of the support network, not real former colleagues. Cover stories built to survive the casual due diligence most hiring teams actually run.

This isn’t improvised. It’s a production operation specifically tuned for US hiring pipelines.

How they stay hired

Operatives handle video calls but manage camera exposure and deflect probing questions. When suspicion rises, they respond fast – adjusting behavior or exiting cleanly and re-applying under a different identity.

Devices come from US-based intermediaries who physically manage the laptop and proxy the connection. IP geolocation checks see a domestic address. Payment routes through multiple intermediaries before anything reaches North Korea. The laptop farm isn’t just payment infrastructure; it’s what makes the connection look legitimate.

What actually catches them

IBM and Flare translate all of this into detection guidance:

Device fingerprinting can catch mismatches between the interview device and the day-one device, or flag behavior that doesn’t match stated location.

Payment account screening during onboarding is underused. Accounts routing through specific intermediary patterns are a signal.

Reference verification needs depth. Real references have independent digital footprints that predate the job search.

Unscheduled video check-ins, not just polished formal interviews, surface operatives who prepped for the process but struggle with spontaneous interaction.
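The four controls above reduce to a small set of onboarding checks that an HR or security team can run over its own records. The script below is an added illustration of that, not code from the IBM/Flare research; the record layout, the field names, the 40% off-hours threshold and the two sample hires are constructed assumptions. It deliberately keeps the IP geolocation check, because the suspicious sample passes it (logins all resolve to the stated country, as they would through a proxied domestic device) and is caught by the other signals instead.

```python
"""Onboarding anomaly checks modelled on the detection guidance above.

Added illustration, not code from the IBM/Flare research. The record layout,
the thresholds and the sample hires are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class DeviceFingerprint:
    platform: str   # OS/browser family reported by the client, e.g. "Windows 11 / Chrome"
    timezone: str   # IANA zone the device itself reports
    locale: str     # e.g. "en-US"
    screen: str     # e.g. "1920x1080"


@dataclass(frozen=True)
class Reference:
    name: str
    footprint_first_seen: Optional[date]  # earliest independent online record found, if any


@dataclass
class HireRecord:
    employee: str
    stated_country: str
    stated_timezone: str
    application_date: date
    interview_device: DeviceFingerprint
    day_one_device: DeviceFingerprint
    login_countries: list[str]       # country resolved from each login IP
    activity_utc: list[datetime]     # timestamps of interactive activity (UTC)
    payee_name: str                  # name on the payroll account
    payee_country: str
    references: list[Reference]


OFF_HOURS_THRESHOLD = 0.4  # assumed: flag if >40% of activity is 22:00-06:00 local


def off_hours_share(rec: HireRecord) -> float:
    """Fraction of activity outside 06:00-22:00 in the employee's stated timezone."""
    if not rec.activity_utc:
        return 0.0
    tz = ZoneInfo(rec.stated_timezone)
    hours = [t.astimezone(tz).hour for t in rec.activity_utc]
    return sum(1 for h in hours if h < 6 or h >= 22) / len(hours)


def check_hire(rec: HireRecord) -> list[str]:
    """Return human-readable findings; an empty list means no check fired."""
    findings: list[str] = []
    a, b = rec.interview_device, rec.day_one_device

    # 1. Device fingerprinting: the interview device and the day-one device
    #    should be the same machine, or at least agree on zone and locale.
    changed = [f for f in ("platform", "timezone", "locale", "screen")
               if getattr(a, f) != getattr(b, f)]
    if changed:
        findings.append("interview/day-one device mismatch: " + ", ".join(changed))

    # 2. Behaviour vs stated location. IP geolocation alone is weak (a proxied
    #    laptop in the stated country passes it), so also check what the device
    #    reports about itself and when the person is actually active.
    if b.timezone != rec.stated_timezone:
        findings.append(f"device timezone {b.timezone} != stated {rec.stated_timezone}")
    foreign = sorted({c for c in rec.login_countries if c != rec.stated_country})
    if foreign:
        findings.append("logins outside stated country: " + ", ".join(foreign))
    share = off_hours_share(rec)
    if share > OFF_HOURS_THRESHOLD:
        findings.append(f"{share:.0%} of activity falls in local night hours")

    # 3. Payment account screening at onboarding: payee should be the employee.
    if rec.payee_name.casefold() != rec.employee.casefold():
        findings.append(f"payroll payee '{rec.payee_name}' is not the employee")
    if rec.payee_country != rec.stated_country:
        findings.append(f"payroll account in {rec.payee_country}, employee states {rec.stated_country}")

    # 4. Reference depth: a real reference has a footprint predating the job search.
    for ref in rec.references:
        if ref.footprint_first_seen is None or ref.footprint_first_seen >= rec.application_date:
            findings.append(f"reference '{ref.name}' has no footprint predating the application")
    return findings


# Constructed sample hires (all names, dates and devices are made up).
_ET = DeviceFingerprint("Windows 11 / Chrome", "America/New_York", "en-US", "1920x1080")
_CLEAN = HireRecord(
    employee="Dana Example", stated_country="US", stated_timezone="America/New_York",
    application_date=date(2024, 1, 15), interview_device=_ET, day_one_device=_ET,
    login_countries=["US", "US", "US"],
    activity_utc=[datetime(2024, 1, 22, h, tzinfo=timezone.utc) for h in (14, 15, 16, 20)],
    payee_name="Dana Example", payee_country="US",
    references=[Reference("Sam Colleague", date(2016, 5, 1))],
)
_SUSPECT = HireRecord(
    employee="Pat Example", stated_country="US", stated_timezone="America/New_York",
    application_date=date(2024, 1, 15),
    interview_device=DeviceFingerprint("macOS / Safari", "Asia/Shanghai", "en-US", "1440x900"),
    day_one_device=DeviceFingerprint("Windows 11 / Chrome", "Asia/Shanghai", "en-US", "1920x1080"),
    login_countries=["US", "US", "US"],   # proxied through a domestic device, so geo looks fine
    activity_utc=[datetime(2024, 1, 22, h, tzinfo=timezone.utc) for h in (2, 3, 4, 16)],
    payee_name="Third Party Ltd", payee_country="US",
    references=[Reference("Alex Handler", None)],
)

if __name__ == "__main__":
    for rec in (_CLEAN, _SUSPECT):
        print(rec.employee, check_hire(rec) or ["no findings"])
```

Run as-is, the clean hire produces no findings while the suspicious one trips five: a device change between interview and day one, a device timezone that disagrees with the stated one, half of its activity in local night hours, a third-party payee, and a reference with no prior footprint. None of those five depends on IP geolocation, which is the point the laptop-farm section makes.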

A hire that makes it through onboarding can sit inside a company’s environment for months before detection. By then the damage is done: code access, credential harvesting, IP exfiltration.

The playbook is documented. The detection controls exist. The gap is that most organizations haven’t operationalized either.

