North Korean hackers use fake WFH jobs to infiltrate UK firms

North Korean state-backed hackers are using AI-generated resumes and stolen identities to infiltrate UK firms, under the guise of remote IT working.
According to a new threat report from CrowdStrike, the group – known as ‘Famous Chollima’ – has pivoted its focus from the US to the UK and Europe after a string of high-profile disruptions and indictments by US authorities.
Now, British firms are in the crosshairs, though many are unaware of the practice.
CrowdStrike has logged over 300 such incidents in 2024 alone, with nearly 40 per cent involving malicious insiders embedded in sectors from finance to healthcare.
These operatives routinely bypass identity verification checks, secure a job, and then deliver next to nothing – sometimes as little as four lines of code weekly – all while getting paid.
Once hired, these ‘workers’ often reroute their company-issued laptops to ‘laptop farms’ in the US, where proxy users connect the machines to the real operatives abroad.
These compromised devices are then loaded with remote access tools and browser extensions, allowing covert control from North Korea, China, or Russia.
“Treat hiring as a security-critical process”, warned Adam Meyers, CrowdStrike’s head of counter adversary operations. “Insist on live video onboarding, cross-check identities, and monitor behavioural red flags like chronic under-performance or odd login patterns.”
A global trend
The UK government recently issued its own advisory on the growing threat, urging employers to scrutinise remote applications more closely, and invest in proactive threat detection.
This escalation comes after a US federal indictment from December 2024 of 14 North Korean nationals for a multi-year scheme to defraud companies using fake IT workers – a campaign that generated an estimated $88m for the regime.
The suspects used stolen identities, paid US citizens to attend interviews on their behalf, and even attempted extortion by threatening to leak stolen intellectual property.
While some incidents involve code or data theft, most are simply salary draining, with the proceeds routed back to the DPRK.
The hackers even held ‘socialist competitions’ to reward the highest earners.
CrowdStrike also found that these threats are opportunistic, as hackers apply wherever there is an open role, rather than targeting specific firms.
As a result, any UK company hiring remote developers is potentially at risk.