Tuesday, July 29, 2025

Stolen IDs and laptop farms: How North Korean IT workers infiltrate Western companies

When Korean American entrepreneur Robin Kim posted an online job listing for a senior frontend engineer to help design the user interface for his photo-editing app, he expected candidates to be experienced developers with a preference for working remotely.

What he didn’t expect, however, was that some of the applicants might be North Korean operatives working at Pyongyang’s behest to infiltrate Western companies.

Kim’s encounter two years ago with three individuals he now believes were North Koreans pretending to be software engineers based in other countries reflects a growing concern among global cybersecurity officials.

U.S. authorities say North Korea has been deploying operatives to pose as IT workers to secure remote tech jobs abroad. These agents not only earn wages that bankroll Pyongyang’s missile and nuclear weapons programs, but also introduce malware into company networks to steal cryptocurrencies or extract sensitive and proprietary data.

The scheme has become so pervasive that nearly every Fortune 500 company has unknowingly hired at least one North Korean worker, Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, said during a media briefing in April.


In response, the U.S. Department of Justice is cracking down by arresting Pyongyang’s U.S.-based accomplices, seizing financial assets and raiding locations connected to the scheme.

To understand how these operatives infiltrate Western companies, the Korea JoongAng Daily spoke with representatives from three tech firms that had interviewed or briefly employed applicants later flagged as suspected North Korean operatives.

Right names, wrong faces

For Kim, the first hint that something was amiss came from the names on the resumes: Steven Smith, Jeremy Pierce and Rodney Gilyard. “These are names most people would associate with Caucasian men,” Kim said.

But during video interviews, all three candidates appeared to be Asian men.

“I was a little taken aback, but I withheld judgment because I didn’t want to be accused of racial profiling,” Kim recalled.

Still, their accents gave him pause. “I could only tell that they weren’t native speakers of English, which I thought was only more strange since they gave me such American names,” he recalled.

Kim added that he usually recognizes Korean accents and did not initially assume the applicants were North Korean.

Others, however, were less suspicious. The chief operating officer (COO) of a San Francisco-based AI start-up that accidentally hired a suspected North Korean operative said the individual also used a Western-sounding name.

“But everyone’s from somewhere else in Silicon Valley,” the COO said. “A foreign accent, by itself, wouldn’t raise alarms.”

In this video, a man posing as Rodney Gilyard, lower left, explains code he wrote during a job interview for Robin Kim’s company in 2023. [ROBIN KIM]

Shifty behavior, red flags

Mismatched names and accents were not the only signs that the applicants were not who they claimed to be.

Job interviews at tech companies typically consist of multiple stages, including a portion where applicants elaborate on their previous work experience and another where they demonstrate their ability to perform technical tasks they are expected to fulfill in their prospective position.

It was during these technical interviews that Kim noticed that Pierce and Smith appeared ill at ease demonstrating and explaining their coding abilities.

“Gilyard was really quite good,” Kim said. “But Pierce’s and Smith’s coding abilities weren’t at the level of the experience they claimed.”

There were more unusual moments. Smith refused to turn on his camera during his technical demonstration, while Pierce froze mid-explanation for 30 seconds — though Kim could still hear voices in the background.

“It felt like he was getting help from someone nearby,” Kim said.

That suspicion of outside assistance was echoed by the COO of the AI start-up, who later discovered that different individuals had appeared in the same applicant’s interviews.

“Though we don’t record interviews as a matter of practice, we realized during our internal investigation that multiple people had represented the same applicant,” the COO said, adding that the company did not initially catch this deception because four different employees conducted the interviews.

Following the incident, the company instituted a rule requiring all candidates to keep their cameras on during virtual meetings.

Kim also found it suspicious that even the most skilled of the three applicants, Gilyard, was unable to provide details about life in Jersey City, his purported locale.

“He said there wasn’t much to do around there, which is weird because it’s right by Manhattan,” recalled Kim, who has previously lived in both New Jersey and New York.

Alarm bells go off

What ultimately confirmed Kim’s suspicions was a digital footprint.

After arranging a reference call with someone who claimed to be Gilyard’s former manager — and who spoke with an identical accent — Kim ran the applicant’s IP address through a verification service.

“When I saw the report, alarm bells went off in my head,” he said. “The IP address was associated with known scams and cybercriminal activity.”

The resume of a man going by the name of Rodney Gilyard that was received by Robin Kim. [ROBIN KIM]

Kim decided not to hire Gilyard shortly thereafter, but he was only able to put his finger on his suspicions after reading a cybersecurity report on the tell-tale patterns of North Korean cyber operatives, which matched what he saw during the interviews.

At the AI start-up, cybersecurity checks also played a key role in uncovering the deception. A day after the new hire began work, the company received an alert that the worker’s IP address matched that of a so-called laptop farm in New Mexico tied to North Korean cyber operations.

“We terminated his employment that day,” the COO said.

The final confirmation came in a call from a man in Texas, who was confused after receiving a welcome package from the company.

“It turned out the applicant had stolen this man’s identity,” the COO said. “He had no idea it was being used this way.”

Laptop farms

This pattern aligns with recent warnings from U.S. officials. According to the Justice Department, the North Korean government pays Americans to install remote access tools on company-issued laptops and host the machines in their homes. By controlling the computers from afar, the North Korean operatives can appear as domestic workers.

Sometimes, the U.S.-based accomplices ship the laptops to countries like Russia and China, where North Korean agents can operate with greater ease.

On Thursday, an American woman was sentenced to over eight years in prison for hosting laptop farms in houses in Arizona and Minnesota that enabled North Korean agents to pose as domestic IT workers at more than 300 U.S. companies.

The woman, Christina Chapman, admitted to stealing the identities of 68 U.S. citizens. According to U.S. officials, Chapman stored the laptops on labeled shelves, each linked to a different company and stolen identity. She was charged alongside three North Korean nationals affiliated with the regime’s Munitions Industry Department.

Officials say the money generated by these remote positions directly supported North Korea’s weapons programs.

Last week, the U.S. Treasury also imposed sanctions targeting a North Korean trading company and three individuals for their involvement in helping the regime evade sanctions and generate revenue through fraudulent IT worker schemes.
 
Better scrutiny needed

As remote work becomes increasingly common following the Covid-19 pandemic, experts warn that the risk of inadvertently hiring North Korean cyber operatives has only grown for companies.

Dan Stone, a product manager at the professional networking company Icebreaker, said that his company’s website has witnessed an uptick in suspected North Korean IT workers and other hostile state actors “sending connection requests en masse in order to create the illusion of legitimacy and pass themselves off as genuine jobseekers.”

Small and mid-sized companies, he added, are especially vulnerable as they often lack the means to verify applicants and end up “deciding whether to hire workers based on their technical abilities.”

Stone estimates that between 500 and 1,000 Web3 jobs are being filled each month by North Korean operatives, many juggling multiple roles.

“There’s actually a high level of awareness regarding this problem,” he said. “But often, companies don’t want to know if they’re hiring a North Korean operative and are willing to look the other way because they have work that needs to get done.”

Stone further emphasized that digital hiring trends have outpaced digital verification means.

“We’ve evolved into a highly digital society, but we’ve not evolved the corresponding tools to verify whether online profiles are trustworthy,” he noted, adding that “the fact that we don’t have these tools is being used against us.”

He recommended that companies look beyond candidates’ technical skills and ask them more detailed questions about their lives to verify their backgrounds. He also suggested that employers should ask people they know and trust to vouch for job seekers.

Still, he acknowledged that advancing AI tools may soon render even rigorous screenings ineffective. “We’re already seeing AI used to alter voices and appearances on video,” Stone said. “Even if you ask better questions, AI can help them tell better lies.”

BY MICHAEL LEE [lee.junhyuk@joongang.co.kr]

The Korea Daily Digital Team
The Korea Daily Digital Team operates the largest Korean-language news platform in the United States, with a core staff of 10 digital journalists and a network of contributing authors based in both Korea and the U.S. The team delivers breaking news, in-depth reporting, and community-focused coverage for readers nationwide.