Global talent has benefited from remote work, but there are risks involved as well. On LinkedIn, North Korean IT workers affiliated with the Democratic People's Republic of Korea (DPRK) are impersonating qualified professionals.
In an attempt to infiltrate businesses and steal information or money, they use fake profiles to apply for jobs. Since 2023, cybersecurity companies like Mandiant and Recorded Future have monitored this trend, with a notable increase in 2025. These agents seek out lucrative remote positions in cloud engineering, IT support, and software development. They use identities that have been stolen from Asian, European, and American workers.
Profiles frequently display verified work email addresses (such as companyname.com) and LinkedIn badges for employment or skills, so applications appear authentic. After being hired, these workers can install malware, siphon cryptocurrency, or access company networks.
U.S. cybersecurity agencies issued a public service announcement (PSA) alerting people that DPRK IT workers apply for remote positions using the real LinkedIn accounts of people they have impersonated. The fraudulent resumes match the stolen profiles exactly. Businesses need to verify candidates beyond LinkedIn.
The Operation of the Impersonation Scam

Hackers from DPRK begin by breaking into personal accounts. They purchase data from dark web marketplaces or send phishing emails. Infostealers are tools that steal work history, photos, and LinkedIn credentials. In order to avoid detection, operators then "piggyback" on these accounts with little modification.
They create resumes in English from secure places like China or Russia. They use phony GitHub repos or cloned portfolios to support their claims of experience at companies like Google or AWS. VPNs are used for interviews in order to conceal IP addresses from North Korea.
They use deepfake video tools for Zoom and AI voice changers for calls. Priorities change once inside. They use Dropbox to exfiltrate data, deploy Cobalt Strike beacons for remote control, or map networks using programs like BloodHound.
This resulted in $100 million worth of cryptocurrency being stolen from three companies in 2024. In one instance, a victim lost $2 million as a result of ransomware planted by a phony "senior dev." Detection clues include odd VPN patterns, Korean-language artifacts in code commits, and payments to untraceable wallets. While many accounts go unnoticed, LinkedIn flags some.
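One of the detection clues above, Korean-language artifacts in code commits, can be checked mechanically. The following is an added example, not part of the original article: it scans `git log` output for Hangul in author fields and commit messages. The log format string, the function and class names, and the sample log are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Unicode blocks that carry Hangul: Jamo, Compatibility Jamo, Jamo Extended-A,
# precomposed Syllables, Jamo Extended-B, and halfwidth variants. Covering the
# Jamo blocks also catches decomposed (NFD) text.
HANGUL = re.compile(
    "[\u1100-\u11FF\u3130-\u318F\uA960-\uA97F\uAC00-\uD7A3\uD7B0-\uD7FF\uFFA0-\uFFDC]+"
)

# Field and record separators. Assumed input is produced with:
#   git log --all --format='%H%x1f%an%x1f%ae%x1f%B%x1e'
FS, RS = "\x1f", "\x1e"

@dataclass
class Hit:
    commit: str   # abbreviated commit hash
    field: str    # author_name, author_email or message
    text: str     # the Hangul fragment that matched

def scan_git_log(raw: str) -> list[Hit]:
    """Return one Hit per Hangul run found in commit metadata or messages."""
    hits = []
    for record in raw.split(RS):
        record = record.strip("\n")
        if not record:
            continue
        parts = record.split(FS, 3)
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing fields
        sha, name, email, message = parts
        fields = (("author_name", name), ("author_email", email), ("message", message))
        for field, value in fields:
            for match in HANGUL.finditer(value):
                hits.append(Hit(sha[:12], field, match.group()))
    return hits

# Constructed sample log: English commit, Hangul in a body, Japanese subject.
SAMPLE_LOG = RS.join([
    FS.join(["a1" * 20, "Alex Doe", "alex@example.com", "Add retry logic to uploader"]),
    FS.join(["b2" * 20, "Alex Doe", "alex@example.com", "fix build\n\n임시 수정, 나중에 정리"]),
    FS.join(["c3" * 20, "Kim", "kim@example.com", "修正: typo in README"]),
]) + RS

if __name__ == "__main__":
    for hit in scan_git_log(SAMPLE_LOG):
        print(f"{hit.commit}  {hit.field}: {hit.text}")
```

A hit is a triage signal to weigh alongside the other clues, since Hangul also appears in legitimate work; the Japanese commit in the sample is deliberately not flagged.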
Defending Your Business Against DPRK Dangers

Companies should take immediate action, according to SEAL Org. Start by implementing stringent hiring procedures. Video interviews must confirm live presence and rule out deepfakes.
For identity verification outside of LinkedIn, use services like Persona or Clear. Second, segment networks. Zero-trust models grant new remote hires restricted access.
Anomalies, such as odd data outflows, are tracked by programs like Microsoft Defender and CrowdStrike. Third, provide staff training. Red flags that HR must look for include resumes with flawless English but cultural mismatches or a reluctance to share screen captures in real time. Don't trust LinkedIn links; check emails directly.
Governments are reacting. Sanctions target DPRK fronts like "Wonderkid Solutions," and the U.S. FBI issued alerts in January 2026 asking businesses to report suspicious hires. LinkedIn has partnered with companies to scan profiles and now mandates two-factor authentication. This fraud takes advantage of people's trust in remote work.
By staying vigilant, companies can hire safely and block nation-state threats.











