North Korean IT Workers Persist in Their Efforts

Fraud Management & Cybercrime,
Governance & Risk Management,
Remote Workforce

Nisos Links 166K Applications, 21K Interviews, and 76 Job Offers to North Korea

In an alarming investigation into employment fraud perpetrated by North Korean operatives, researchers from the human risk management firm Nisos have discovered that these scammers inundated numerous U.S. companies with an extraordinary number of job applications during the years 2024 and 2025. Their approach utilized identity theft and cutting-edge artificial intelligence tools to penetrate the American technology sector.

Nisos revealed that, from December 2024 through September 2025, two dozen North Korean operatives submitted 166,893 job applications. This effort led to over 21,000 interviews starting from April 2025 and ultimately resulted in 76 job offers. Despite the high volume of applications and interviews, the overall success rate of the operation remains low, sitting at just below 1%.

In a manner characteristic of the regime, these operatives employed stolen identities and fabricated employment histories, alongside social engineering tactics and AI-enhanced interview tools, to deceive employers in the United States. Nisos reported that a significant breakthrough in this investigation began in June 2025 when a suspicious applicant sought a lead remote AI architect position within the firm. Rather than discontinuing the hiring process, researchers decided to implement a “pre-employment diligence investigation.” They asked focused questions designed to gauge the authenticity of the applicant, who turned out to be using an AI-generated resume in an attempt to masquerade as a qualified Florida-based AI architect and senior-level stack developer.

The sophistication of the North Korean operations appeared systematic, with a hierarchical chain of command in place. This structure comprised various roles: administrators, managers, team leads, and operatives, each of whom managed up to four different personas. Communication and coordination of malicious actions were conducted via private Discord servers and a customized Vercel dashboard, allowing operatives to track metrics such as applications submitted and interviews conducted in real time.

Furthermore, the investigation highlighted that these operatives used popular platforms such as Google Meet, Zoom, and Microsoft Teams for their communications, indicating a dispersed operational structure rather than a centralized base of operations. The tech sector emerged as the primary target, accounting for 42.6% of job offers extended. Consulting firms constituted 13.1%, while healthcare and financial organizations each accounted for 8.2%. A notable 72% of the job offers were for developer and engineering positions, ranging from entry-level roles with salaries around $55,000 to senior positions that could pay as much as $230,000.

To enhance their chances of success, operators purchased identity packages through online forums like Telegram. They referenced a broker known as @accountproviderforyou, who offered comprehensive identity packages, including a legitimate U.S. ID card, Social Security number, and a selfie, all for $120. Other fraudulent documents, such as ID cards and bank statements, were available for prices ranging from $50 to $70. The acquisition of such materials can significantly elevate the likelihood of securing employment. Additionally, the operatives often discussed acquiring LinkedIn and other unspecified profiles to enhance their credibility.

The investigation uncovered extensive evidence of AI utilization throughout the hiring process. Operatives reportedly utilized tools like ChatGPT to rehearse their responses prior to interviews, tailor their resumes according to job specifications, and generate consistent responses that fit their assumed identities. On occasion, American facilitators—operatives recruited to serve as a cover—participated in interviews as the candidate while coordinating with other operatives who supplied responses using support systems initially set up for remote access.

Researchers noted that facilitators also outsourced work to third-party bidders in countries such as India, Kenya, or Nigeria after securing jobs. This layered operation indicated an elaborate strategy designed to exploit legitimate employment opportunities while maintaining anonymity and operational security. As this disturbing pattern of fraudulent activity continues to unfold, it poses significant challenges for companies in identifying and mitigating risks associated with hiring processes skewed by such sophisticated deceit.
