
North Korean IT worker fraud: what identity teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Investigators say nearly every Fortune 500 company may have unknowingly hired at least one North Korean IT operative, with 100,000+ operatives, about $500 million a year routed to Pyongyang, and valid enterprise credentials obtained from day one, according to Abnormal AI. The case shows that identity security can verify the account while still missing the person, so hiring, access, and behavioural signals must be governed together.

NHIMG editorial — based on content published by Abnormal AI: Key insights on North Korean IT worker fraud and enterprise identity abuse

By the numbers:

Questions worth separating out

Q: How should security teams detect fraudulent hires who have valid credentials?

A: They should correlate identity proofing, HR records, directory activity, and SaaS notification patterns rather than relying on credential validity alone.

Q: Why do normal onboarding controls miss North Korean IT worker schemes?

A: Because onboarding controls usually validate documents, workflow completion, and account issuance, not the real-world identity behind the role.

Q: What signals indicate a newly hired identity may be fraudulent?

A: Look for communication patterns that do not fit the role, unusual changes in SaaS permissions, and access behaviour that diverges from peers with similar responsibilities.

Practitioner guidance

  • Separate identity proofing from access issuance: require an explicit human verification step before directory and application permissions are granted, and make the approval record distinct from the onboarding packet.
  • Correlate HR, IAM, and SaaS notifications: join Workday-style, Salesforce-style, and directory events to spot unusual permission accumulation, role drift, or inconsistent account activity in the first days after onboarding.
  • Baseline communication patterns for new hires: measure whether a new identity's outbound communication graph, timing, and application usage match the declared role within the first few weeks.
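The first two guidance points above, joined into one detection, as an added example (this is not code from the Abnormal AI article or from NHIMG): constructed HR hire records, a constructed human-verification log, and constructed permission-grant events from the directory and SaaS apps are correlated to flag a new hire who received access without a recorded verification step, or who accumulated far more permissions in the first week than peers hired into the same role. All data, user ids and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data (hypothetical): HR hires, the set of identities with a
# recorded live human-verification approval, and permission grants as
# (timestamp, user, source system, permission) tuples.
HR_HIRES = [
    {"user": "u1001", "role": "backend-engineer", "start": "2024-03-04"},
    {"user": "u1002", "role": "backend-engineer", "start": "2024-03-04"},
    {"user": "u1003", "role": "backend-engineer", "start": "2024-03-11"},
]
VERIFIED = {"u1001", "u1002"}
GRANTS = [
    ("2024-03-04T09:10", "u1001", "directory", "group:eng-all"),
    ("2024-03-05T10:00", "u1001", "github", "repo:read"),
    ("2024-03-04T09:12", "u1002", "directory", "group:eng-all"),
    ("2024-03-06T11:30", "u1002", "github", "repo:read"),
    ("2024-03-11T08:00", "u1003", "directory", "group:eng-all"),
    ("2024-03-11T08:05", "u1003", "directory", "group:prod-admins"),
    ("2024-03-11T09:00", "u1003", "github", "repo:admin"),
    ("2024-03-12T09:00", "u1003", "salesforce", "profile:system-admin"),
    ("2024-03-13T09:00", "u1003", "workday", "role:hr-partner"),
]

def grants_in_window(hires, grants, days=7):
    """Count distinct permissions each new hire accumulates within `days` of start."""
    start = {h["user"]: datetime.fromisoformat(h["start"]) for h in hires}
    seen = defaultdict(set)
    for ts, user, source, perm in grants:
        if user in start and 0 <= (datetime.fromisoformat(ts) - start[user]).days < days:
            seen[user].add((source, perm))
    return {u: len(seen[u]) for u in start}

def flag_new_hires(hires, grants, verified, days=7, ratio=2.0):
    """Return {user: reasons} for hires that (a) hold access with no verification
    record, or (b) exceed `ratio` x the median early grant count of same-role peers."""
    counts = grants_in_window(hires, grants, days)
    by_role = defaultdict(list)
    for h in hires:
        by_role[h["role"]].append(h["user"])
    findings = {}
    for h in hires:
        u, reasons = h["user"], []
        if u not in verified and counts[u] > 0:
            reasons.append("access granted before human verification")
        peers = [counts[p] for p in by_role[h["role"]] if p != u]
        if peers and counts[u] > ratio * median(peers):
            reasons.append(f"{counts[u]} grants vs peer median {median(peers):g}")
        if reasons:
            findings[u] = reasons
    return findings
```

In the sample data only u1003 is flagged, on both grounds; in practice the HR, verification and grant feeds would be pulled from the HRIS, the IdP audit log and each SaaS admin log rather than embedded.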

What's in the full article

Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:

  • The indictment timeline and court-sourced details behind the nine-year sentence and the wider operative network.
  • The PeopleBase-driven behavioural baseline approach used to distinguish legitimate employees from fraudulent hires.
  • The specific notification patterns from Workday and Salesforce that can reveal access accumulation.
  • The logistics model involving facilitators, devices, and onboarding artefacts that made the scheme scalable.

👉 Read Abnormal AI's analysis of North Korean IT worker fraud and identity abuse →
