TL;DR: Investigators say nearly every Fortune 500 company may have unknowingly hired at least one North Korean IT operative, with 100,000+ operatives, about $500 million a year routed to Pyongyang, and valid enterprise credentials obtained from day one, according to Abnormal AI. The case shows that identity security can verify the account while still missing the person, so hiring, access, and behavioural signals must be governed together.
NHIMG editorial — based on content published by Abnormal AI: Key insights on North Korean IT worker fraud and enterprise identity abuse
By the numbers:
- 500 company has unknowingly hired at least one, ly hired at least one North Korean IT operative.
- Roughly $500 million a year is routed back to Pyongyang.
Questions worth separating out
Q: How should security teams detect fraudulent hires who have valid credentials?
A: They should correlate identity proofing, HR records, directory activity, and SaaS notification patterns rather than relying on credential validity alone.
Q: Why do normal onboarding controls miss North Korean IT worker schemes?
A: Because onboarding controls usually validate documents, workflow completion, and account issuance, not the real-world identity behind the role.
Q: What signals indicate a newly hired identity may be fraudulent?
A: Look for communication patterns that do not fit the role, unusual changes in SaaS permissions, and access behaviour that diverges from peers with similar responsibilities.
Practitioner guidance
- Separate identity proofing from access issuance Require an explicit human verification step before directory and application permissions are granted, and make the approval record distinct from the onboarding packet.
- Correlate HR, IAM, and SaaS notifications Join Workday-style, Salesforce-style, and directory events to spot unusual permission accumulation, role drift, or inconsistent account activity in the first days after onboarding.
- Baseline communication patterns for new hires Measure whether a new identity’s outbound communication graph, timing, and application usage match the declared role within the first few weeks.
What's in the full article
Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:
- The indictment timeline and court-sourced details behind the nine-year sentence and the wider operative network.
- The PeopleBase-driven behavioural baseline approach used to distinguish legitimate employees from fraudulent hires.
- The specific notification patterns from Workday and Salesforce that can reveal access accumulation.
- The logistics model involving facilitators, devices, and onboarding artefacts that made the scheme scalable.
👉 Read Abnormal AI's analysis of North Korean IT worker fraud and identity abuse →
North Korean IT worker fraud: what identity teams missed?
Explore further
Identity proofing is not the same as employee legitimacy. This case shows that a system can authenticate a hire and still fail to verify the person behind the role. The control stack accepted the onboarding artefact, but the underlying employment relationship was fraudulent from the start. For identity programmes, that means human identity assurance and fraud detection are no longer separable concerns. Practitioners should treat proof-of-personhood and access issuance as linked governance decisions.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: What should organisations change after a large-scale labour fraud scheme?
A: They should separate employment legitimacy checks from access decisions, add behavioural monitoring for new hires, and review whether HR, IAM, and SaaS telemetry are being analysed together. The right response is not only tighter onboarding. It is a governance model that can detect when a real credential is attached to the wrong person.
👉 Read our full editorial: North Korean IT worker fraud exposes identity blind spots in hiring