TL;DR: North Korean IT worker scams exploit remote hiring, credential-based access, and weak device trust to reach sensitive environments, extract source code, and persist for months, according to Appgate's analysis of a Wired report. The pattern shows that identity verification at onboarding is not enough when access decisions ignore device state, context, and session-level risk.
NHIMG editorial — based on content published by Appgate covering North Korean IT worker remote access scams: an analysis of how imposters use fake or stolen identities to gain legitimate access
Questions worth separating out
Q: How should security teams prevent fake remote workers from gaining broad access?
A: Use layered identity proofing, role-based provisioning, and device trust checks instead of treating hiring approval as access approval.
Q: Why do VPNs and IP filtering fail against remote worker imposters?
A: VPNs and IP filters prove connectivity, not trust.
Q: What breaks when remote access is not tied to device posture?
A: Access becomes durable even when the endpoint is unmanaged, compromised, or redirected.
Practitioner guidance
- Tighten remote hiring and access handoff controls Treat onboarding verification, identity proofing, and access provisioning as separate checkpoints.
- Bind remote access to device trust Require managed, compliant, and protected devices before allowing any connection, then keep evaluating posture after login.
- Segment access by user identity and resource Replace broad network reach with individually authorised pathways to specific applications and data sets.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- The specific access-policy model behind Appgate ZTNA's identity-centric segmentation
- How real-time threat and device-health signals are used to withdraw entitlements
- Why the cloaking approach changes what a remote user can discover after initial access
- The business-risk framing around sanctions exposure, audits, and board accountability
👉 Read Appgate's analysis of North Korean IT worker remote access scams →
Remote access blind spots and fake hires: what IAM teams miss?
Explore further
Remote hiring verification is not an access control. This pattern works because organisations confuse employment screening with runtime trust. A worker can clear onboarding checks and still be hostile once access begins, which means HR verification and IAM enforcement are solving different problems. The practitioner implication is that access governance must continue after hire, not end at background check completion.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which helps explain why trust-based access models remain brittle.
A question worth separating out:
Q: Who is accountable when a sanctioned remote worker is hired and paid?
A: Accountability extends beyond security to HR, finance, legal, and executive oversight because the issue can become sanctions exposure as well as cyber risk. Organisations need a clear ownership model for identity verification, payment controls, and access revocation so one failure does not cascade across departments.
👉 Read our full editorial: North Korean IT worker scams expose remote access blind spots