My Recent Interview of a North Korean Fake Employee

You would think with all the global press we (i.e., KnowBe4) have received because of our public announcement of how we mistakenly hired a North Korean fake employee in July 2024 (https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us), followed by our multiple public presentations (https://info.knowbe4.com/code-red-webinar and https://info.knowbe4.com/north-korea-secret-it-army), and even an encompassing whitepaper on the subject (https://www.knowbe4.com/hubfs/North-Korean-Fake-Employees-Are-Everywhere-WP_EN-us.pdf), that the North Korean fake employees would avoid applying for jobs at KnowBe4.

You would be wrong. It is apparently not in their workflow to look up the company they are trying to fool along with the words ‘North Korea fake employees’ before they apply for jobs.

We get North Korean fake employees applying for our remote programmer/developer jobs all the time. Sometimes, they are the bulk of the applicants we receive. This is not unusual these days. This is the same with many companies and recruiter agencies I talk with. If you are hiring remote-only programmers, pay attention a little bit more than usual.

Recapping the North Korean Fake Employee Industry

If you have not read up on this subject before, I encourage you to read the whitepaper (https://www.knowbe4.com/hubfs/North-Korean-Fake-Employees-Are-Everywhere-WP_EN-us.pdf). In short, North Korea has many thousands of North Korean employees deployed in a nation-state-level industrial scheme to get North Koreans hired in foreign countries to collect paychecks until they are discovered and fired.

[Note: Due to UN sanctions, it is illegal to knowingly hire a North Korean employee throughout much of the world.]

To accomplish this scheme, North Korean citizens apply for remote-only programming jobs offered by companies around the world. The North Koreans apply using all the normal job-seeking sites and tools that a regular applicant would use, such as the company’s own job hiring website and dedicated job sites like Indeed.com.

The North Koreans work as part of larger teams, often consisting of dozens to over a hundred fake applicants. They are usually located in countries outside of North Korea that are friendly to North Koreans, such as China, Russia, and Malaysia. This is because North Korea does not have a good enough infrastructure (e.g., Internet, electricity, etc.) to best sustain the program, and it is easy for adversarial countries to detect and block North Korean Internet traffic.

The North Korean fake employees work in teams with a controlling manager. They often live in dormitory-style housing, eat together, and work in very controlled conditions. They do not have much individual freedom. Their families back home are used as hostages to keep the North Korean participants in line and working. They get jobs and earn paychecks, but the bulk of the earnings is sent back to North Korea’s government, often to fund sanctioned weapons of mass destruction programs.

The scheme is much like an assembly line workflow. The North Korean fake employee and their helpers apply for the job, interview, supply identity documents, get the job, get the related company equipment, and collect a paycheck. The North Korean applicant may do all steps in this process or farm it off to other participants, depending on the language skills of the applicant and the requirements of the job application process.

They will often use made-up “synthetic” identities, use stolen identity credentials of real people in the targeted country, or actually pay real people of Asian ancestry who live in the target country to participate. It turns out there is a burgeoning sub-industry of college-aged males of Asian ancestry who cannot wait to get paid for participating in these schemes. There are Discord channels all around the world just for this. They make a few hundred to a few thousand dollars for allowing their identity to be misused or participating in the scheme. That way, they can interview in person or take drug tests if the job requires that.

Sometimes the North Korean instigator does all the steps of the application process. Sometimes, they just get the job interview and hand it off to others with better language skills for the interview, and sometimes, they hand off the job to someone who can actually do the job (and collect a kickback percentage). How the North Korean fake employee accomplishes the hiring and job process runs the spectrum of possibilities. We have seen it all.

If they actually win the job, they will have another participant in the targeted country pick up the computing equipment sent by the employer and set it up. They are often known as “laptop farmers.” These laptop farmers have rooms full of computing equipment sitting on tables, marked with an identifier of what computer belongs to what company (to keep them straight). They power on the laptops and give the fake North Korean employee remote access to the laptop.

Using this scheme, North Korea has illegally “earned” hundreds of millions of dollars to fund its illegal weapons programs over the last few years.

There have been North Korean fake remote part-time contractors for over a decade, but the fake full-time remote employees took off when COVID-19 created many more fully remote “work-from-home” jobs. There is far more money to be made. If your company offers high-paying, remote-only programmer/developer jobs, you are likely receiving fake job applications from North Koreans. It is rampant. Hundreds to thousands of companies around the world likely have North Korean fake employees working for them right now. It is common.

If you are concerned about detecting and stopping North Korean fake employees, read our whitepaper: https://www.knowbe4.com/hubfs/North-Korean-Fake-Employees-Are-Everywhere-WP_EN-us.pdf.

Our North Korean Fake Employee Interview

We regularly get applications from North Korean fake employees. We routinely reject most of them. Occasionally, we accept a few and interview the fake employees to learn more about them and to keep up on any possible developing trends. Luckily, so far, North Korea does not seem to be changing their tactics that much from our original postings. The signs and symptoms of a North Korean fake employee we described last year still apply today. They are apparently still having great success with them. If you and your hiring team are educated about these schemes, it is fairly easy to recognize and mitigate them. You just have to know and look for the signs and symptoms.

We recently interviewed “Mario” supposedly from Dallas, Texas. Here’s a part of his resume.


We have hidden Mario’s last name and contact information because it is the name of a real American who is likely unaware that his identity has been hijacked and used in this scheme, and we don’t want hiring companies to accidentally be given the rogue contact info and think they have a real employee candidate.

Mario said he was an American citizen who was born and raised in Dallas. Despite this, he had a fairly strong Asian accent (likely North Korean). The Mario who showed up for our Zoom interview had the same voice as the Mario we interviewed over the phone during the first stage of the application process. Sometimes, they are different.

We had three KnowBe4 people on the Zoom call, including myself.

Over the next 45 minutes, we asked all sorts of questions that would be asked of any developer candidate. Whenever we asked a question, Mario would hesitate, spend 5-15 seconds repeating our question, and then come back with the perfect answer…most of the time. It was clear that Mario or someone participating with him was typing the question subject into a Google search or AI engine and repeating the results.

Mario started off by saying how he had a special interest in social engineering (you do not say) and security culture. He mentioned “security culture” over and over. I soon realized that if you go to our main website, we say “security culture” all over the place. He was repeating phrases he found on our website. But he was very friendly and smiling, and his English was heavily accented, but not super hard to understand most of the time. I would say that based solely on this first part of the interview, if we were unaware of what was going on, we all would have liked what he said and how he responded. He was friendly and smiley, and we liked him.

Mario claimed on his resume and in person to have programmed for Amazon, Salesforce, and IBM. He supposedly has the exact advanced programming skills we had advertised. I wish all job applicants knew as well how to best match what we advertised in a job ad with what they responded with. During his initial statements, he said he had a personal interest in cryptography and security. When it came time for me to ask technical questions, I used his mentioned interests as the basis for my questions.

I started off by asking if he had ever done post-quantum cryptography and if he had implemented it in his past projects. He hesitated, repeated the question, and then gave me an excellent dissertation on post-quantum cryptography, including mentioning NIST (which is probably the top search result you will get when researching post-quantum cryptography) and a list of the various post-quantum cryptography standards.

I asked him if his previous projects were all using post-quantum cryptography. He said, “Yes”, which is absolutely untrue. Almost no American company is currently implementing post-quantum cryptography. Strike one.

I asked what post-quantum encryption standard he liked to use most. He said Crystals-Dilithium. It is a digital signature algorithm, not encryption. He frequently mixed up encryption algorithms, like AES, with hashes (e.g., SHA-2) and digital signatures (e.g., Diffie-Hellman). Strike two for someone who is really into cryptography and regularly uses post-quantum cryptography.

I asked what size an AES cipher key would need to be to be considered post-quantum. This seemed to throw him for a loop, and he wasted more time than usual. He replied, 128-bits. This is wrong. AES keys have to be 256-bits or longer to be considered resilient against quantum cryptography. Strike three on the technical questions. He wrongly answered every technical question I asked.

At this point, I decided to throw out a random bad fact that any normal U.S. candidate should be able to spot and correct.

I said, “Bill Gates, CEO of Microsoft, says that all future programming will be done by AI agents. What do you think?”

Bill Gates has not been the CEO of Microsoft since 2008, but most people outside the industry would likely think Bill Gates was still the CEO because that is how the media often references him…as the “former” CEO of Microsoft. He is still a cultural icon associated with Microsoft. This is the type of mistake that a North Korean employee who does not have great access to the Internet would make.

And sure enough, Mario repeated the fact that Bill Gates was the CEO of Microsoft (instead of the current CEO, Satya Nadella). Mario did give a great answer on agentic AI and programming using AI agents. If he were a real employee, I would give his answer top points…well, except for not noticing my CEO switch-a-roo.

Finally, with the technical part of the interview over, we switched to the “personal” questions. If you are concerned that you may have a North Korean fake employee candidate on your hands, it cannot hurt to think of and ask for cultural references that anyone in your country or region should readily know, but that would be harder for a foreigner with limited knowledge of the culture to understand.

One of my co-interviewers asked him what he did in his free time. This seemed to surprise him. My co-worker asked if he liked any sports. He said he loved badminton. He probably did not realize that, although it is super popular in Asian cultures, it is not a top sport if you grew up in Dallas, TX, or nearly anywhere in America. Sure, there are plenty of people who play badminton (especially Americans of Asian-American ancestry), but it is an unlikely response out of all the possible responses you could offer.

I asked how excited he was that the Cowboys won the AFC. I figured he would not know that the Dallas Cowboys got creamed and did not win the AFC. For one, they are in the NFC and not the AFC conference division. He again hesitated…but then seemed to get that I was mentioning the Dallas Cowboys and that they had been eliminated from contention. I was surprised that this did not trip him up as much as I thought it would.

My co-worker said he was going to visit Dallas soon and asked whether the candidate had any favorite food spots. Mario said his mother’s cooking. I thought that was a great response, as he did not have to look up any restaurants in Dallas.

My co-worker persisted, asking the candidate if he had any restaurants to recommend. Mario did not. I offered up the “book repository” (one of the most famous tourist sites in Dallas) where people are dying to eat the “Nashville hot chicken.” Mario wholeheartedly agreed with my recommendation.

My co-worker asked the candidate if there was anywhere he would want to travel. In our hidden Slack channel, my co-worker said that when he asked this question of North Korean candidates, their eyes always lit up and they got excited. Sure enough, Mario began to excitedly describe his dreams of visiting Paris and South Africa.

I think it was at this point that we all began to have some empathy. Yes, we were dealing with a fake job candidate who was trying to steal our money (or worse), but in reality, this was a young man likely forced to do what he was doing, destined never to receive any big salary or visit those dreamed of vacation destinations. It is strange, but I think we started to feel a little ashamed at conducting a fake interview. So, we stopped and asked if he had any questions.

The normal job candidate would likely ask more about the job, tools used, benefits, and things like that. Mario had no questions other than how many other people we were interviewing and how he was doing in the job interview.

We ended the job interview. We had not picked up any new tactics or information, other than noticing that a lot of the North Korean fake employee candidates lately had been claiming to have been born and raised in Dallas, TX, and all with heavy accents. However, the last fake employee interview switched from a heavy Asian accent from the initial phone interview to a savvy Pakistani person whom we interviewed on Zoom (he must have been the hired handoff for the interview).

I have now spoken with many dozens of other employers who have either almost hired a North Korean fake employee or hired them. It is not rare. And sometimes the fake employees, when discovered, switch to a ransomware encryption scheme or steal your company’s confidential data and ask for a ransom, so it is not always just about getting the paycheck.

Employers beware.

Viswanathan Venkatasubramanian CISSP, CISM, CRISC

CISSP, CISM, CRISC, Cyber Security, Database Security, Threat Intel, Vice President - Information Security Threat Management Sr. Specialist at Bank Of America

2 weeks

Thanks for sharing! Lots of good perspectives. The restaurant at Dealey Plaza reference was genius

Had one today. The question I've been asking is -- "can you show me that it's daytime outside where you are?" Seems to end the conversation pretty quickly :)

Russell Thomas

Cybersecurity Cowboy and Survivalist

2 weeks

OMG... they were my best coders in my start-up company! It was not sensitive information, just a sub-culture social network, so I knew my risks well before hiring. I tell you what though, best damn coders for half the price of a legit one all day. We knew "Joe" and "Bill" were the same guy after a while, but they kept on killing it. It wasn't until I sold that business did the F.B.I. call me and clue me in.

Sherry Cross, PMP, PMI-ACP

Team Coordinator, IT Systems

2 weeks

Roger, we used to get the same thing from contracting companies that placed from India. They would actually have another person interview by telephone (great English) and swap the person out with someone else when they showed up on site (very little English). Once caught, the company was eliminated from all contracts they had with the company.
