What is IT worker infiltration?

IT worker (ITW) infiltration refers to a scheme in which malicious actors place fraudulent or compromised individuals into legitimate employment positions within target organizations, specifically in technology roles. The individuals placed in these roles often present convincing credentials. They may hold real qualifications, pass background checks using fabricated or stolen identities, and perform their job duties competently, all while pursuing a hidden agenda. In many cases, the "worker" is not even physically present in the country. They operate remotely, sometimes using techniques such as IP address spoofing, or even hiring local proxies to show up in person for ID verification or on-site requirements.

Who is behind these schemes?

The most well-documented example of state-sponsored ITW infiltration comes from North Korea. Since at least 2022, the U.S. Department of Justice, the FBI, and cybersecurity agencies have issued multiple warnings about thousands of North Korean IT workers operating under false identities to gain employment at Western companies. The Verizon 2026 Data Breach Investigations Report confirmed the scale and sophistication of this threat, noting that "using stolen identities, the ITWs were able to acquire jobs and operate out of regionally hosted laptop farms run by local accomplices. This setup allowed the actors to pass the interview process and perform the jobs without requiring a physical presence in the area."

The DBIR also noted that some industry sources have suggested these workers may be facilitating further access for state-sponsored groups. The scale of identity fraud involved is also documented in that report, "ITWs leveraged an estimated 15,000 possible stolen identities, with the typical ITW leveraging around three to five identities at any given time."

Research published by the Microsoft Defender Security Research Team adds important technical detail to how these actors operate. Their analysis of a North Korea-aligned threat actor tracked as Jasper Sleet found that these operatives use generative AI to analyze job postings, extracting role-specific language, required skills, certifications, and tooling expectations and then use those insights to construct fake personas and submit convincing job applications. The goal is not just to get an interview, but to pass screening and complete onboarding as a legitimate hire.

Some organizations have begun to find ways to detect these infiltrators. Amazon, for instance, revealed it thwarted more than 1,800 North Korean "remote worker" infiltration attempts by identifying a unique 110 ms keystroke input lag, a telltale artifact of remote-controlled sessions operating across long distances.

Case study: The DOJ's nationwide crackdown

In a law enforcement operation, the Justice Department announced coordinated, nationwide actions to combat North Korean remote information technology workers. The DOJ actions included two indictments, an arrest, searches of 29 known or suspected laptop farms across 16 states, and the seizure of 29 financial accounts and 21 fraudulent websites. North Korean actors, assisted by individuals in the United States, China, the UAE, and Taiwan, successfully obtained employment at more than 100 U.S. companies.

According to the DOJ press release, U.S.-based facilitators "created front companies and fraudulent websites to promote the bona fides of the remote IT workers, and hosted laptop farms where the remote North Korean IT workers could remote access into U.S. victim company-provided laptop computers." Hardware KVM (keyboard-video-mouse) switches were used to give overseas operatives full remote control of company-issued laptops hosted at facilitators' residences, mimicking legitimate local use to deceive employers.

One indictment in the District of Massachusetts detailed a scheme run by U.S. national Zhenxing "Danny" Wang and co-conspirators that generated more than $5 million in revenue. The group compromised the identities of more than 80 U.S. persons to secure remote positions at over 100 companies, including Fortune 500 firms. Shell companies were created to provide some legitimacy, with financial accounts routing salary payments to overseas co-conspirators. U.S. facilitators collectively pocketed at least $696,000 for their role in the scheme.

The DOJ confirmed that one operative remotely accessed a California-based defense contractor's files containing technical data controlled under the International Traffic in Arms Regulations (ITAR), export-controlled U.S. military technology. A separate indictment in the Northern District of Georgia detailed North Korean operatives stealing virtual currency worth approximately $900,000 by modifying smart contract source code after gaining their employers' trust.

FBI Assistant Director Roman Rozhavsky stated in the press release, "North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea's authoritarian regime." The case makes clear that by the time law enforcement can act, the access has already been granted and the data has already been stolen.

How the attack unfolds

Microsoft Defender Security Research has mapped the infiltration lifecycle into three distinct phases:

  • Pre-Recruitment. Before submitting an application, threat actors conduct structured reconnaissance. Microsoft's research found that Jasper Sleet operatives accessed the external career portals of target organizations, including HR platforms like Workday, to survey open roles and map out recruitment workflows.
  • Recruitment. Once in contact with a hiring team, these actors rely on email and video conferencing platforms for interview scheduling and communication. Microsoft's research notes that suspicious communications originating from known threat actor infrastructure can surface at this stage, as can anomalies in hiring documentation workflows such as offer letter signing. This is the window in which organizations have the best opportunity to flag fraudulent candidates before granting any access.
  • Post-Recruitment. If the operative is successfully hired, a legitimate account is created for them as part of standard onboarding. Microsoft's research observed that following onboarding, newly created accounts showed sign-ins and payroll configuration activity originating from known threat actor infrastructure. Once inside, these actors gain access to the full suite of internal tools which include document storage, communications platforms, email, and cloud environments. Microsoft noted an increase in impossible travel alerts on newly hired accounts in their first months of employment, a behavioral pattern consistent with operatives accessing systems remotely from locations inconsistent with their claimed identity.

Why is this hard to detect?

Several factors make ITW infiltration difficult to identify, especially during the hiring process:

  • Remote work has removed friction points. Before the normalization of remote work, physical presence, in-person interviews, and office environments provided natural checks against identity fraud. Now an entire employment lifecycle can happen without any physical verification.
  • Credentials can be fabricated. Fraudulent workers can present convincing LinkedIn profiles, GitHub histories, and references that are either fake or belong to co-conspirators. AI-generated content makes it easier to produce convincing portfolios and communication.
  • They are genuinely productive. Infiltrators often do their jobs. They deliver code, meet deadlines, and participate in team meetings. This competence delays suspicion and deepens trust, giving them more time and access to pursue their actual objectives. The 2026 DBIR noted that some organizations were even surprised to find that some of their top-performing new recruits were misrepresenting their identities.
  • HR and hiring teams are not trained for this threat. The 2026 DBIR states that the human element was present in 62% of breaches, a figure that shows how people remain the critical vulnerability.

The damage

Depending on the level of access obtained, a malicious insider can steal intellectual property including source code, research, product roadmaps, or customer data; conduct reconnaissance for a future cyberattack by an external team; sabotage systems during critical moments such as product launches or financial reporting periods; or extort the organization by threatening to expose sensitive data if their identity is investigated.

The DOJ's case makes clear these are not hypothetical risks. Operatives in the Massachusetts case accessed ITAR-controlled defense technology. Those in the Georgia case modified smart contract source code to siphon nearly $1 million in virtual currency.

What organizations can do

The 2026 DBIR is specific in its guidance, calling for "additional scrutiny to backgrounds, resumes and information provided by applicants; verifying identity through multiple touchpoints during the hiring process; making sure your insider threat and security awareness programs discuss these new types of threats." Microsoft Defender Security Research also recommends monitoring behavioral anomalies across multiple data sources throughout the hiring and onboarding process.

Building on this, organizations should also consider strengthening identity verification by using third-party services that require live video, government ID cross-referencing, and biometric checks. The DOJ case showed how 80 compromised U.S. identities were assembled and deployed across a single scheme.

Implement cameras-on video interview policies across all rounds and, where possible, conduct at least one in-person or proctored session before granting system access. Limit access during probationary periods: new hires should start with limited permissions that expand based on demonstrated need.

Monitor behavior. Microsoft specifically flags impossible travel alerts and anomalous sign-in activity on newly hired accounts as early indicators of infiltration. Insider threat detection tools that flag unusual data access patterns, file transfers, or off-hours activity can surface problems before they become breaches. Watch for post-hire payroll anomalies. Microsoft's research found that threat actors updated payroll details from known malicious infrastructure shortly after onboarding, and the DOJ case corroborates this.
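The post-recruitment signals from the lifecycle above and the monitoring guidance in this section can be turned into a concrete review of new-hire accounts. The Python below is an added example written for this page, not code from the article or from Microsoft, Verizon or the DOJ. It checks consecutive sign-ins for impossible travel, flags any activity from a threat-intel list, and flags payroll changes made shortly after onboarding; the thresholds, the IP addresses (TEST-NET ranges), the coordinates and the events are all assumptions or constructed sample data.

```python
"""Added example: review new-hire account activity for the three post-hire
signals the article describes. All data, thresholds and IPs are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed threat-intel list (TEST-NET placeholders, not real indicators).
KNOWN_THREAT_INFRA = {"203.0.113.7", "198.51.100.22"}

# Assumed thresholds; tune to the organization's own travel and onboarding norms.
MAX_PLAUSIBLE_SPEED_KMH = 900.0          # faster than a commercial flight
NEW_HIRE_WINDOW = timedelta(days=90)     # "first months of employment"
EARLY_PAYROLL_WINDOW = timedelta(days=30)


@dataclass
class Event:
    user: str
    kind: str          # "signin" or "payroll_change"
    ts: datetime
    ip: str
    lat: float         # geolocation of the source IP (constructed)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def analyze(events, hire_dates, now):
    """Return findings (dicts) for accounts still inside the new-hire window."""
    findings = []
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    for user, evs in by_user.items():
        hired = hire_dates.get(user)
        if hired is None or now - hired > NEW_HIRE_WINDOW:
            continue  # this review is scoped to recently onboarded accounts
        prev = None  # previous sign-in, for the impossible-travel check
        for ev in evs:
            if ev.ip in KNOWN_THREAT_INFRA:
                findings.append({"user": user, "signal": "known_threat_infra",
                                 "event": ev.kind, "ts": ev.ts, "ip": ev.ip})
            if ev.kind == "signin":
                if prev is not None:
                    dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                    hours = (ev.ts - prev.ts).total_seconds() / 3600
                    speed = dist / hours if hours > 0 else float("inf")
                    if dist > 0 and speed > MAX_PLAUSIBLE_SPEED_KMH:
                        findings.append({"user": user, "signal": "impossible_travel",
                                         "event": ev.kind, "ts": ev.ts,
                                         "ip": ev.ip, "speed_kmh": round(speed)})
                prev = ev
            elif ev.kind == "payroll_change" and ev.ts - hired <= EARLY_PAYROLL_WINDOW:
                findings.append({"user": user, "signal": "early_payroll_change",
                                 "event": ev.kind, "ts": ev.ts, "ip": ev.ip})
    return findings


# Constructed sample: one recent hire with suspicious activity, one long-tenured user.
NOW = datetime(2024, 3, 20, 12, 0)
HIRE_DATES = {"new.hire": datetime(2024, 3, 1), "veteran": datetime(2021, 1, 15)}
SAMPLE_EVENTS = [
    # new.hire: sign-in geolocated to Boston, then Los Angeles two hours later
    Event("new.hire", "signin", datetime(2024, 3, 4, 9, 0), "192.0.2.10", 42.36, -71.06),
    Event("new.hire", "signin", datetime(2024, 3, 4, 11, 0), "203.0.113.7", 34.05, -118.24),
    # payroll details changed four days after onboarding, from flagged infrastructure
    Event("new.hire", "payroll_change", datetime(2024, 3, 5, 3, 30), "198.51.100.22", 34.05, -118.24),
    # veteran: ordinary activity from one location, outside the new-hire window
    Event("veteran", "signin", datetime(2024, 3, 4, 8, 45), "192.0.2.20", 42.36, -71.06),
    Event("veteran", "payroll_change", datetime(2024, 3, 6, 10, 0), "192.0.2.20", 42.36, -71.06),
]


def run_demo():
    """Run the review over the constructed sample and return its findings."""
    return analyze(SAMPLE_EVENTS, HIRE_DATES, NOW)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the sample, the recent hire produces four findings (a known-infrastructure sign-in, an impossible-travel sign-in at roughly 2,000 km/h, and a payroll change that is both early and from flagged infrastructure), while the long-tenured account is skipped. In a real deployment the impossible-travel and threat-infrastructure checks would run against every account, with the new-hire window used to raise the priority of findings rather than to filter them out.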

Lastly, vet third-party contractors, applying the same scrutiny to contractors as to full-time employees. Train hiring managers and HR teams to recognize the red flags, which include reluctance to appear on camera, inconsistencies in background details, IP addresses that don't match claimed locations, and payments routed through unusual channels.

FAQs

Can small businesses and startups also be targeted, or is this mainly a risk for large corporations?

Yes, smaller companies are often easier to infiltrate because they have fewer verification resources and less mature insider threat programs.

How long does an infiltration last before it is discovered?

Infiltrations often go undetected for months or even years, because the operatives continue performing their job duties competently to maintain cover.

Are there industries outside of tech that are being targeted?

Yes, finance, defense contracting, healthcare, and any sector handling valuable intellectual property or sensitive data can be targeted.
