The Deep Brief · Curated Playbook · HR Tech · Apr 29, 2026 · 16 min read

The North Korean IT Worker Defense Playbook: Detection Across the Hire Pipeline

A defense playbook for the largest active employment fraud scheme in 2026. Detection at application, interview, and Day 1. FBI and Treasury advisory aligned.


North Korean IT worker fraud is the largest active employment fraud scheme targeting US enterprises. DPRK-affiliated workers use stolen US identities to obtain remote IT and engineering roles. Wages flow back to North Korea. The scheme funds DPRK weapons programs.

The FBI, Treasury, and State Department have issued repeated advisories since 2022. Reported losses exceed $400 million annually. The actual losses are higher because most affected companies do not publicly disclose the breach.

1. The threat profile

DPRK IT workers operate through a documented playbook. The worker uses a stolen or purchased US identity belonging to a real person whose information was compromised in a prior data breach. The worker pairs the identity with a fabricated or AI-generated resume showing employment history at companies the real person never worked at.

Interviews happen over video, often with real-time deepfake video impersonating the candidate. Voice clones may be layered for additional authenticity. If hired, the worker uses a 'laptop farm' operated by a US-based intermediary — the laptop physically sits at an address in the US while the worker remotely accesses it from China or Russia.

2. Stage 1: Application

AI resume detection: forensic analysis on resume content, formatting, and employment claim cross-referencing against The Work Number and ADP.
Identity verification at submission: government ID forensics plus biometric capture at application.
Adverse media screening: continuous screening against open-source intelligence and FBI advisory indicators.
Geo-routing analysis: IP analysis on application submission, flagging anomalies aligned to FBI indicators.

3. Stage 2: Interview

Real-time deepfake video detection: frame-level forensics during interview, detecting real-time deepfakes from Sora, Runway, Pika, Veo, and emerging models.
Voice clone detection: spectral analysis on candidate audio, detecting ElevenLabs and emerging voice synthesizers.
Liveness verification: active liveness check before interview begins.
Webcam continuity monitoring: detection of webcam disable, virtual camera substitution, or video manipulation mid-interview.

4. Stage 3: Pre-hire verification

Government ID verification cross-referenced against issuing authority.
Education verification through National Student Clearinghouse.
Employment verification via The Work Number, ADP, Argyle, plus direct outreach for unverifiable employers.
Cross-stage biometric continuity (same person at application, interview, and offer signing).
Equipment shipping address cross-referenced against candidate's stated residence.

5. Stage 4: Day 1 onboarding

Biometric capture of the person who shows up to onboarding, cross-referenced against the application biometric.
First-day network access analyzed against the candidate's claimed location.
Periodic re-verification through the first 90 days of employment.
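The Stage 3 shipping-address check and the Stage 4 first-day network check, sketched as an added example (not deepidv's code). It also flags a shipping address shared by several hires, a generalization consistent with the laptop-farm pattern in section 1. Record fields, flag names and sample data are constructed, and login regions are assumed to be already resolved from IP by a geo-IP lookup.

```python
import re
from collections import defaultdict

# Constructed sample records; every name, address and field is hypothetical.
HIRES = [
    {"id": "c-101", "residence": "12 Oak St, Apt 4, Austin, TX 78701",
     "ship_to": "12 Oak Street Apt 4, Austin TX 78701",
     "claimed_region": "US-TX", "first_login_region": "US-TX"},
    {"id": "c-102", "residence": "88 Pine Ave, Denver, CO 80202",
     "ship_to": "501 Elm Rd, Nashville, TN 37201",
     "claimed_region": "US-CO", "first_login_region": "US-TN"},
    {"id": "c-103", "residence": "7 Lake Dr, Boise, ID 83702",
     "ship_to": "501 Elm Road, Nashville, TN 37201",
     "claimed_region": "US-ID", "first_login_region": "US-TN"},
]

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd",
           "drive": "dr", "apartment": "apt"}


def norm_addr(addr):
    """Lowercase, drop punctuation, and collapse common suffix spellings
    so that 'Elm Road' and 'Elm Rd,' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def review_flags(hires):
    """Return {hire_id: sorted flags}. Flags route a hire to manual review;
    none of them is proof of fraud on its own."""
    by_ship = defaultdict(list)
    for h in hires:
        by_ship[norm_addr(h["ship_to"])].append(h["id"])

    result = {}
    for h in hires:
        ship = norm_addr(h["ship_to"])
        flags = set()
        if ship != norm_addr(h["residence"]):
            flags.add("ship_to_differs_from_residence")
        if len(by_ship[ship]) > 1:  # several devices sent to one address
            flags.add("ship_to_shared_with_other_hires")
        if h["first_login_region"] != h["claimed_region"]:
            flags.add("first_login_region_mismatch")
        result[h["id"]] = sorted(flags)
    return result
```
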

6. Detection accuracy

AI resume detection accuracy: 96%+.
Deepfake interview detection accuracy: 95%+.
NK indicator pattern match accuracy: 92%+.
Cross-stage biometric continuity accuracy: 99%+.
False-positive rate: under 3% (configurable per workflow).

7. Operational integration

Reference integrations exist for Workday, Greenhouse, Lever, iCIMS, Ashby, HireVue, Modern Hire, Zoom Interviews, and Microsoft Teams Interviews. The full pipeline deploys in 30 to 60 days for most enterprise customers.

8. Compliance and bias considerations

The defense pipeline operates under multiple regulatory frameworks: FBI / Treasury OFAC advisory alignment, OFCCP pre-hire identity verification, EEOC bias-tested detection per Uniform Guidelines, NYC Local Law 144 audit alignment, Illinois AI Video Interview Act, and EU AI Act high-risk AI system requirements.

9. Incident response when detection fires

When a stage-level detection fires, the response follows a structured path: hold application/interview/onboarding; senior recruiter notified; forensic review of evidence chain; if indicator pattern matches, internal security is notified and FBI tip-line submission may be initiated; otherwise manual interview with recruiter. Senior recruiter or talent acquisition leadership makes the final call on application status.

10. Customer outcomes

Enterprise tech deployments report: 12 to 47 confirmed NK IT worker attempts blocked per quarter at large enterprises; 95%+ compromised hires successfully detected at application or interview stage; 100% Day 1 identity swap attempts blocked on confirmed cases; under 4 minutes of legitimate candidate friction added to total hire pipeline time.

NK IT Worker Defense FAQ

Is North Korean IT worker fraud really at $400M+ annually?
Yes. The FBI and Treasury have published the figure across multiple advisories since 2023. Industry estimates suggest the actual losses are higher because most affected companies do not publicly disclose the breach.
How does deepidv know which IPs and patterns are DPRK-affiliated?
Detection draws on FBI advisory indicators, Treasury OFAC sanctions data, open-source threat intelligence, and deepidv's own observed patterns across enterprise deployments. The detection model updates continuously as new patterns are identified.
What if my role is not engineering or IT?
The pattern is concentrated in remote engineering and IT roles, but the same defense pipeline applies to any remote knowledge work role. Defense contractors and financial services companies deploy across all remote roles regardless of function.
How does this work for international candidates legitimately based abroad?
The detection model distinguishes between legitimate international candidates and DPRK-affiliated patterns. Legitimate candidates from non-DPRK regions pass without friction. The pattern matching is specific to DPRK affiliation indicators, not international candidacy.
What about EEOC and bias requirements?
Detection models are bias-tested per the Uniform Guidelines. Disparate impact analysis is part of every model release. Continuous monitoring detects fairness drift. Documentation aligned to NYC Local Law 144 and Illinois AI Video Interview Act ships with every deployment.
Can deepidv help with FBI tip-line submissions on confirmed cases?
The audit trail and forensic evidence chain are exportable in formats appropriate for law enforcement submission. deepidv does not directly file tips on behalf of customers. The customer's internal security or legal team handles submission per their standard procedure.
What is the cost model?
Per-candidate pricing with enterprise commitments. Most enterprise customers land at $15 to $40 per candidate depending on the verification stack chosen. Volume discounts at 10K+ candidate annual thresholds.