In a week of unprecedented enforcement, the U.S. Department of Justice made headlines by executing a nationwide crackdown against the North Korean “remote IT worker” scheme. Authorities raided 29 “laptop farms” in 16 states, seized nearly 200 computers, froze financial accounts, and made the first public arrests in a years-long investigation. But despite this powerful show of force, we are only at the beginning: out of six Americans believed to have enabled these operations, only two have been charged, and just one is in custody.
If history and the Chapman case are any guide, many more indictments are coming. Christina Chapman, the Arizona woman whose guilty plea in February 2025 first brought this scheme into the spotlight, wasn’t arrested until months after federal agents raided her home in October 2023. This pattern makes clear that law enforcement is quietly gathering evidence, and the web of U.S.-based facilitators, shell companies, and financial “mules” is only starting to unravel.
A trove of new intelligence
With Chapman’s cooperation and the evidence seized during these raids, we are likely on the cusp of the deepest look yet into North Korea’s global workforce operations. These aren’t isolated “lone wolf” actors. The DOJ’s indictments describe a sprawling ecosystem: American and foreign facilitators, Chinese and Taiwanese coconspirators, and a relentless North Korean regime leveraging U.S. infrastructure and stolen identities to funnel revenue and sensitive technology back to Pyongyang.
The numbers are staggering
According to the DOJ and reporting in Wired, more than 80 stolen American identities were used to land jobs at over a hundred U.S. companies, with facilitators accessing the personal data of at least 700 Americans. North Korean operatives targeted not just financial gain, but also technology theft: in one case, a California defense contractor had ITAR-controlled, AI-related data exfiltrated. In another, North Korean insiders embedded at crypto startups stole more than $900,000 in digital assets, demonstrating how far-reaching and damaging this blended insider threat has become.
As DTEX’s Michael Barnhart told Wired, the real “soft underbelly” of these schemes isn’t in the sophistication of the attacks, but in the U.S.-based infrastructure that made them possible. Laptop farms, shell companies, and KVM switches all existed on American soil, often with the help of unwitting—or complicit—U.S. citizens.
Why it matters now
By targeting the U.S.-based “laptop farms” and facilitators, law enforcement is attacking the supply chain behind North Korea’s tech infiltration, not just the foot soldiers. But this is just the start: for every arrest made public, there are likely dozens more coming, and the true scale of North Korea’s global IT operations may only now be coming into focus.
If you’re a business leader or security professional, the most important question this week isn’t, “Have we been targeted?” It’s, “Would we even know?”
With more than 80 confirmed identity theft victims and only a single arrest so far, it’s almost certain more infiltrators are still operating—and some may be inside your organization right now.
Ask yourself:
- Did an employee or contractor suddenly go dark, miss meetings, or disappear during the week of the raids?
- Do you have clear visibility into where every remote device is located, who’s managing them, and how access is provisioned and monitored?
- Are you relying on background checks or “good behavior” as proof of trustworthiness, or do you have behavioral and technical controls that can spot the absence of engagement or suspicious remote activity?
The fallout from this week will continue for months, as investigations widen and more names are made public. Organizations should expect a surge of new intelligence about how these North Korean networks operate, and a wave of practical lessons for defending against a threat that now feels both global and personal.
Below are five practical steps any organization can take to protect itself right now.
1. Insider threats are coordinated
North Korean actors did not work alone; they relied on networks of U.S. and overseas facilitators, fake companies, and tools like KVM switches to enable remote access.
Action: Map your supply chain: vendors, contractors, and devices. Ensure you have visibility and chain-of-custody for all endpoints.
2. Background checks can’t catch ghosts
More than 80 stolen or synthetic identities were used. Traditional checks often miss these threats.
Action: Incorporate live video interviews, verify environmental consistency, and require post-hire video re-verification for remote staff.
3. Silence and “compliance” are not the same as trustworthiness
Many “model” workers were actually embedded operatives: never engaging, always on time, always quiet.
Action: Train managers to report patterns of low engagement and review them in context, not just for performance, but as potential security red flags.
4. Your attack surface includes every device and dollar
Laptop farms, shell companies, and shadow payments made these scams possible. Another common tactic: when an insider’s access is at risk of being exposed, the “IT worker” may report that their laptop was stolen. This not only explains sudden inactivity, but also buys time for the operators and potentially covers their tracks.
Action: Audit device locations and vendor payments. Monitor for unusual access or unexplained invoices, especially with new or remote hires. Treat reports of lost or stolen equipment from remote staff as potential security events, not just routine IT requests, and investigate accordingly.
5. Early detection lowers risk
The longer a threat lingers, the greater the damage. According to the 2025 Cost of Insider Risks Global Report, incidents resolved in under 31 days cost $10.6M on average, compared to $18.7M for those lasting over 91 days. The earlier an issue is detected, the lower the impact, financial and otherwise.
Action: Establish playbooks for sudden disengagement. Preserve logs and devices, and coordinate with legal and federal authorities as soon as possible.
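The monitoring that steps 4 and 5 call for (unusual access from remote hires, accounts that suddenly go dark) can be started with very little tooling. The script below is an added example written for this post, not code from DTEX or from any of the investigations described above. It runs three checks over a constructed sample of VPN/SSO login lines: a login region that differs from the region the employee declared to HR, a single source address shared by several distinct accounts (a laptop farm hosting many “employees” behind one residential connection looks exactly like this), and accounts with prior activity but nothing in the last few days. The log format, the field names, the declared-location table and every address in it are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-access telemetry (VPN / SSO login events).
# These lines are invented for this example and are not real logs.
LOG_LINES = """
2025-06-20T09:01:00Z user=alice src=203.0.113.10 geo=US-CA action=login
2025-06-20T09:03:00Z user=bob src=198.51.100.7 geo=US-TX action=login
2025-06-20T09:05:00Z user=carol src=198.51.100.7 geo=US-TX action=login
2025-06-20T09:06:00Z user=dave src=198.51.100.7 geo=US-TX action=login
2025-06-21T10:00:00Z user=alice src=203.0.113.10 geo=US-CA action=login
2025-06-21T10:02:00Z user=erin src=192.0.2.44 geo=US-AZ action=login
2025-06-22T08:30:00Z user=alice src=203.0.113.10 geo=US-CA action=login
2025-06-27T08:00:00Z user=alice src=203.0.113.10 geo=US-CA action=login
2025-06-27T08:10:00Z user=bob src=198.51.100.7 geo=US-TX action=login
2025-06-27T08:12:00Z user=dave src=198.51.100.7 geo=US-TX action=login
"""

# Declared home-office region per remote hire (constructed HR data, an assumption).
DECLARED_LOCATION = {
    "alice": "US-CA", "bob": "US-TX", "carol": "US-NY", "dave": "US-WA", "erin": "US-AZ",
}

# Corporate VPN egress addresses legitimately shared by many users; anything
# listed here is excluded from the shared-address check to avoid false positives.
KNOWN_EGRESS = set()


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append({"ts": ts, **fields})
    return events


def location_mismatches(events, declared):
    """Users observed logging in from a region other than the one on file."""
    hits = {}
    for e in events:
        expected = declared.get(e["user"])
        if expected and e["geo"] != expected:
            hits.setdefault(e["user"], set()).add(e["geo"])
    return {user: sorted(regions) for user, regions in hits.items()}


def shared_source_addresses(events, min_users=3, allowlist=()):
    """Source addresses used by several distinct accounts: one hallmark of a laptop farm."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["src"] not in allowlist:
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= min_users}


def went_dark(events, as_of, quiet_days=5):
    """Accounts with earlier activity but no events in the last quiet_days before as_of."""
    last_seen = {}
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = as_of - timedelta(days=quiet_days)
    return sorted(user for user, ts in last_seen.items() if ts < cutoff)


def review(text=LOG_LINES, declared=DECLARED_LOCATION, as_of=None):
    """Run all three checks; as_of defaults to the newest timestamp in the log."""
    events = parse_events(text)
    as_of = as_of or max(e["ts"] for e in events)
    return {
        "location_mismatch": location_mismatches(events, declared),
        "shared_source": shared_source_addresses(events, allowlist=KNOWN_EGRESS),
        "went_dark": went_dark(events, as_of),
    }


if __name__ == "__main__":
    for finding, detail in review().items():
        print(f"{finding}: {detail}")
```

On the sample data the script flags carol and dave for logging in from Texas while their files say New York and Washington, flags 198.51.100.7 as one address serving three accounts, and lists carol and erin as accounts that have gone quiet. None of these is proof of anything on its own; the point of step 5 is that each becomes a ticket for the playbook, with logs preserved before anyone contacts the employee.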
Closing thoughts
The North Korean IT worker crackdown highlights a fundamental shift in the threat landscape, where insider risks emerge not just from within, but through complex external networks woven into organizations. As internal and external threats converge, fueled by evolving technologies like AI and deepfakes, organizations must adopt integrated strategies that blend behavioral insights, supply chain vigilance, and collaborative intelligence. Additionally, as North Korea adapts and shifts to tactics such as subcontracting and middle management to hide behind front companies, distinguishing nation-state activity from ordinary criminal activity will become muddled and more difficult. Behavioral monitoring, validation, and verification will remain paramount as those lines blur.
The recent law enforcement actions are only the beginning; future threats will likely be more subtle and sophisticated. Preparing today ensures organizations can confidently navigate this evolving landscape, detecting and mitigating risks before they escalate.
For support in bolstering your defenses against DPRK IT workers, learn more in DTEX’s Insider Threat Advisory on the subject.