North Korea may have an operative inside your company. Here are six red flags



Michael Barnhart is an investigator at DTEX Systems focused on North Korea.

They showed up on time, crushed their deadlines and asked no questions.

They never turned on their camera. It was a little odd, but not a deal-breaker.

Then they left.

No notification. No forwarding details. Just silence.

Across the industry, some of the highest-performing remote workers are disappearing without a trace. For many companies this is not a burnout problem but a breach of trust. In more cases than you might think, the root cause traces back to the Democratic People’s Republic of Korea (DPRK).

On June 30, the FBI and the Justice Department announced one of the largest crackdowns yet on North Korea’s remote IT worker program, which is covertly funded by the regime. Nearly 30 suspected “laptop farms” across 16 U.S. states were raided. The coordinated action included three prosecutions, one arrest, the seizure of 29 financial accounts and the takedown of 21 websites: a sweeping effort to disrupt a covert operation that places sanctioned workers inside companies around the world under false identities.

The bust marks a rare, direct strike against one of the world’s most elusive cyber adversaries.

North Korea’s shadow IT workforce is more than a sanctions problem. It is a global for-profit operation that embeds operatives under false identities inside major companies, funneling money, access and opportunity back to the regime. And if you think you would spot one, you probably wouldn’t. These workers are meant to be quiet, are highly skilled, and are trained to exploit the blind spots of modern remote work.

The scale of this infiltration is larger than many realize, and this prosecution is unlikely to be the last. Right now, every company should be asking: could this be us?

Six red flags that you’ve hired a North Korean IT worker

DPRK tradecraft 101 is to evade detection and blend into the background. But with the right behavioral analysis and cross-functional vigilance, patterns emerge. Here is what to watch for:

  1. Run known DPRK-linked IOCs against your systems
    Start with what is public. Known indicators of compromise (IOCs) tied to DPRK operations are readily available. Cross-reference them against your email logs, ticketing systems and access records. If you get a hit, you may already be compromised.
  2. Odd hours for supposedly U.S.-based employees
    A remote developer who claims to be in Austin but pushes commits at 3 a.m. local time? That’s not hustle, it’s a time zone mismatch. DPRK operatives often work from China or Russia and shift their hours to avoid detection. Look for odd bursts of late-night activity or unnatural work rhythms.
  3. Use of remote access tools and anonymizers
    IP-KVM switches. Mouse-automation tools. Anonymizing VPNs and remote desktop protocols. These aren’t just unusual, they are DPRK staples. If the remote access patterns you see don’t match the user’s declared behavior, or tools that simulate presence are present, investigate.
  4. Unusually low communication and engagement
    Camera always off. Perpetually quiet. No problems, no friction. In many organizations that reads as a plus. But low engagement, especially in key roles, is a tell. DPRK operators are trained to stay invisible, and that silence is usually a signal. In some cases the quiet is not just disengagement but operational cover. Several fake workers have vanished recently, not because they quit but because their equipment was caught up in international law enforcement actions. When someone goes dark, it may not be ghosting: law enforcement may be holding your company’s compromised systems.
  5. Résumé or referral patterns that feel too polished
    Take a closer look at your recruiting pipeline. Repeated résumés. Recycled wording. Overlapping career timelines. These are signs of templated personas. DPRK operators often get in, or refer other DPRK workers from the same cell, through fake recruiters. When the candidates start to blur together, it’s time to dig deeper.
  6. Gaps between interview and on-the-job performance
    Crushed the interview. Floundered on day one. It happens, but it’s a problem when the person doing the job doesn’t match the person who was interviewed. Voice changers, stand-ins and deepfakes are all used to get through the process. Even a quick follow-up call can reveal the inconsistency.
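Red flags 1 through 3 are the ones a security team can turn directly into log analytics. The following is an added illustrative example, not code from the article or from DTEX: it parses a constructed access-log format, cross-references source IPs and domains against a placeholder IOC list (documentation-range addresses, not real indicators), converts each event to the employee’s declared local time using a fixed UTC offset taken from a constructed HR roster (a real deployment would use `zoneinfo` with the declared IANA zone so daylight-saving time is handled), and flags process names associated with presence-simulation or remote-control tooling. The log format, roster, IOC values and tool names are all assumptions made for the example.

```python
"""Triage remote-worker activity for DPRK-style red flags (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed HR roster: declared location as a fixed UTC offset. Real deployments
# should store the declared IANA zone and use zoneinfo instead of a fixed offset.
ROSTER = {
    "jdoe": {"declared_city": "Austin, TX", "utc_offset_hours": -5},
    "asmith": {"declared_city": "Denver, CO", "utc_offset_hours": -6},
}

# Placeholder IOC sets. These are NOT real indicators; the IP is from the
# TEST-NET-3 documentation range. Replace with a published DPRK IOC feed.
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"ioc-placeholder.example"}

# Illustrative process names for presence-simulation / remote-control tooling.
SUSPECT_TOOLS = {"mouse_jiggler.exe", "ipkvm-agent", "remote-desktop-relay"}

# Constructed sample log lines: "<ISO-8601 UTC> user=<id> src=<ip> proc=<name> domain=<fqdn|->"
SAMPLE_LOG = [
    "2025-06-14T07:12:03Z user=jdoe src=198.51.100.7 proc=git domain=-",
    "2025-06-14T08:30:41Z user=jdoe src=198.51.100.7 proc=mouse_jiggler.exe domain=-",
    "2025-06-14T09:05:19Z user=jdoe src=203.0.113.45 proc=ssh domain=-",
    "2025-06-14T15:00:00Z user=jdoe src=198.51.100.7 proc=git domain=ioc-placeholder.example",
    "2025-06-15T07:45:12Z user=jdoe src=198.51.100.7 proc=git domain=-",
    "2025-06-14T15:10:22Z user=asmith src=192.0.2.88 proc=git domain=-",
    "2025-06-14T18:22:05Z user=asmith src=192.0.2.88 proc=code domain=-",
    "2025-06-14T21:40:57Z user=asmith src=192.0.2.88 proc=git domain=-",
    "2025-06-14T23:55:30Z user=asmith src=192.0.2.88 proc=git domain=-",
]


@dataclass
class Event:
    ts_utc: datetime
    user: str
    src_ip: str
    proc: str
    domain: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event with a timezone-aware UTC timestamp."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(
        ts_utc=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        user=kv["user"], src_ip=kv["src"], proc=kv["proc"].lower(), domain=kv.get("domain", "-"),
    )


def match_iocs(events):
    """Red flag 1: map user -> set of IOC values seen in their events."""
    hits = {}
    for e in events:
        for value, ioc_set in ((e.src_ip, IOC_IPS), (e.domain, IOC_DOMAINS)):
            if value in ioc_set:
                hits.setdefault(e.user, set()).add(value)
    return hits


def off_hours_ratio(events, roster, start_hour=6, end_hour=22):
    """Red flag 2: fraction of each user's events outside [start_hour, end_hour) in declared local time."""
    counts = {}  # user -> (total, off_hours)
    for e in events:
        declared = roster.get(e.user)
        if declared is None:
            continue  # unknown identity is its own finding; handled outside this metric
        local = e.ts_utc + timedelta(hours=declared["utc_offset_hours"])
        is_off = not (start_hour <= local.hour < end_hour)
        total, off = counts.get(e.user, (0, 0))
        counts[e.user] = (total + 1, off + int(is_off))
    return {u: off / total for u, (total, off) in counts.items()}


def suspect_tool_use(events):
    """Red flag 3: map user -> set of suspect tool process names observed."""
    seen = {}
    for e in events:
        if e.proc in SUSPECT_TOOLS:
            seen.setdefault(e.user, set()).add(e.proc)
    return seen


def triage(lines, roster, off_hours_threshold=0.5):
    """Combine the three checks into a per-user list of flags for analyst review."""
    events = [parse_event(l) for l in lines]
    iocs, off_hours, tools = match_iocs(events), off_hours_ratio(events, roster), suspect_tool_use(events)
    findings = {}
    for user in roster:
        flags = []
        if user in iocs:
            flags.append("ioc_hit")
        if off_hours.get(user, 0.0) >= off_hours_threshold:
            flags.append("off_hours")
        if user in tools:
            flags.append("remote_tooling")
        findings[user] = flags
    return findings


if __name__ == "__main__":
    for user, flags in triage(SAMPLE_LOG, ROSTER).items():
        print(f"{user}: {', '.join(flags) or 'no flags'}")
```

None of these signals is conclusive on its own; a contractor travelling or a night-owl engineer will trip the off-hours check, which is why the output is a list of flags for a human to review rather than a verdict, and why the threshold and business-hours window are parameters.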

I hired a North Korean worker. Now what?

Step 1: Don’t panic. Step 2: Move quickly.

When sensitive customer data or intellectual property may have been exposed, your response must be immediate, coordinated and comprehensive.

Here is what to do next:

  1. Contain and isolate immediately
    Suspend all access now: VPN, cloud platforms, code repositories and email. Isolate the devices and preserve them for forensic analysis; do not wipe or reset anything. Rotate all relevant credentials to prevent further access. Speed matters: every minute counts in preventing data theft or destruction.
  2. Conduct a comprehensive forensic investigation
    Bring in experts in insider threats and DPRK tactics. Analyze network, cloud, endpoint and code repository logs for anomalous access or data removal. What did they touch? Where did data flow? Look for covert data transfers or attempts to hide activity.
  3. Assess the scope of exposure
    Did they access customer data, IP, source code or regulated content? Assess compliance exposure under GDPR, HIPAA or CCPA. The risk isn’t limited to theft; consider ransomware or deeper compromise.
  4. Coordinate a cross-functional response
    Bring in legal, PR and HR. Legal advises on disclosure; PR prepares messaging; HR manages the internal fallout. The faster you coordinate, the more control you keep.
  5. Engage external authorities
    Loop in law enforcement, including the Internet Crime Complaint Center (IC3) and the Department of Defense Cyber Crime Center (DC3). These aren’t just corporate risks; they are geopolitical. Sharing intelligence strengthens your position and may help prevent future breaches.

Prevention goes beyond the network and HR

Running known IOCs is a start, and a clean report is good news. But DPRK operations move fast. Prevention requires behavior-based visibility and tight cross-team alignment.

Pre-hire safeguards:

  • Live-camera interviews with IP/geolocation verification
  • Independently verify references and past employment
  • Use unscripted technical Q&A to gauge real expertise
  • Involve HR and legal in security awareness and hiring processes

Post-hire safeguards:

  • Flag reapplications that recycle details or aliases
  • Monitor unusual access times, remote tool usage and VPN spikes
  • Track engagement levels: silence is a signal
  • Watch for early signs of ransomware, evasion or data misuse

By fostering close collaboration among security (internal and external), HR, risk and legal teams, organizations can build a resilient insider risk program that detects and mitigates threats before they escalate. Prevention is a team effort, and behavior is the strongest signal.

North Korea: what’s next

The latest and ongoing government actions have pushed North Korea’s shadow workforce into the spotlight. But exposure is not elimination. The playbook will keep evolving: new names, new tools, new countries.

Modern insiders won’t always look suspicious. They look perfect. Until they disappear.

Knowing what to look for is the first step. Shutting it down for good is the mission ahead.

The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
