The Billion Dollar Hiring Scam Funding North Korea

Feb 26, 2026

Evan Gordenker, Director-level investigator of DPRK operations and AI security, reveals how North Korea embeds fabricated identities and accomplice networks into legitimate hiring pipelines. He discusses deepfakes, interview stand-ins, and AI-assisted deception. He also covers how roles are chosen, facilitator infrastructures, detection gaps in HR and security, and the shift from wage theft to extortion.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Mechanized State Workforce Funding The Regime

The DPRK IT worker program is a mechanized, long-running state operation that coerces and trains technically skilled people to generate revenue for the regime.
Evan Gordenker describes middle-school math selection, English/computer training, and apartment blocks in China/Russia where operators log in and work for regime profit.

INSIGHT

Generative AI Is Core To Their Tradecraft

DPRK operators heavily leverage generative AI across the lifecycle: writing emails, code, and producing real-time audio/video deepfakes to pass interviews.
Gordenker notes accent-changing and real-time deepfakes are already used to mask origins and will persist.

INSIGHT

Remote Ban Won't Stop The Scam

'We don't hire remote' is a false comfort: DPRK exploits contracting, laptop farmers, and accomplices to gain in-office verification then provide remote access.
Examples include surge hiring for projects and paying locals to boot company laptops and enable remote control.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

North Korea has turned your hiring pipeline into a revenue machine. And most organizations have no idea.

Evan Gordenker, Director of AI Security and DPRK Operations at Unit 42, has led more than 160 investigations into sophisticated threat actors, including the North Korean IT worker networks quietly embedded inside global companies. He joins David Moulton to unpack how this operation actually works, why common assumptions about remote work leave organizations exposed, and what security and HR teams can do to detect and disrupt it.

You'll learn:

- How DPRK operatives use deepfakes, fabricated identities, and real accomplice networks to pass interviews and land jobs at global companies

- Why "we don't hire remote" is a dangerous assumption that no longer holds

- What signals HR and SOC teams should look for, before and after someone is hired

- How the threat has evolved from quiet wage theft to active extortion of former employers

- What government collaboration and cross-border intelligence sharing can realistically accomplish

Evan contributed to the UN Sanctions Monitoring Team report on North Korean operations and brings a rare combination of technical depth and geopolitical fluency to this problem. Having lived and worked across the US, EU, and Japan, he brings cultural context that matters when investigating a threat with global reach. His investigations have produced some of the most detailed profiles of DPRK operators in the security community.

This episode is essential listening if you're: a security leader building out your insider threat program, an HR or talent acquisition leader who hasn't yet connected with your security team, or a threat intelligence analyst tracking how nation-state programs fund themselves.

Related Episodes:

- From Code to Compromise — Covers North Korean threat actors using fake job interviews to target developers via malicious IDE extensions. A strong companion to this episode's look at the broader IT worker scheme.

-Inside the Mind of State-Sponsored Cyberattackers — A deeper look at how nation-state operations are structured and why they're so hard to disrupt.

#NationStateThreat #InsiderRisk

About Threat Vector

Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends.

The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers.

Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization.

Palo Alto Networks

Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile.⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠http://paloaltonetworks.com.⁠