Cybersecurity experts have warned that a long-running, insider-threat campaign from North Korea is planting remote workers at Australian organisations to divert salary earnings into the regime’s weapons program.
US authorities – particularly the Federal Bureau of Investigation (FBI) – have been chasing the scheme and its operatives since at least May 2022, when the FBI first sounded the alarm over North Korean IT workers securing roles at international companies.
Since then, members of the country's regime have continued to avoid sanctions by securing jobs under false pretences.
They conduct cyberespionage and syphon earnings to the Democratic People’s Republic of Korea’s (DPRK) weapon scheme.
Now, behavioral intelligence firm Dtex has warned the scheme poses a national security issue to Australia.
Dtex founder Mohan Koo told The Age numerous Australian firms were already compromised.
“I would say, dozens [are compromised] right now,” Koo said.
“[That’s] a pretty safe bet, but this can quite quickly explode.”
Further, Dtex research found the global operation involves “thousands” of undercover agents.
Speaking with Information Age, Jamie Lindsay, Dtex vice president of technology, said the threat had become “more widespread, more deliberate and harder to detect”.
“Technology, financial services, defence technologies, AI, quantum and other advanced industries are the priority targets,” said Lindsay.
“Those roles often provide access to valuable intellectual property, sensitive systems and trusted environments.
“But the risk does not stop there.
“Any sector that relies on remote-friendly roles, specialist contractors or third-party access can be exposed.”
Fake interview for fake worker
Dtex’s announcement came after the firm helped expose one of the scheme’s operatives during a staged, remote job interview on 60 Minutes.
While posing as a recruiter for an Australian development role, Nick McKenzie fronted a suspected facilitator believed to be prominently linked to the DPRK’s schemes.
Though the fake interviewee confidently asserted his value as an IT worker, he fell apart when grilled about his knowledge of New York, where he claimed to have previously studied.
The fake applicant stumbled into a nationally broadcast trap. Source: 60 Minutes.
Notably, the application used a resume from a real US citizen named Aaron Pierson – a man believed to be a potential ‘laptop farmer’ who receives and hosts the corporate PCs sent to successful applicants under the scheme.
Pierson, a black American, bore no resemblance to the applicant McKenzie was faced with on Zoom.
The applicant did not match Pierson’s resume picture. Source: Github.com
When pressed about the blatant discrepancy in their appearance, the DPRK applicant simply said they were “not too interested any more” and abandoned the call.
Lindsay said the interviewee’s bizarre error likely pointed to “a lapse in a high-volume process rather than a one-off mistake”.
“These operations are built for speed and scale, not perfect persona-building,” he said.
“Identities, résumés and other credentials are often reused or rotated in ways that can produce obvious inconsistencies.
“The objective is usually to get past employers with weak awareness or light vetting, not to survive deep scrutiny.”
AI tactics
While the scheme has long used deepfake software to doctor profile pictures or alter applicants’ appearances in video meetings, Lindsay said AI and related tools were now being used to make fraudulent candidates look credible “much earlier” in the process.
This included drafting “stronger resumes”, creating more polished online profiles, and achieving “more convincing” interview performances.
“Remote hiring is under particular strain because tools like voice synthesis, noise suppression and real-time response aids can make it harder to verify who is actually on the call,” Lindsay said.
“In some cases, third parties are also being used to create more distance between the applicant and the organisation.”
Mike Burgess, head of the Australian Security Intelligence Organisation (ASIO), corroborated that Australia was indeed at risk, and his agency had identified undercover operatives targeting Australian firms.
“This is a very real concern,” Burgess told 60 Minutes.
Dtex investigators estimated DPRK-linked IT workers generate approximately $864 million annually worldwide – a figure which could likely be “far higher” given the scale and reach of the networks involved in the scheme.
A threat not to be mocked
Jamieson O’Reilly, founder of information security company Dvuln, told Information Age although the DPRK's hacking capability has a “long history of being mocked in cybersecurity circles”, the state’s threat actors “do not get the respect they deserve as capable operators”.
“When it comes to their social engineering, there have been some genuinely blundering moments on camera… but think about what they've achieved financially despite those stumbles,” said O’Reilly.
“Several major crypto exchanges have been compromised over the past decade, allegedly funnelling billions back into state coffers.
“You don't pull that off by being incompetent.”
O’Reilly said Australian organisations can mitigate their risk by ensuring recruiters and human resources use “structured verification workflows for remote contractors”.
“Video interviews alone are insufficient,” he said.
“Require government ID verification through a trusted third party, use live contextual challenges during interview, and cross-reference applicants’ work history with something verifiable.”