
Flare And IBM X-Force Uncover The Infrastructure Behind North Korea's Global IT Worker Fraud

New report based on proprietary threat intelligence reveals how the North Korean regime mobilizes thousands of skilled IT professionals to infiltrate organizations worldwide
MONTREAL, March 18, 2026 (GLOBE NEWSWIRE) -- Flare, the leader in Threat Exposure Management, today released new joint research with IBM X-Force, an elite global team of hackers, cyber defenders, threat intelligence analysts, and security researchers, titled Inside the North Korean Infiltrator Threat. This report provides rare visibility into the day-to-day operations of North Korean IT workers, detailing the tactics, techniques, and procedures (TTPs) they use to infiltrate organizations and extract both financial resources and sensitive information across North America and Western Europe.
Heightened federal enforcement actions, including multiple indictments over the past year, have exposed the expanding scale and sophistication of a global threat: North Korean nationals securing positions as remote IT contractors and full-time technology employees inside unsuspecting companies worldwide. North Korean IT workers (sometimes abbreviated as NKITW, DPRKITW, or ITW) are increasingly becoming a cornerstone of North Korea’s government strategy to deploy workers overseas and extract salaries for regime revenue generation.
“Defending against North Korean IT worker infiltration isn’t just a cybersecurity issue — it requires coordinated action across HR, security, hiring managers, and interview teams,” said a threat intelligence researcher at Flare. “This report offers a critical understanding of this evolving threat to the global business ecosystem, so that organizations can know what to look for and prevent infiltration from operators.”
Key Takeaways from the Report
- Internal North Korean systems identified: The report uncovered internal platforms, including “RB Site” and “NetkeyRegister,” that appear to function as management dashboards for tracking work, registering devices, and distributing software—showing these operations are centrally organized, not informal side hustles.
- Western collaborators help them stay inside companies longer: Some operatives recruit Western individuals, often through LinkedIn or GitHub, to use their identities, receive company laptops, and complete hiring paperwork. This makes it easier for them to get hired and remain embedded for extended periods.
- Debunking the myths behind the operation: While often assumed to be forced labor, a surprising finding was that North Korean IT workers typically function as full-time remote professionals, maintaining standard working hours and daily responsibilities.
- A detailed look at their daily workflow: Internal timesheets and training materials show how workers track job applications, manage freelance bids, and receive coaching on how to land remote roles, revealing a highly structured, repeatable process.
- Distinct communication patterns: The use of IP Messenger for internal chats and heavy reliance on Google Translate, often drafting messages in English and translating back into Korean to check accuracy, provides insight into how they operate and communicate.
- A structured, multi-role operation: The ecosystem includes recruiters, facilitators, IT workers, and collaborators/brokers, each with defined responsibilities in securing jobs and maintaining access.
- Money is the primary driver: While some teams have engaged in data theft or other malicious activity, the core objective is steady revenue generation from remote employment.
- Operations span multiple DPRK entities: Rather than being tied to a single government unit, IT worker teams appear to operate across various state bodies, party organizations, and front companies, making the threat broad and diffuse.
“North Korean IT workers are slipping through hiring and identity gaps in ways many organizations still underestimate,” said Josh Chung, strategic cyber threat analyst, IBM X-Force. “This report sheds light on how these operators embed themselves and offers practical direction to help security teams uncover and stop them.”
Mitigation Strategies
The report also offers mitigation strategies that organizations can implement before and after hiring, including: rigorous identity verification, scrutinizing resume and interview inconsistencies, watching for signs of AI manipulation or proxy collaborators, and requiring in-person interactions where possible. After employment begins, teams should monitor for behavioral red flags, suspicious VPN or remote access tools, and DPRK-linked software while maintaining regular live engagement with remote employees.
To view the full report, visit Flare’s website.
About Flare
Flare is the leader in Threat Exposure Management, helping global organizations detect high-risk exposures found on the clear and dark web. Combining the industry’s best cybercrime database with a ridiculously intuitive user experience, Flare enables customers to reclaim the information advantage and make cyber crime irrelevant. For more information, visit https://flare.io. To experience the platform firsthand, start a free trial at https://try.flare.io/free-trial/. Join our Discord community and explore Flare Academy to stay up-to-date on the latest in threat intelligence.
Media Contact
Geena Pickering
Look Left Marketing
flare@lookleftmarketing.com
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/9acca975-f39b-4682-9292-d6a066e2271a
Frequently Asked Questions
What is the main finding of the new report by Flare and IBM X-Force?
The report, titled 'Inside the North Korean Infiltrator Threat,' reveals how thousands of North Korean IT professionals are mobilized by their regime to infiltrate organizations worldwide, extracting financial resources and sensitive information.
How do North Korean IT workers typically operate?
They often secure positions as remote IT contractors or full-time technology employees, using internal management platforms and sometimes recruiting Western collaborators to establish themselves. While not forced labor, their operations are highly structured to generate revenue for the North Korean regime.
What are some recommended mitigation strategies for organizations?
Organizations should implement rigorous identity verification, scrutinize resume and interview inconsistencies, watch for signs of AI manipulation or proxy collaborators, require in-person interactions when possible, and monitor for behavioral red flags and suspicious remote access tools after hiring.
First published on Thu, Mar 19, 2026