The Ghost Employee: Department 53 and the North Korean Remote Workforce

July 15, 2024. Clearwater, Florida. 9:55 PM Eastern time.

A security alert fires inside the monitoring systems of KnowBe4 — a cybersecurity training company with over fifty million users across fifty-four thousand organizations. The alert flags anomalous activity on a newly provisioned workstation.

The workstation was delivered earlier that day to a newly hired Principal Software Engineer. He had passed four video interviews. His references had checked out. His background investigation had come back clean.

The engineer is twenty-five minutes into his first shift.

He is installing malware on the workstation, delivered via a Raspberry Pi connected to the same network.

His photograph is a stock image modified by artificial intelligence. His name belongs to a real American he has never met. His actual physical location is either within North Korea, or across the border in northeastern China.

This is not an isolated incident. KnowBe4 is a company that teaches other organizations how to detect exactly this kind of threat.

They were not the first target. They were not the hundredth.

This is a case file about a labor market with an adversary embedded inside it.

The Democratic People's Republic of Korea has, since approximately 2011, pursued information technology as a strategic national priority.

The directive originates with Kim Jong Un's ascent. Under sanctions that isolate the regime from global trade, conventional revenue streams have narrowed. Cyber operations — theft, espionage, fraud — have expanded to fill the gap.

The specific program in this case is operated by a unit designated Department 53.

Department 53 dispatches trained IT personnel abroad — primarily to China and Russia — and tasks them with obtaining remote employment at Western companies under fabricated identities. The workers do not immigrate. They do not file visa applications. They operate continuously from outside the target country.

According to South Korea's National Intelligence Service, the number of personnel in North Korea's cyber divisions grew from six thousand eight hundred in 2022 to eight thousand four hundred in 2024. The increase tracks the expansion of remote work norms after the pandemic.

U.S. government estimates place the collective annual earnings of this workforce at over five hundred million dollars. Individual operators can generate up to three hundred thousand dollars per year — sometimes by holding multiple simultaneous positions at different American companies.

Most of the revenue is laundered through Chinese accounts and routed back to Pyongyang. It funds the regime directly. Including, according to U.S. Treasury designations, its weapons of mass destruction programs.

The Federal Bureau of Investigation classifies this scheme as an active national security threat.

It has been operating at scale since at least 2018.

The mechanics proceed in six stages.

Stage one: identity fabrication.

The operator acquires the personal information of a real American citizen — usually through identity theft channels available on the dark web. Full legal name. Social Security number. Date of birth. Employment history. In one federal case, a single operation compromised the identities of more than eighty Americans.

The operator then constructs a professional identity on top of the stolen one. A LinkedIn profile with fabricated job history. A GitHub account with code that is often scraped or cloned. A passable photograph — frequently a stock image edited through generative AI to make reverse-image searches fail.

Stage two: the application.

The operator applies to remote-only positions, typically software engineering, frontend development, or full-stack roles. Some applications are routed through staffing agencies. Some go direct.

Stage three: the interview.

Most American employers conduct video interviews for remote positions. The operator attends with camera on. Pre-rehearsed responses. In more sophisticated cases, face-substitution technology is used to map a synthetic or live image onto the operator's face in real time.

According to the cybersecurity firm SentinelOne, approximately one thousand job applications received by the company in recent years have been linked to suspected North Korean operators. According to Mandiant, now a unit of Google Cloud, nearly every Fortune 500 chief information security officer interviewed on the topic has acknowledged that their company has, knowingly or unknowingly, hired at least one.

Stage four: the shipment.

Upon hire, the company issues a laptop — typically a MacBook. The operator provides a U.S. shipping address. The address is never the claimed residence.

It is a facilitator's home or commercial location.

This is the laptop farm.

The laptop farm is the operation's physical anchor.

A typical facility is a residence or small commercial space somewhere in the United States, operated by a facilitator — often a U.S. citizen, sometimes compensated, sometimes only partially aware of the full structure. Inside, dozens of employer-issued laptops are connected to a single local network. Each laptop is configured for persistent remote access.

The operator — physically in North Korea or across the Chinese border — connects via VPN or commercial remote desktop software into the laptop at the farm. From the employer's perspective, the employee's session originates from a residential U.S. IP address, during U.S. business hours, on a company-issued device.

All telemetry is clean.

The facilitator's role is structural. Receive shipments. Power the devices. Handle occasional on-site IT tasks. Process paychecks through shell companies into accounts controlled by co-conspirators abroad.
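The laptop-farm pattern described above leaves correlatable traces in data an employer already holds: the shipping address versus the residence on file, several employees' sessions arriving from one residential IP, and remote access software on a company-managed device. The following is an added example, not code from KnowBe4 or any source cited here; the record layout, field names, sample addresses and IPs are constructed, and the shared-IP threshold is an assumption.

```python
"""Added example: correlate HR and endpoint records for laptop-farm indicators.
All records below are constructed; field names and thresholds are assumptions."""
from collections import defaultdict

# Constructed records, one per employer-issued laptop (documentation IP ranges).
DEVICES = [
    {"employee": "alice", "claimed_residence": "Denver, CO", "ship_to": "Denver, CO",
     "public_ip": "203.0.113.10", "remote_access_installed": False},
    {"employee": "bob", "claimed_residence": "Austin, TX", "ship_to": "Phoenix, AZ",
     "public_ip": "198.51.100.7", "remote_access_installed": True},
    {"employee": "carol", "claimed_residence": "Seattle, WA", "ship_to": "Phoenix, AZ",
     "public_ip": "198.51.100.7", "remote_access_installed": False},
    {"employee": "dave", "claimed_residence": "Boston, MA", "ship_to": "Phoenix, AZ",
     "public_ip": "198.51.100.7", "remote_access_installed": True},
]

SHARED_IP_THRESHOLD = 3  # assumption: three or more employees behind one residential IP


def laptop_farm_indicators(devices):
    """Return {employee: [indicator, ...]} using the four signals named in the text."""
    by_ship_to, by_ip = defaultdict(set), defaultdict(set)
    for d in devices:
        by_ship_to[d["ship_to"]].add(d["employee"])
        by_ip[d["public_ip"]].add(d["employee"])
    findings = {}
    for d in devices:
        hits = []
        if d["ship_to"] != d["claimed_residence"]:
            hits.append("laptop shipped to an address other than the residence on file")
        others = by_ship_to[d["ship_to"]] - {d["employee"]}
        if others:
            hits.append(f"shipping address shared with {len(others)} other employee(s)")
        sharers = by_ip[d["public_ip"]]
        if len(sharers) >= SHARED_IP_THRESHOLD:
            hits.append(f"public IP shared by {len(sharers)} employees")
        if d["remote_access_installed"]:
            hits.append("remote access software present on a company-managed device")
        findings[d["employee"]] = hits
    return findings


def high_risk(devices, min_indicators=2):
    """Employees with at least min_indicators signals, most signals first, then by name."""
    ranked = sorted(laptop_farm_indicators(devices).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    return [emp for emp, hits in ranked if len(hits) >= min_indicators]


if __name__ == "__main__":
    for emp, hits in laptop_farm_indicators(DEVICES).items():
        print(emp, hits)
```

Any single signal has benign explanations (a relocation, a family sharing a connection); the value is in the overlap, which is why the ranking counts indicators per employee rather than alerting on any one.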

In April 2026, a federal court in Massachusetts sentenced two New Jersey residents — Kejia Wang and Zhenxing Wang, no relation — to nine years and seven and a half years in prison, respectively. Their operation placed North Korean workers at more than one hundred U.S. companies, including Fortune 500 firms and at least one unnamed defense contractor. It generated approximately five million dollars for the DPRK regime. They were compensated roughly seven hundred thousand dollars in fees.

In July 2025, the same program prosecuted Christina Marie Chapman, a forty-four-year-old Arizona woman. Chapman ran a laptop farm from her home for three years. Her operation touched more than three hundred American companies and funneled over seventeen million dollars to North Korea. She pleaded guilty and received a sentence of one hundred two months.

Chapman's operation compromised the personal identities of at least sixty Americans.

Her house was, for three years, connected by fiber optic to a nuclear weapons program on the other side of the world.

Return to Clearwater. Return to the twenty-five-minute window.

KnowBe4's security operations center, alerted by automated detection, reached out to the new employee to inquire about the anomalous activity. The employee responded that he was following a router troubleshooting guide and that it may have caused a false alarm.

KnowBe4's security team requested a live call. The employee said he was unavailable. Shortly after, he became unresponsive.

At 10:20 PM Eastern time, his workstation was contained.

KnowBe4 made the incident public in a detailed blog post authored by its chief executive, Stu Sjouwerman. The post described the specific technical action taken by the operator. "He used a raspberry pi to download the malware."

The malware was an infostealer. Its target was credential data left in browser sessions — residual authentication tokens from the laptop's prior provisioning. The operator's intent was to harvest what remained on the machine before it had been fully secured for him.

No customer data was exposed. The operator was terminated before gaining broader access.

But the operator had cleared every pre-employment control. Background check. Identity verification. Four video interviews with four different members of the team.

All of them had spoken with someone who did not exist.

The United States Department of Justice has, as of this recording, unsealed at least four major indictments related to the scheme. More than twenty-nine laptop farms have been searched across sixteen states. The FBI has issued public advisories in May 2022, October 2023, May 2024, and throughout 2025.

The enforcement pressure has not caused the operation to contract.

A researcher at KnowBe4 compared the economics to the drug trade. For every facilitator arrested, two are already available to replace them. The supply of U.S.-based co-conspirators — whether financially motivated or partially deceived — exceeds prosecutorial throughput.

The structural reason is labor market asymmetry.

Remote hiring is a global, asynchronous process. Identity verification at most American companies remains a domestic, synchronous one. A stolen Social Security number will pass an automated credit check. A purchased LinkedIn endorsement looks identical to an organic one. A laptop shipped to a U.S. zip code presents as a laptop in the United States.

The operators do not defeat these systems.

They pass through them exactly as designed.

Many of them also do the job.

A significant portion of North Korean operators deliver legitimate software engineering work. Their American employers receive functional code, met deadlines, and acceptable performance reviews. The exfiltration of salary is the entire operation. The exfiltration of data, when it happens, is a secondary harvest.

The question that cannot be answered from public information is how many operators remain employed inside American companies at this moment.

Mandiant's assessment — that nearly every Fortune 500 chief information security officer has admitted to at least one known case — establishes a floor, not a ceiling. The admitted cases are those that were detected. The undetected cases remain, by definition, in payroll systems.

No encryption defeats this attack. No network segmentation closes it. No firewall recognizes an employee who was legitimately hired.

The defensive surface is human resources.

The case file remains open.

As of April 2026, two of the most recently indicted facilitators are serving federal sentences in Massachusetts. Nine additional individuals connected to the same operation remain at large. The U.S. State Department is offering a five-million-dollar reward for information leading to the arrest of those still outside custody.

Department 53, in Pyongyang, continues to operate.

Fragment Zero will track the case file.

The next time an American company posts a remote software engineering role, approximately one in a thousand applications will originate from a unit of the North Korean government.

The defensive question is not whether an organization will encounter this operation.

It is whether the organization will notice.