Your New Remote Coworker Is a North Korean Spy. Thousands of Companies Hired Them.
This case file is produced by Fragment Zero's editorial team. Original research, sourcing, and narrative analysis are performed by human editors. Voiceover is synthesized; visual illustrations are AI-generated. Every factual claim is cited to public documents, peer-reviewed publications, or named primary sources.
The most dangerous person your company ever hired passed every interview.
They had a clean résumé. Strong references. They answered the technical questions correctly. A recruiter spoke with them four times over video. A background check came back clear.
And then the laptop you shipped to their home address was plugged into a rack of ninety other laptops in a stranger's house in Arizona — and driven, in real time, by a software engineer working for the government of North Korea.
This is not a story about a firewall that failed. No system was bypassed. No password was stolen in the way you are imagining. There was no breach, in the conventional sense, at all.
The intruder did not break into the company.
The company interviewed the intruder, checked the intruder's references, negotiated the intruder's salary, and mailed the intruder a computer.
This is Fragment Zero, Case File forty-six. The North Korean Coworker. And the job posting that became an attack surface.
To understand how this works, you have to abandon the image you have of a hacker.
There is no hooded figure in a basement. There is no malware on a USB stick slipped into a parking lot. The operation at the center of this case file is something stranger and, in a way, far more elegant. The Democratic People's Republic of Korea — a country with limited internet access for its own citizens, under some of the heaviest economic sanctions in the world — discovered that the single most valuable export it could produce was labor. Specifically, remote software labor.
The premise is simple. Around the world, thousands of companies hire engineers they will never meet. The interview is a video call. The onboarding is a shipped laptop. The work is commits in a repository and tickets in a queue. The colleague exists, for all practical purposes, as a name, a face on a screen, and a bank account.
North Korea looked at that arrangement and saw an opening. If a worker is only ever a name, a face, and a bank account — then all three can be manufactured.
United States intelligence and the Department of Justice describe a structured program. The workers are real, highly trained DPRK nationals — many of them based not inside North Korea but in China and in Russia, where the internet works and the oversight does not. They are organized into teams with revenue quotas. They apply for legitimate remote jobs at Western companies using the identities of real people, or fabricated ones, or identities they have effectively rented.
They are good at the work. That is the part that unsettles the people who have investigated this. These are not scammers who fail upward. They pass technical screens because they can actually do the job. They ship working code. They attend the stand-up meetings. They get good performance reviews.
And every paycheck, routed through a chain of intermediaries, ends up funding the weapons program of a nuclear-armed state.
The first problem the program had to solve was identity.
A remote employer in the United States will, at some point, ask for a real name, a real Social Security number, and a real bank account. So the operation acquired them. In some cases the identities were stolen outright. In others — and this is the detail that turns the story domestic — real Americans were recruited, knowingly or not, to lend their names to the paperwork.
Investigators have documented people in the United States who discovered that, on paper, they were employed at companies they had never heard of, by workers they had never met, on the other side of the planet.
The photograph was the next problem. A video interview needs a face. So the operatives turned to the tools everyone now has. Stock photographs, enhanced and altered with artificial intelligence. Composite headshots assembled to match a fabricated name. In the interviews themselves, reports describe coached scripts, real-time translation, large language models drafting answers to behavioral questions in a side window — and, in the more advanced cases, attempts at live face manipulation on the video feed itself.
The recruiter on the other end of that call has thirty minutes and a hiring target. They are not a counterintelligence officer. They are looking for someone who can answer the questions and seems like they will be pleasant to work with.
The operatives could do both.
But there was one thing the identity could not fake. Location.
When a company in Texas ships a laptop to a new hire, and that laptop connects every morning from an address in northern China, the illusion collapses immediately. Payroll systems, security tools, and tax authorities all expect a domestic employee to be domestically present.
So the program built a piece of physical infrastructure inside the United States. Its nickname, among investigators, is the laptop farm.
A laptop farm is exactly what it sounds like. A person living in the United States agrees — for a fee — to receive the company laptops shipped to fake employees. They keep the laptops powered on, connected to a home internet line, and racked on a shelf. Installed on each one is remote-access software. From thousands of miles away, the actual worker logs in and operates the machine as though they were sitting in that American living room.
The laptop is in Arizona. The hands are in Asia. The paycheck deposits into an account that drains, through cryptocurrency and shell companies, back to the regime.
In 2024, the Department of Justice put a name and an address to one of these farms.
In Litchfield Park, Arizona, prosecutors charged a woman named Christina Chapman with running one of the largest laptop farms ever documented in the United States. Inside her home, investigators described dozens of laptops — by some reporting, around ninety — each one a company-issued machine for a remote worker who did not exist as advertised.
The scale of what flowed through that single house is the part that is difficult to absorb. According to the Department of Justice, the operation Chapman facilitated touched more than three hundred American companies. Among them: Fortune 500 corporations. A major television network. An aerospace and defense manufacturer. A carmaker. A Silicon Valley technology firm. These were not careless startups. These were some of the most security-conscious organizations in the country.
The revenue traced through the scheme exceeded seventeen million dollars, routed toward the Democratic People's Republic of Korea. Chapman, prosecutors said, did the unglamorous work that made the illusion hold — receiving the machines, keeping them online, and forging the payroll documents that kept the paychecks moving. She pleaded guilty and was sentenced in 2025.
One house. Three hundred companies. A nuclear weapons program.
The most instructive case did not happen to a careless company. It happened to a security company.
KnowBe4 trains other organizations to recognize social engineering. It is, in a sense, a company whose entire product is suspicion. In July of 2024, it hired a remote principal software engineer. The candidate had gone through four video interviews. The face matched the identity on file. The background check was clean.
The face, it would later turn out, was a stock photograph enhanced with artificial intelligence to match a stolen American identity.
KnowBe4 did what every remote employer does. It shipped a Mac workstation to the address the new hire had given. The address was a laptop farm.
And here the story compresses into a few minutes. Almost immediately after the device came online, KnowBe4's own security operations center watched it begin doing things a new employee's laptop should never do — loading malicious software, manipulating session histories, behaving like a foothold rather than a workstation. The team isolated the machine within the hour. The new hire stopped responding.
No data was stolen. The company had, essentially, caught the operation in the first twenty-five minutes of its existence — and then did something unusual. It published the entire account, in detail, as a warning to everyone else.
Because the uncomfortable lesson was this: a company that teaches the world to spot impostors had hired one, through the front door, with a clean background check and four interviews. If it could happen to them, the number of companies it had already happened to — quietly, undetected — was not small.
This is the turn that makes the case file matter.
For most of its history, corporate cybersecurity has been built around a wall. The threat is outside. The defenders are inside. You harden the perimeter, you watch the door, you assume the people who already have badges are supposed to be there.
The North Korean IT worker program inverts that completely. It does not attack the wall. It applies for a position inside the wall, and waits to be handed a badge. The attack surface is not a server. It is the job posting.
And once inside, the access is total by design. A software engineer is supposed to read the source code. They are supposed to have credentials, repository access, a seat in the internal chat, a view of the architecture. Everything a foreign intelligence service would want to steal is simply handed to the new developer on their first day, because that is what the job requires.
When one of these workers is discovered and fired, investigators have documented a final move. Some of them, on the way out, exfiltrate the source code and the data they had legitimate access to — and then demand a ransom not to leak it. The employee becomes the extortionist. The hire becomes the breach.
The United States government has spent years trying to map this.
The Federal Bureau of Investigation, the Department of Justice, the State Department, and the Treasury have issued joint advisories telling employers what to look for. A remote worker who will not turn on their camera. An address that does not match the bank account. A request to send the laptop somewhere other than the employee's listed home. A sudden change of payment details to a new account or a payment platform. Reluctance to ever appear in person.
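The advisory indicators above, combined with the laptop-farm traits described earlier (many company laptops at one address, on one home internet line, each running remote-access software), can be checked against onboarding and endpoint data. The following is an added example, not code from the advisories or from Fragment Zero; the record fields, thresholds, tool watchlist and sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed watchlist of remote-access tools; replace with what your IT team does not sanction.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk"}

def rec(emp, home, ship, ip, tools=(), camera_off=False, payout_changed=False):
    """One company-issued laptop, joined from HR onboarding data and endpoint telemetry."""
    return {"emp": emp, "home": home.lower(), "ship": ship.lower(), "ip": ip,
            "tools": {t.lower() for t in tools}, "camera_off": camera_off,
            "payout_changed": payout_changed}

# Constructed sample data (documentation IP ranges, invented addresses).
FARM = "48 Mesa Rd, Phoenix AZ"
DEVICES = [
    rec("E1001", "12 Oak St, Austin TX", "12 Oak St, Austin TX", "198.51.100.7"),
    rec("E1002", "9 Elm Ave, Reno NV", "9 Elm Ave, Reno NV", "198.51.100.44", ["TeamViewer"]),
    rec("E2001", "3 Pine Ct, Tampa FL", FARM, "203.0.113.20", ["AnyDesk"], True),
    rec("E2002", "77 Lake Dr, Boise ID", FARM, "203.0.113.20", ["AnyDesk"], True, True),
    rec("E2003", "5 Hill Ln, Dayton OH", FARM, "203.0.113.20", ["RustDesk"]),
]

def score_devices(devices, cluster_min=3, alert_at=3):
    """Return {employee: [reasons]} for devices meeting at least `alert_at` indicators."""
    by_ip, by_ship = defaultdict(set), defaultdict(set)
    for d in devices:
        by_ip[d["ip"]].add(d["emp"])
        by_ship[d["ship"]].add(d["emp"])
    alerts = {}
    for d in devices:
        checks = [
            (d["ship"] != d["home"], "laptop shipped away from listed home address"),
            (len(by_ship[d["ship"]]) >= cluster_min, "shipping address shared by several hires"),
            (len(by_ip[d["ip"]]) >= cluster_min, "egress IP shared by several hires' laptops"),
            (bool(d["tools"] & REMOTE_ACCESS_TOOLS), "watchlisted remote-access tool running"),
            (d["camera_off"], "will not turn on camera"),
            (d["payout_changed"], "payment details changed after hire"),
        ]
        reasons = [why for hit, why in checks if hit]
        if len(reasons) >= alert_at:  # a single indicator alone is common among legitimate staff
            alerts[d["emp"]] = reasons
    return alerts

if __name__ == "__main__":
    for emp, reasons in score_devices(DEVICES).items():
        print(emp, "->", "; ".join(reasons))
```

The egress IP should be the public address seen before any corporate VPN, otherwise every remote employee clusters on the VPN gateway.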
The Treasury has sanctioned the front companies — firms operating out of China and Russia that exist to place these workers and launder their wages. The Justice Department has indicted the financial facilitators who move the money through cryptocurrency and shell accounts, and has seized laptop-farm websites and dozens of bank accounts in disruption operations stretching across multiple American states.
The cybersecurity firm Mandiant, now part of Google, tracks the activity under a designation: a cluster of operatives the researchers numbered rather than named. Others call the broader effort by a nickname that captures it precisely. Wagemole. A mole that draws a wage.
By the assessments of United Nations experts, the IT worker program brings the regime somewhere between a quarter of a billion and six hundred million dollars a year. In a single Justice Department case, prosecutors traced roughly eighty-eight million dollars over about six years.
That is not pocket money for a sanctioned state. That is a program.
So here is where this case file leaves you.
Somewhere in the world right now, a recruiter is reviewing a strong application for a remote engineering role. The résumé is clean. The candidate interviews well. They can do the work — genuinely, demonstrably, well. They are asking only that the laptop be shipped to a particular address, and that the first paycheck go to a particular account.
Most of those candidates are exactly who they say they are. That is what makes this so difficult. The program does not rely on the company being foolish. It relies on the company being normal — on doing the ordinary, reasonable things that every remote-first business in the world now does without a second thought.
The vulnerability was never a piece of software. It was the assumption that the person on the other end of the video call is a person, and not a window.
For decades, organizations asked the same defensive question. How do we keep the wrong people out of our systems? The North Korean coworker forces a different and far harder question.
What if we already let them in, and signed their offer letter, and wished them a good first day?
This has been Fragment Zero, Case File forty-six. The North Korean Coworker.
The empty desk was never empty. We just could not see who was sitting at it.
Every factual claim in this case file is supported by one of the following public sources.
- How a North Korean Fake IT Worker Tried to Infiltrate Us — KnowBe4 (first-person incident report) (2024-07-23). The canonical first-person account: four video interviews, AI-enhanced photo on a stolen US identity, malware activity on the shipped Mac within minutes, SOC isolation.
- Arizona Woman Sentenced for $17M IT Worker Fraud Scheme that Generated Revenue for North Korea — U.S. Department of Justice (2025-07). Official sentencing release: Christina Chapman, 102 months; laptop farm in Litchfield Park, AZ; 68 stolen US identities; 309 US businesses defrauded; $17.1M routed toward the DPRK.
- Arizona woman sentenced to 8.5 years for running North Korean laptop farm — The Record (Recorded Future News) (2025-07-25). Independent coverage of the sentencing with scheme mechanics and scale.
- Arizona woman to serve 8 years for identity theft scheme benefiting North Korea — NPR (2025-07-25). Mainstream coverage situating the case within the broader DPRK IT-worker revenue program.
- Cyber firm KnowBe4 hired a fake IT worker from North Korea — CyberScoop (2024-07). Third-party verification of the KnowBe4 incident and the laptop-farm shipping address detail.
- Lazarus Group — Wikipedia (2026). Background on DPRK state cyber operations and revenue generation for the weapons program.