0.0
July 15, 2024, Clearwater, Florida,
5.66
9:55 p.m.
6.04
Eastern Time.
7.62
A security alert fires inside the monitoring systems
11.039
of KnowBe4,
12.4
a cybersecurity training company with over 50 million
15.88
users across 54,000 organizations.
19.859
The alert flags anomalous activity on a newly
22.98
provisioned workstation.
24.14
The workstation was delivered earlier that day to
27.78
a newly hired principal software engineer.
30.3
He had passed four video interviews.
32.679
His references had checked out.
34.5
His background investigation had come back clean.
37.579
The engineer is 25 minutes into his first
40.939
shift.
42.92
He is installing malware on the workstation, delivered
46.5
via a Raspberry Pi connected to the same
48.96
network.
50.0
His photograph is a stock image modified by
53.5
artificial intelligence.
54.14
His name belongs to a real American he
58.06
has never met.
59.28
His actual physical location is either within North
62.74
Korea or across the border in northeastern China.
66.56
This is not an isolated incident.
69.04
KnowBe4 is a company that teaches other organizations
71.7
how to detect exactly this kind of threat.
75.039
They were not the first target.
76.54
They were not the hundredth.
78.399
This is a case file about a labor
80.14
market with an adversary embedded inside it.
82.739
The Democratic...
84.14
The Democratic People's Republic of Korea has, since
86.68
approximately 2011,
88.7
pursued information technology as a strategic national priority.
93.48
The directive originates with Kim Jong-un's ascent.
96.459
Under sanctions that isolate the regime from global
99.2
trade, conventional revenue streams have narrowed.
102.299
Cyber operations, theft, espionage, fraud have expanded to
107.18
fill the gap.
108.299
The specific program in this case is operated
111.019
by a unit designated Department 53.
144.139
from 6,800 in 2022 to 8,400
148.759
in 2024.
151.08
The increase tracks the expansion of remote work
153.78
norms after the pandemic.
156.06
U.S.
156.78
government estimates place the collective annual earnings of
159.86
this
160.02
workforce at over $500 million.
162.96
Individual operators can generate up to $300,000
166.259
per year, sometimes by holding
168.68
multiple simultaneous positions at different American companies.
172.34
Most of the revenue was laundered through Chinese
175.46
accounts
175.96
and routed back to Pyongyang.
178.08
It funds the regime directly, including, according to
181.4
U.S.
181.74
Treasury designations, its weapons of mass destruction programs.
185.879
The Federal Bureau of Investigation classifies this scheme
189.659
as an
190.259
active national security threat.
192.46
It has been operating at scale since at
194.84
least 2018.
196.219
The mechanics proceed in six stages.
199.28
Stage 1.
201.3
Identity Fabrication.
202.34
The operator acquires the personal information of a
206.3
real American citizen,
207.74
usually through identity theft channels available on the
211.099
dark web.
211.919
Full legal name.
214.139
Social security number.
215.62
Date of birth.
217.259
Employment history.
218.759
In one federal case, a single operation compromised
222.039
the identities of more than 80
223.979
Americans.
225.459
The operator then constructs a professional identity on
228.84
top of the stolen one.
230.399
A LinkedIn profile with fabricated information.
232.319
A fabricated job history.
233.46
A GitHub account with code that is often
236.099
scraped or cloned.
237.34
A passable photograph, frequently a stock image, edited
240.68
through generative AI to make
242.58
reverse image searches fail.
245.039
Stage 2.
246.0
The Application.
247.62
The operator applies to remote-only positions, typically
251.479
software engineering,
252.96
front-end development, or full-stack roles.
255.879
Some applications are routed through staffing agencies.
259.1
Some go direct.
261.04
Stage 3.
262.319
The Interview.
263.43
Most American employers conduct video interviews for remote
266.62
positions.
267.5
The operator attends with camera on.
270.29
Pre-rehearsed responses.
272.06
In more sophisticated cases, face substitution technology is
276.56
used to map a synthetic or live
278.54
image onto the operator's face in real time.
281.949
According to the cybersecurity firm SentinelOne, approximately
286.22
1,000 job applications received by
288.68
the company in recent years have been linked
291.04
to suspected normalization.
292.319
The company has been in the business since
293.439
the beginning of its existence.
295.819
According to Mandiant, now a unit of Google
296.86
Cloud, nearly every Fortune 500 chief information
300.3
security officer interviewed on the topic has acknowledged
303.639
that their company has,
305.3
knowingly or unknowingly, hired at least one.
308.959
Stage 4.
310.3
The Shipment.
311.6
Upon hire, the company issues a laptop, typically
314.879
a MacBook.
315.779
The operator provides a US shipping address.
318.36
The address is never the claimed residence.
321.139
The company's clients are often the same.
322.3
They're either a facilitator's home or commercial location.
325.86
This is the laptop farm.
327.66
The laptop farm is the operation's physical anchor.
331.38
A typical facility is a residence or small
334.24
commercial space, somewhere in the United
336.339
States, operated by a facilitator, often a US
340.199
citizen, sometimes compensated, sometimes
342.98
only partially aware of the full structure.
345.8
Inside, dozens of employer-issued laptops are connected
349.6
to a single local network.
351.339
Each laptop has a separate network.
352.279
Each laptop is configured for persistent remote access.
355.139
The operator, physically in North Korea or across
358.959
the Chinese border, connects via VPN
361.579
or commercial remote desktop software into the laptop
365.279
at the farm.
366.3
From the employer's perspective, the employee's session originates
370.5
from a residential US IP
372.06
address during US business hours on a
375.399
company-issued device.
376.579
All telemetry is clean.
379.98
Stage 5.
380.819
The Facilitator.
381.259
The facilitator's role is to provide a service.
382.279
It is structural.
383.3
Receive shipments.
384.8
Power the devices.
386.439
Handle occasional on-site IT tasks.
389.319
Process paychecks through shell companies into accounts controlled
392.92
by co-conspirators
394.22
abroad.
395.12
In April 2026, a federal court in Massachusetts
399.199
sentenced two New Jersey residents, Kejia
402.66
Wang and Zhenxing Wang, no relation, to nine
406.379
years and seven and a half years in
408.459
prison,
408.86
respectively.
441.74
Her operation touched more than 300 American companies
445.279
and funneled over $17 million to North Korea.
449.16
She pleaded guilty and received a sentence of
451.779
102 months.
453.779
Chapman's operation compromised the personal identities of at
457.579
least 60 Americans.
459.68
Her house was, for three years, connected by
462.439
fiber optic to a nuclear weapons program on
465.16
the other side of the world.
466.819
Return to Clearwater.
468.54
Return to the 25-minute window.
471.74
KnowBe4's security operations center, alerted by
474.839
automated detection, reached out to the new employee
477.779
to inquire about the anomalous activity.
480.839
The employee responded that he was following a
483.5
router troubleshooting guide, that it may have caused
486.3
a false alarm.
487.699
KnowBe4's security team requested a live
490.48
call.
491.24
The employee said he was unavailable.
493.399
Shortly after, he became unresponsive.
496.72
At 10:20 p.m.
498.459
Eastern Time, his workstation was contained.
501.74
KnowBe4 made the incident public in
503.98
a detailed blog post authored by its chief
506.199
executive, Stu Sjouwerman.
508.139
The post described the specific technical action taken
511.18
by the operator.
512.32
He used a Raspberry Pi to download the
514.84
malware.
516.68
The malware was an info-stealer.
519.159
Its target was credential data left in browser
521.799
sessions, residual authentication tokens from the laptop's prior
525.679
provisioning.
526.5
The operator's intent was to harvest what remained
529.179
on the machine before it had been fully
531.419
secured.
531.74
No customer data was exposed.
535.399
The operator was terminated before gaining broader access.
539.019
But the operator had cleared every pre-employment
541.98
control, background check phenotype, identity verification, four video
546.82
interviews with four different members of the team.
549.82
All of them had spoken with someone who
552.58
did not exist.
553.899
The United States Department of Justice has, as
557.08
of this recording, unsealed at least four major
560.0
indictments related to the scheme.
561.72
More than 29 laptop farms have been searched
564.879
across 16 states.
566.5
The FBI has issued public advisories in May
569.74
2022, October 2023, May 2024.
574.379
The enforcement pressure has not caused the operation
577.36
to contract.
579.08
A researcher at KnowBe4 compared the
582.139
economics to the drug trade.
584.0
For every facilitator arrested, two are already available
587.82
to replace them.
589.139
The supply of U.S.-based co-conspirators is
591.7
increasing.
591.72
Whether financially motivated or partially deceived exceeds prosecutorial
597.139
throughput.
597.879
The structural reason is labor market asymmetry.
602.919
Remote hiring is a global, asynchronous process.
606.98
Identity verification at most American companies remains a
611.039
domestic, synchronous one.
612.759
A stolen Social Security number will pass an
615.759
automated credit check.
617.08
A purchased LinkedIn endorsement looks identical to an
620.58
organic one.
621.259
A laptop shipped to a U.S.
623.44
zip code presents as a laptop in the
625.639
United States.
626.779
The operators do not defeat these systems.
630.019
They pass through them exactly as designed.
633.1
Many of them also do the job.
635.32
A significant portion of North Korean operators deliver
639.019
legitimate software engineering work.
641.659
Their American employers receive functional code, met deadlines,
645.94
and acceptable performance reviews.
648.24
The exfiltration of salary is the entire process.
651.24
The exfiltration of data when it happens is
655.159
a secondary harvest.
657.039
The question that cannot be answered from public
659.799
information is how many operators remain employed inside
663.34
American companies at this moment.
666.24
Mandiant's assessment that nearly every Fortune 500 chief
669.899
information security officer has admitted to at least
672.759
one known case establishes a floor, not a
675.899
ceiling.
676.419
The admitted cases are those that were detected.
679.0
The undetected cases remain, by definition, in payroll
682.679
systems.
684.94
No encryption defeats this attack.
687.539
No network segmentation closes it.
689.96
No firewall recognizes an employee who was legitimately
693.539
hired.
694.46
The defensive surface is human resources.
697.779
The case file remains open.
700.08
As of April 2026, two of the most
703.7
recently indicted facilitators are serving federal sentences in
707.299
Massachusetts.
707.659
Nine additional individuals connected to the same operation
711.7
remain at large.
712.94
The U.S.
713.86
State Department is offering a $5 million reward
716.46
for information leading to the arrest of those
718.94
still outside custody.
720.82
Department 53 in Pyongyang continues to operate.
726.6
Fragment Zero will track the case file.
728.899
The next time an American company posts a
731.84
remote software engineering role, approximately one in a
736.46
thousand applications will be reported.
737.639
The defensive question is not whether an
743.72
organization will encounter this operation.
747.74
It is whether the organization will notice.