0.0
The most dangerous person your company ever hired
3.16
passed every interview.
5.559
They had a clean resume, strong references.
8.98
They answered the technical questions correctly.
11.699
A recruiter spoke with them four times over
14.24
video.
15.119
A background check came back clear.
17.82
And then the laptop you shipped to their
19.839
home address was plugged into a rack of
21.96
90 other laptops in a stranger's house in
24.42
Arizona
24.719
and driven, in real time, by a software
27.699
engineer working for the government of North Korea.
31.88
This is not a story about a firewall
34.1
that failed.
35.0
No system was bypassed.
37.1
No password was stolen in the way you
39.439
are imagining.
40.359
There was no breach in the conventional sense
42.859
at all.
44.299
The intruder did not break into the company.
47.32
The company interviewed the intruder, checked the intruder's
50.679
references,
51.299
negotiated the intruder's salary,
53.38
and mailed the intruder
54.719
a computer.
55.979
This is Fragment Zero, Case File 46,
59.76
the North Korean co-worker,
61.439
and the job posting that became an attack
63.84
surface.
64.98
To understand how this works,
67.019
you have to abandon the image you have
69.28
of a hacker.
70.48
There is no hooded figure in a basement.
73.38
There is no malware on a USB stick
75.98
slipped into a parking lot.
78.06
The operation at the center of this case
80.459
file is something stranger,
82.079
and, in a way, far more elegant.
85.06
The Democratic People's Republic of Korea,
87.599
a country with limited internet access for its
90.7
own citizens,
91.599
under some of the heaviest economic sanctions in
94.219
the world,
94.859
discovered that the single most valuable export it
97.9
could produce was labor.
99.579
Specifically, remote software labor.
102.54
The premise is simple.
104.78
Around the world, thousands of companies hire engineers
107.939
they will never meet.
109.2
The interview is a video call.
112.019
The onboarding is a shipped laptop.
114.719
The work is commits in a repository and
117.799
tickets in a queue.
119.239
The colleague exists, for all practical purposes,
122.359
as a name, a face on a screen,
124.959
and a bank account.
126.34
North Korea looked at that arrangement and saw
129.199
an opening.
130.08
If a worker is only ever a name,
132.539
a face, and a bank account,
134.62
then all three can be manufactured.
138.719
United States intelligence and the Department of Justice
141.879
describe a structured program.
143.759
The workers are real, highly trained DPRK nationals,
148.52
many of them based not inside North Korea,
151.479
but in China and in Russia,
153.379
where the internet works and the oversight does
155.96
not.
156.419
They are organized into teams with revenue quotas.
159.599
They apply for legitimate remote jobs at Western
162.34
companies
162.819
using the identities of real people, or fabricated
166.12
ones,
166.58
or identities they have effectively rented.
168.96
They are good at the work.
171.139
That is the part that unsettles the people
173.74
who have investigated this.
175.56
These are not scammers who fail upward.
178.159
They pass technical screens because they can actually
181.06
do the job.
182.039
They ship working code.
183.9
They attend the stand-up meetings.
185.879
They get good performance reviews.
188.259
And every paycheck, routed through a chain of
191.479
intermediaries,
192.599
ends up funding the weapons program of a
195.219
nuclear-armed state.
197.219
The first problem the program had to solve
199.68
was identity.
201.539
A remote employer in the United States
203.74
will, at some point, ask for a real
205.86
name,
206.4
a real social security number, and a real
208.74
bank account.
209.58
So the operation acquired them.
211.78
In some cases, the identities were stolen outright.
214.919
In others, and this is the detail that
217.18
turns the story domestic,
219.02
real Americans were recruited, knowingly or not,
221.979
to lend their names to the paperwork.
224.74
Investigators have documented people in the United States
227.319
who discovered that, on paper,
229.639
they were employed at companies they had never
232.159
heard of,
232.819
by workers they had never met, on the
235.219
other side of the planet.
236.539
The photograph was the next problem.
238.9
A video interview needs a face.
240.979
So the operatives turned to the tools everyone
243.659
now has.
244.9
Stock photographs, enhanced and altered with artificial intelligence,
248.62
composite headshots assembled to match a fabricated name.
252.28
In the interviews themselves, reports describe coached scripts,
256.579
real-time translation, large language models
259.18
drafting answers to behavioral questions in a side
261.92
window,
262.22
and, in the more advanced cases,
264.56
attempts at live face manipulation on the video
267.06
feed itself.
268.12
The recruiter on the other end of that
270.259
call has 30 minutes and a hiring target.
273.04
They are not a counterintelligence officer.
275.779
They are looking for someone who can answer
277.86
the questions
278.36
and seems like they will be pleasant to
280.399
work with.
281.139
The operatives could do both.
284.86
But there was one thing the identity could
287.879
not fake.
289.199
Location.
290.379
When a company in Texas
292.22
ships a laptop to a new hire,
294.0
and that laptop connects every morning from an
296.519
address in Northern China,
297.939
the illusion collapses immediately.
300.8
Payroll systems, security tools, and tax authorities
303.939
all expect a domestic employee to be domestically
306.759
present.
307.639
So the program built a piece of physical
310.18
infrastructure inside the United States.
312.759
Its nickname, among investigators, is the laptop farm.
316.819
A laptop farm is exactly what it sounds
319.86
like.
320.199
A person living in the United States agrees,
323.74
for a fee,
324.54
to receive the company laptops shipped to fake
327.8
employees.
328.8
They keep the laptops powered on, connected to
332.12
a home internet line,
333.54
and racked on a shelf.
335.519
Installed on each one is remote access software.
339.019
From thousands of miles away,
341.22
the actual worker logs in and operates the
344.06
machine
344.379
as though they were sitting in that American
346.6
living room.
347.74
The laptop is in Arizona.
350.199
The hands are in Asia.
351.72
The paycheck deposits into an account that drains,
355.079
through cryptocurrency and shell companies,
357.459
back to the regime.
359.22
In 2024,
361.06
the Department of Justice put a name and
363.36
an address to one of these farms.
365.24
In Litchfield Park, Arizona,
367.959
prosecutors charged a woman named Christina Chapman
371.079
with running one of the largest laptop farms
373.819
ever documented in the United States.
376.459
Inside her home,
377.939
investigators described dozens
380.199
of laptops.
380.959
By some reporting,
382.36
around 90.
383.6
Each one a company-issued machine
385.959
for a remote worker who did not exist
388.459
as advertised.
389.6
The scale of what flowed through that single
392.48
house
392.92
is the part that is difficult to absorb.
395.74
According to the Department of Justice,
397.759
the operation Chapman facilitated
399.72
touched more than 300 American companies,
402.62
among them Fortune 500 corporations,
405.819
a major television network,
407.819
an aerospace and defense manufacturer,
410.199
a carmaker,
411.54
a Silicon Valley technology firm.
413.879
These were not careless startups.
416.139
These were some of the most security-conscious
418.62
organizations in the country.
420.56
The revenue traced through the scheme exceeded $17
423.66
million,
424.92
routed toward the Democratic People's Republic of Korea.
428.319
Chapman, prosecutors said,
430.04
did the unglamorous work that made the illusion
432.56
hold,
433.36
receiving the machines,
434.959
keeping them online,
436.1
and forging the payroll documents that kept the
438.199
paychecks moving.
438.879
She pleaded guilty and was sentenced in 2025.
442.8
One house, 300 companies,
445.68
a nuclear weapons program.
449.0
The most instructive case did not happen to
452.579
a careless company.
453.579
It happened to a security company.
456.519
KnowBe4 trains other organizations to recognize social engineering.
461.379
It is, in a sense,
463.279
a company whose entire product is suspicion.
466.5
In July of 2024,
468.42
it hired a remote principal software engineer.
471.939
The candidate had gone through four video interviews.
475.24
The face matched the identity on file.
477.959
The background check was clean.
480.24
The face, it would later turn out,
482.8
was a stock photograph enhanced with artificial intelligence
486.12
to match a stolen American identity.
489.699
KnowBe4 did what every remote employer does.
493.319
It shipped a Mac workstation to the address
496.18
the new hire had given.
497.5
The address was a laptop farm.
500.5
And here the story compresses into a few
503.06
minutes.
503.699
Almost immediately after the device came online,
506.819
KnowBe4's own security operations center watched it begin
510.399
doing things
511.12
a new employee's laptop should never do.
514.019
Loading malicious software,
515.7
manipulating session histories,
517.44
behaving like a foothold rather than a workstation.
520.299
The team isolated the machine within the hour.
523.019
The new hire stopped responding.
525.34
No data was stolen.
526.86
The company had, essentially,
529.1
caught the operation in the first 25 minutes
531.899
of its existence
532.74
and then did something unusual.
534.759
It published the entire account, in detail,
537.799
as a warning to everyone else.
539.94
Because the uncomfortable lesson was this:
542.44
a company that teaches the world to spot
544.659
impostors
545.379
had hired one, through the front door,
547.419
with a clean background check and four interviews.
550.139
If it could happen to them,
551.659
the number of companies it had already happened
553.74
to,
554.1
quietly, undetected, was not small.
556.86
This is the turn that makes the case
559.299
file matter.
560.5
For most of its history,
562.279
corporate cybersecurity has been built around a wall.
565.5
The threat is outside.
567.7
The defenders are inside.
569.98
You harden the perimeter.
571.679
You watch the door.
573.12
You assume the people who already have badges
575.899
are supposed to be there.
577.74
The North Korean IT worker program inverts that
581.12
completely.
581.84
It does not attack the wall.
583.84
It applies for a position inside the wall
587.039
and waits to be handed a badge.
589.299
The attack surface is not a server.
591.94
It is the job posting.
594.019
And once inside,
595.72
the access is total by design.
598.059
A software engineer is supposed to read the
600.82
source code.
601.62
They are supposed to have credentials,
603.799
repository access,
605.299
a seat in the internal chat,
606.94
a view of the architecture.
608.559
Everything a foreign intelligence service would want to
611.139
steal
611.399
is simply handed to the new developer
613.84
on their first day
614.34
because that is what the job requires.
616.94
When one of these workers is discovered and
619.299
fired,
619.899
investigators have documented a final move.
622.879
Some of them, on the way out,
624.879
exfiltrate the source code
626.539
and the data they had legitimate access to
629.159
and then demand a ransom not to leak
631.759
it.
632.2
The employee becomes the extortionist.
634.799
The hire becomes the breach.
638.279
The United States government
639.94
has spent years trying to map this.
642.32
The Federal Bureau of Investigation,
643.84
the Department of Justice,
645.62
the State Department,
646.72
and the Treasury
647.62
have issued joint advisories
649.2
telling employers what to look for.
651.08
A remote worker who will not turn on
653.059
their camera.
653.72
An address that does not match the bank
655.559
account.
656.059
A request to send the laptop somewhere
657.86
other than the employee's listed home.
660.019
A sudden change of payment details
661.7
to a new account or payment platform.
664.059
Reluctance to ever appear in person.
666.399
The Treasury has sanctioned the front companies.
669.5
Firms operating out of China and Russia
671.659
that exist to place these workers
673.659
and launder their wages.
675.379
The Justice Department has indicted
677.659
the financial facilitators
679.12
who move the money through cryptocurrency
681.399
and shell accounts
682.34
and has seized laptop farm websites
684.799
and dozens of bank accounts
686.72
in disruption operations
687.82
stretching across multiple American states.
691.36
The cybersecurity firm Mandiant,
693.659
now part of Google,
694.899
tracks the activity under a designation,
697.48
a cluster of operatives
698.96
the researchers numbered rather than named.
701.44
Others call the broader effort
703.2
by a nickname that captures it precisely.
705.98
Wagemole.
707.059
A mole that draws a wage.
709.259
By the assessments of United Nations experts,
712.44
the IT worker program brings the regime
715.399
somewhere between a quarter of a billion
717.519
and $600 million a year.
720.58
In a single Justice Department case,
723.1
prosecutors traced roughly $88 million
725.98
over about six years.
728.7
That is not pocket money for a sanctioned
731.299
state.
731.74
That is a program
733.2
and not a program.
735.019
So here is where this case file leaves
737.299
you.
738.179
Somewhere in the world right now,
740.2
a recruiter is reviewing a strong application
742.799
for a remote engineering role.
745.139
The resume is clean.
747.1
The candidate interviews well.
749.299
They can do the work.
751.959
Genuinely, demonstrably well.
753.96
They are asking only that the laptop
756.279
be shipped to a particular address
757.86
and that the first paycheck go to a
760.179
particular account.
760.899
Most of those candidates
762.879
are exactly who they say they are.
765.059
That is what makes this so difficult.
767.5
The program does not rely
769.1
on the company being foolish.
770.96
It relies on the company being normal.
773.32
On doing the ordinary, reasonable things
775.919
that every remote-first business in the world
778.759
now does without a second thought.
781.24
The vulnerability was never a piece of software.
784.34
It was the assumption that the person
786.519
on the other end of the video call
788.279
is a person and not a window.
790.179
For decades, organizations asked the same defensive question.
794.879
How do we keep the wrong people out
796.86
of our systems?
797.779
The North Korean coworker forces a different
800.44
and far harder question.
802.519
What if we already let them in
804.639
and signed their offer letter
806.259
and wished them a good first day?
809.919
This has been Fragment Zero, Case File 46.
813.419
The North Korean coworker.
815.379
The empty desk was never empty.
818.0
We just could not see who was sitting
820.159
there.
820.179
Sitting at it.