I. Introduction: Connecting the Headlines to Portfolio Risk

In July, the U.S. Department of Justice announced a nationwide crackdown on North Korean IT workers posing as remote employees inside U.S. companies. These weren’t freelancers just trying to make a living… they were state-sponsored operatives funneling paychecks (and in some cases, stolen data) back to the regime’s weapons program. The DOJ noted that there were thousands of fraudulent IT workers representing North Korea, but there have been more confirmed cases after the DOJ’s latest wave of arrests.

This should be on PE firms’ radar because portfolio companies are prime targets. Fast-growing businesses that rely on remote technical talent are exactly where these fraudulent hires slip through.

While the scope of the DOJ’s action grabbed headlines, the risk itself isn’t all that new. In 2024, KnowBe4, a cybersecurity firm backed by Vista Equity Partners, discovered it had accidentally hired a North Korean engineer. The individual passed technical interviews and cleared onboarding before being caught. What mattered most was how the company responded. Instead of quietly handling the incident, KnowBe4 went public despite being fully aware of the reputational risk. That decision sparked broader awareness across the community and helped raise awareness of the threat. It also was eye-opening to see that even cybersecurity companies are at risk.

This isn’t just a cybersecurity issue. There are legal and operational risks with financial and reputational impact for PE firms. This piece outlines practical steps to help portfolio companies spot and prevent these threats... without turning every interview into an interrogation.

II. The Playbook Behind the Operation

According to the DOJ, thousands of North Korean operatives have been hired as remote IT employees across hundreds of U.S. businesses… all the way from small firms to F500’s.

The playbook is straightforward: multiple fraudulent IT workers apply to the same roles, share interview prep, and rotate until one gets hired. They’re able to do this at scale by using stolen U.S. identities, fake resumes, and AI tools to mask faces and voices. They also use 3rd party recruiters to put some distance between them and the hiring team.

Once hired, a U.S. based “facilitator” usually steps in to hand all of the logistics like receiving laptops, filling out and submitting documents, and setting up access to company resources. These facilitators are regular Americans who get pulled into the scheme for some extra cash. The Wall Street Journal covered this earlier in the year and showed how the operation relies on normal people to keep it running. From there, the fraudulent IT worker logs in from abroad and does just enough to stay employed while quietly funneling paychecks back to North Korea.

This may sound like a pretty minor risk,but in many cases it doesn’t stop there. Their goal is to work multiple remote jobs at once so they understand that eventually they’ll be laid off and will move onto the next target. Towards the end of their employment, it’s common for the fraudulent IT hires to steal data that can be sold on the dark web to further fund the regime. Intellectual property, sensitive customer data, and cryptocurrency have all been stolen. Several crypto companies  learned in 2024 that they had unknowingly hired fraudulent IT workers from North Korea and suffered large losses that impacted them and their customers.

This entire scheme is built on fraud and it starts at the interview stage. Knowing what to look for in those early interactions is often the best chance to prevent it so in the next section we’ll cover the red flags that other’s have reported.

III. Interview Red Flags To Watch Out For

The good thing is that this scheme isn’t highly technical and it doesn’t require expensive cybersecurity tools to block it. These hires come in through the front door (recruiters, HR, and hiring managers) so that makes the first interview your best chance to catch something before it becomes a problem.

This could be the most important piece in this article: your hiring teams typically knows when something "feels off” in an interview. That being said, what's been observed in past cases is that people hesitate to raise those concerns. They worry about being judgemental, biased, or wrong without hard evidence... so the gut feeling sometimes gets brushed aside instead of passed along.

That’s why it’s critical to spell out the below red flags for your teams. It sends a clear signal: leadership expects and wants concerns raised,even if it’s just a gut feeling.

Visual and Audio: If the interviews feel slightly “off” then there’s probably a reason. Fraudulent IT workers use AI tools to alter their face, voice, and even accents.

• Lag between lip movement / sounds
• Odd camera behavior (frozen, glitchy, etc.)
• Unnatural blinking, blank or limited facial expressions, weird eye contact that doesn’t feel right
• Audio that sounds as if it has a filter over it: flat, inconsistent, altered in any way
• Inconsistent or odd shadows on the facial area. Overly smooth or “filtered” appearance of the face.

Scripted or Coached Responses: These candidates often arrive over-prepared. Their first answers may sound polished and impressive, but shallow when pressed for details. Some things to look out for:

• Repeated phrases or similar examples across multiple candidates
• Strong initial answers that collapse under follow-up questions (especially when asked to unpack specifics or explain how they got to an outcome)
• Long and unnatural pauses after your questions followed by overly polished answers
• This is often paired with filler words before the overly polished answers. The contrast between the hesitation and suddenly articulate sentences is a big red flag.

Behavioral and Contextual Red Flags: Even if the technical cues check out, small inconsistencies can still signal trouble. None of these are definitive on their own, but combined, they’re worth paying attention to:

• Uncomfortable with unscripted questions, small talk, or problem-solving on the fly.
• Difficulty talking about local geography, time zones, or cultural references.
• Lack of interest about the role, pay / benefits, expectations, or overall working experience at the company.  

As previously mentioned these signs might not mean much individually. We all know a glitchy video call or vague answer isn’t exactly unusual. But when the signs add up and form a pattern, that deserves some additional scrutiny.

III. Red Flags During Onboarding and Early Employment

The first few weeks of onboarding are often the best time to catch inconsistencies. It’s not just about watching performance… it’s about how a new hire mixes with the team, how they handle standard onboarding steps, and whether their access / activity line up with expectations.

‍Device and Access Logistics: How company-issued equipment is delivered and set up is one of the clearest and most consistent red flags in fraudulent IT hire cases.

• Requests to ship laptops to names or addresses that don’t match HR records. (A common excuse is that the employee claims to be “on vacation” and needs it sent elsewhere)
• Delays or unusual excuses during device setup, which may mean the laptop is being forwarded to another location.
• Repeated requests to reset MFA or re-enroll devices (often at odd hours) which can suggest the laptop is being shared.

‍
HR and Administrative Records: Sometimes the first inconsistencies show up in paperwork and benefits enrollment rather than in technical systems. None of these are definitive on their own, but combined they can be helpful.

• No engagement with benefits enrollment. Many legitimate employees decline coverage for valid reasons, but a complete lack of response or interest is still worth documenting.
• Incomplete or delayed employment paperwork (I-9s, W-4s, background forms) that arrive slowly or with vague, inconsistent details.
• Unusual payroll requests, such as directing salary payments to third-party accounts or virtual payment services under a different name.

Performance and Communication Patterns: New hires often need time to settle in, but certain behaviors stand out when viewed alongside other signals:

• Noticeable swings in work quality / speed. This can be broken down into two buckets.
• If the work quality varies a lot, almost as if different people handle different tasks, then it might be a good indicator of exactly that.
• It’s also been observed that workers will let tasks pile up (because they’re working other jobs) and then rapidly take care of them without any instruction or assistance.
• Minimal interaction with managers or teammates. Instead of asking questions about processes or policies (which most genuine new hires do), these individuals often avoid unnecessary conversations.

Individually each of these can be explained away but together… they form patterns that shouldn’t be ignored. Fraudulent IT contractors count on companies treating these as one-off issues. Giving HR, IT, and operations teams a shared picture of the red flags makes it far harder for those patterns to go unnoticed. Now that we’ve discussed what to look out for, let’s discuss changes you can make to your hiring and onboarding processes.

IV. Practical Changes for HR and Hiring Teams

You don’t need to change your entire hiring process to prevent malicious candidates from making it through. A few specific changes can go a long way toward shutting the door before they get inside.

Interview Process Enhancements: The interview is often the only live interaction you’ll have with remote candidates before making the decision. A few tactical changes to your process can make it harder to pull off for North Korean operatives.

• Make it clear in the written job posting that interviews include video and real-time ID checks. This is an immediate deterrent before they even apply. Confirm with legal / HR this is allowed, but if allowed, it’s worth considering because it just adds too much friction for bad actors.
• Add casual location-based questions to the first interview. Simple variations that come off as normal small talk like “What time is it for you right now?” or “remind me the capital of [state they claim to live in]?” can help confirm locations.
• Incorporate live coding or technical assessments that rely on screenshare. More importantly, ask them to talk through their thought process as they do the task. This makes it significantly harder for candidates to cheat their way through a task.
• Ask candidates to walk through recent projects using visuals or documents they’ve created. Fraudulent candidates often refer to past projects but can’t produce anything to show their work.

HR / Onboarding Enhancements: The interview process can’t catch everything. A few light-touch checks during onboarding creates a valuable second line of defense without asking too much from your teams. These should be framed as routine hygiene steps (not accusations) and viewed in context with other signals.

• Confirm addresses for equipment. Make sure the employee’s address on file matches where the laptop is being shipped. Document any changes or reroutes.
• Track benefits decisions. Note whether employees enroll in health, dental, or retirement plans. Declining coverage isn’t unusual (many are on a spouse’s or family plan), but it’s still worth tracking as part of a broader pattern.
• Verify payroll details. Confirm that bank accounts receiving salary payments are in the employee’s name and tied to the expected region. Document exceptions, such as joint accounts, and avoid routing pay to third parties or virtual platforms without review.
• Create a “quiet audit” process for remote hires that checks standard onboarding records (I-9s, benefits, device activation, MFA enrollment, etc.) against location and identity information. Apply the same process consistently to avoid bias.
• 30-day remote hire check-ins. Schedule a light touchpoint with new remote employees a month into the role. This supports engagement, surfaces onboarding issues, and provides a natural opportunity to validate fit.

The key is escalation. HR and front-line managers should have a low-friction path to raise concerns without needing hard proof. A documented suspicion is enough to pass the baton to IT or security, who can then confirm or rule out issues using technical evidence. Let’s look at how technical teams can catch these details (login patterns, remote access tools, network behavior, etc.).

V. What IT and Security Teams Should Look For

Once a new employee has access to the company’s systems, it’s less about speculation and more about evidence. The good news is these fraudulent IT contractors aren’t trying to run advanced espionage operations. Most rely on simple workarounds and automation to stay employed across multiple companies while funneling salaries back to North Korea. With basic monitoring in place, they’re usually caught within 30–45 days of onboarding. That being said… without those basic controls in place they can linger for a year or more.

User Behavior / Authentication Patterns: These are the earliest technical signs of an issue that suggests someone else is behind the keyboard. ‍

• Impossible travel alerts. These are logins from geographically impossible locations within short timeframes (e.g., Chicago at 9:00 a.m., Tokyo at 9:30 a.m.)
• Multiple logins at the same time from different IP addresses. This is a strong sign more than one person is using the device.
• Repeated MFA resets or re-enrollments (particularly at unusual hours) often linked to shared devices.
• Connections to the employee laptop using Remote Monitoring and Management (RMM) tools, Keyboard-video-mouse over IP (IP-KVM) devices, VPNs, VPS, or proxies. These are not typical for regular employees but necessary for someone abroad.
• Installation of “mouse jigglers” or anti-screen-lock software shortly after receiving a company laptop, typically used to keep devices “awake” so they can be accessed remotely at any time.

Technical Indicators of Compromise (IOCs): Beyond behavior, there are concrete technical markers that can be fed directly into your security stack. IOCs include IP addresses, domains, file hashes, and tools tied to confirmed North Korea-linked activity. Adding these to EDR, SIEM, or threat intel feeds allows you to automatically find any suspicious activity.

We’re not going to list every IOC here…. those are better pulled directly from trusted sources. Several government advisories maintain updated lists, including:

‍

VI. Action Plan for Private Equity Firms

The goal for PE firms shouldn’t be to do a complete overhaul how your portco’s hire.  It’s to make sure the ones most at risk understand the threat and know what to watch for. ‍

Identify Higher-Risk Portfolio Companies: Start with fast-growing portcos and ones that hire heavily in remote IT roles (software engineering, DevOps, infrastructure). Include any companies that rely on offshore recruiters or contractors. These are the most likely entry points.

Put the issue on the agenda: Carve out a few minutes in your leadership check-ins and ask whether HR / IT has seen unusual patterns. Point them to this briefing or CISA’s advisories so they know what red flags to look for.

Provide simple tools: Share checklists for hiring, onboarding, and IT monitoring. These aren’t new procedures… they’re reference points to give HR and IT teams confidence in raising concerns.

Coordinate at the fund level: Track escalations centrally through compliance or ops. This not only helps identify repeat patterns across companies but also ensures consistency in how issues are handled.‍

Encourage escalation without friction: You don’t need mandatory training across the portfolio, but the topic should come up when meeting with leadership teams. Include a short discussion on this threat for companies that fit the risk profile. Ask if HR or IT has seen anything unusual. Point them towards this article or CISA’s public resources so they know what to watch for and how to escalate concerns.

At the end of the day you should make sure your portfolio companies aren’t oblivious to this risk and that they have an idea of what to do when something feels off.

VII. Practical Checklists for HR, Ops, and IT Teams

‍Checklist 1 – Suggested Hiring & Interview Process Changes (HR &Hiring Managers)‍

☐ Require video interviews with real-time ID checks where legally permitted.
☐ Ask unscripted, location-based questions to confirm claimed location.
☐ Require at least one live, screenshared technical task for IT roles, with candidates explaining their approach.
☐ Ask candidates to show work from recent projects — actual documents, code snippets, or visual deliverables they personally created.
☐ Look for over-prepared, coached answers that fall apart under deeper questioning.
☐ Watch for visual/audio anomalies that may indicate AI deepfake tools.

‍Checklist 2 – Onboarding & Early Employment Monitoring (HR & Ops)‍

☐ Verify shipping address for company devices matches employee records; document changes.
☐ Track benefits enrollment; follow up on non-enrollment.
☐ Confirm payroll accounts are in the employee’s name and expected location.
☐ Avoid sending pay to third-party accounts or virtual payment platforms unless approved/documented.
☐ Add “quiet audit” to compare onboarding records to claimed location and ID.
☐ Schedule one-month remote hire check-ins to gauge engagement and fit.

‍Checklist 3 – Ongoing IT & Security Monitoring (IT & Security Teams)‍

☐ Monitor for “impossible travel” logins or simultaneous logins from different IPs.
☐ Flag repeated MFA resets or re-enrollments early in tenure.
☐ Detect connections via RMM tools, IP-KVMs, VPNs, VPS, or suspicious proxies.
☐ Watch for installation of mouse jiggler or anti-lock software.
☐ Incorporate DPRK IOCs into security tools for automatic alerting.

‍