Okta: 130+ DPRK Identities Linked to 6,500 Interviews at 5,000 Companies
Research from Okta indicates North Korea has scaled its illicit IT-worker (ITW) program well beyond U.S. “big tech,” turning remote hiring pipelines across industries and countries into revenue and access channels. Okta reports broad targeting across finance, healthcare, public administration, and professional services in addition to technology, noting activity in the U.S. and a growing share of operations elsewhere. As Okta puts it, “Okta Threat Intelligence tracked over 130 identities operated by facilitators and workers participating in the DPRK ITW scheme. We linked these actors to over 6,500 initial job interviews across more than 5,000 distinct companies up until mid-2025.” North Korean workers are obtaining interviews—and in some cases roles—across dozens of sectors worldwide, following an early emphasis on cryptocurrency and blockchain employers. Okta also cautions that “Targeted entities in those countries now face a mature, experienced threat that has achieved the necessary success to have been granted a level of ‘creative freedom’ over targeted verticals and the tools, techniques, and procedures they use to gain employment.”
The scheme relies on front-end deception and a distributed support network to initiate contact with employers at scale. Candidates submit polished applications for remote roles, often using borrowed or falsified identities, and cycle through multiple interviews in parallel—this approach reaches Fortune 500 firms and many mid-market organizations. Okta attributes this workforce to sustained state direction: “For at least the past five years, the heavily-sanctioned DPRK has mobilized individuals by the thousands into neighbouring countries, tasking them with gaining illicit employment in developed countries.” Facilitators assist with identity paperwork, connectivity, and payments, while workers adapt to each hiring pipeline’s demands (live coding, portfolio reviews, and reference checks) to pass initial screens. To protect collection visibility and avoid tipping off the operators, Okta notes that certain methodological details are being withheld, though its findings were validated with peers, law enforcement, and impacted enterprises.
Victimology now spans technology, fintech and traditional financial services, healthcare and med-tech, government and public administration, and professional services, with job targeting that extends well beyond core software roles. The scheme maintains a continued focus on software engineering while showing increased applications to finance operations (e.g., payment processing) and a “marked” rise in artificial intelligence roles; Okta observes AI-oriented interviews tracking the sector’s hiring boom. Healthcare-aligned technology positions (mobile apps, customer systems, electronic records) raise clear risks to sensitive data if a hire progresses. Government exposure surfaces both directly (interviews with U.S. state and federal agencies and some foreign governments) and indirectly through contractors and IT service firms that embed staff across multiple client networks. Okta stresses that “Notably, there are surface similarities between DPRK IT Workers and non-DPRK ‘overemployment’ workers such as remote work patterns, financial motivations, deception techniques and geographic origins,” a resemblance that can blur early screening decisions.
The objectives remain mixed but mutually reinforcing: steady payroll revenue, insider vantage within commercial networks, and optionality for theft and leverage when pressure mounts. Okta describes a campaign maturing through experience in the U.S. market and expanding to other geographies—roughly a quarter of targets fall outside the U.S., with sustained activity in the U.K., Canada, and Germany. While the primary driver is income, Okta documents incidents involving data exfiltration and extortion and warns that units “will increasingly look to ransomware, data theft and extortion tactics as they are pressured to maintain historical levels of revenue generation.” Taken together, the reporting points to a long-running placement operation that treats “any remote role” as fair game so long as interviews and day-to-day work can be completed off-site. The scale and persistence of applications, coupled with the workforce’s accumulated experience, suggest a durable program: “Targeted entities in those countries now face a mature, experienced threat that has achieved the necessary success to have been granted a level of ‘creative freedom’ over targeted verticals and the tools, techniques, and procedures they use to gain employment,” and organizations should assume attempts will continue across most sectors.

