A Virginia cybersecurity firm uncovered a vast North Korean employment scheme after deliberately hiring a suspected operative and tracking his activities for three months, revealing a network funneling millions to the communist regime’s weapons programs while stealing American corporate secrets.

The Perfect Worker Who Wasn’t

The man known as Jo appeared to be an ideal candidate for Nisos, a corporate security company. He worked from 5 a.m. until late at night, six days weekly, juggling three jobs while applying to 50 more positions daily. During a June video interview for an artificial intelligence role, Jo claimed he lived in Palm Beach Gardens, Florida. When Nisos executives asked about a nonexistent hurricane, Jo hesitated before answering. Minutes later, when asked to share his screen, he abruptly disconnected. The company had already suspected Jo’s true identity and decided to hire him as part of an elaborate investigation.

Network of Deception Revealed

By shipping Jo a monitored laptop, Nisos gained unprecedented access to what investigators believe was a Democratic People’s Republic of Korea IT team. The three-month investigation exposed at least 20 North Korean operatives who collectively applied to 160,000 positions at American companies. The workers, likely based in China, were employed by five U.S. companies during the monitoring period. Evidence pointed to an American citizen operating from two suburban Florida homes who allegedly assisted the network. The FBI declared these schemes increasingly malicious, with the Justice Department calling the issue code red.

National Security Threat

For a decade, North Korea has placed remote workers at U.S. companies to funnel money back to the regime and steal sensitive information, according to federal agencies. These workers’ salaries help evade sanctions and fund weapons of mass destruction and ballistic missile programs. The schemes involve hundreds of American companies, thousands of workers, and generate hundreds of millions annually. Jared Hudson, Nisos chief technology officer, called the investigation a dream scenario for analysts who typically never get real-time access to suspected operations.