Hackers on the Company Payroll
by Reflare Research Team on Sep 8, 2025 9:26:04 AM
There was a time when security teams primarily worried about hackers breaching the corporate perimeter. Today, threat actors have figured out something much simpler: why break in when you can just get hired?
Welcome to KnowBe4, esteemed comrade
The Rise of Insider-Driven Cyber Threats
Increasingly, the most effective attackers are bypassing technical defences entirely by securing legitimate employment. Gartner predicts that by 2028, one in four job applicants worldwide may represent fabricated identities.
What began as sporadic incidents has evolved into a highly organised and lucrative operation, generating hundreds of millions of dollars annually for sanctioned regimes and criminal groups. Over the past several years, threat actors have fundamentally changed their approach. Nation-states and cybercriminal organisations now leverage remote work, artificial intelligence, and identity theft to transform infiltration into a scalable inside job. Their targets range from Fortune 500 enterprises to the cybersecurity sector itself.
North Korea’s Employment Fraud Operations
According to CrowdStrike, the North Korean “Famous Chollima” crew successfully infiltrated over 320 organisations, including global technology firms and major financial institutions, earning hundreds of millions of dollars annually.
The operation gained widespread recognition in July 2024 following an incident at KnowBe4. A North Korean operative obtained a stolen U.S. identity, enhanced it with an AI-generated image, and successfully passed four video interviews, securing a role as Principal Software Engineer. Soon after receiving a company-issued MacBook, the individual attempted to load malware using a Raspberry Pi. Fortunately, KnowBe4’s security team detected the activity and intervened before any damage occurred.
The case exposed the infrastructure behind such efforts. The laptop had not been shipped to the operative’s residence, but to a so-called “laptop farm.” These appear as ordinary homes but in reality house dozens of corporate devices, remotely managed by operatives located abroad. In June 2025, FBI raids uncovered 137 corporate laptops across 21 such sites in 14 states. Far from improvised, these operations are supported by professional logistics networks.
The financial incentives are significant. Christina Chapman, sentenced to over eight years in prison, facilitated North Korean access to 309 U.S. companies between 2020 and 2023. Operating her own laptop farm, she earned over $17 million while providing access to firms such as Nike, aerospace companies, and leading technology providers.
North Korean operatives have also adopted increasingly advanced tradecraft. They deploy real-time deepfakes during interviews, enabling one person to apply for multiple roles under different identities. AI tools generate resumes optimised for applicant tracking systems, while voice cloning requires only seconds of audio. Once hired, remote access software such as AnyDesk is installed to provide full overseas control.
China’s Long-Term Insider Strategy
While North Korea relies on fabricated identities and deception, China often adopts a more patient approach: securing legitimate employment and then exfiltrating intellectual property. This method, which emphasises persistence over rapid gains, is usually more difficult to detect and potentially more damaging.
The Linwei Ding case illustrates this model. Employed as a Google software engineer in 2019, Ding simultaneously operated his own Beijing-based company while serving as CTO of another. During his tenure at Google, he stole proprietary AI research, including Tensor Processing Unit (TPU) architecture, GPU systems, and networking designs. These were the result of years of investment and millions in research costs.
Such cases are not isolated. Chinese programs, including Thousand Talents, systematically target advanced technology firms. The resulting losses amount to billions in stolen intellectual property annually.
Cybercriminals Monetise Insider Recruitment
Cybercriminal groups have also adopted insider strategies, moving beyond traditional external attacks. LockBit openly solicited corporate insiders, posting offers directly on encrypted systems:
“Would you like to earn millions of dollars? Provide us access to networks, credentials, or accounting systems and share in the proceeds.”
The DemonWare campaign took this further, offering employees $1 million in Bitcoin to deploy ransomware internally. Nigerian actors distributed malware executables via mass emails, even providing instructions for their use. Although technically unsophisticated, these campaigns demonstrated the growing normalisation of insider recruitment.
Escalating Challenges for Defenders
Detecting these infiltrations is increasingly complex. Human-driven countermeasures, such as requesting interview candidates to obscure part of their face or answer location-specific questions, offer only temporary relief. Meanwhile, AI-powered detection systems have proven more effective. Microsoft, for example, identified “impossible travel patterns” in user behaviour, suspending thousands of accounts linked to North Korean operatives. Pindrop uncovered subtle deepfake anomalies during live interviews, while large-scale investigations in Massachusetts identified over 100 infiltrated companies through behavioural and financial analysis.
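The "impossible travel" signal mentioned above is easy to reason about in code. The following is an added example written for this page; it is not Microsoft's detection logic and not code from the article. It assumes sign-in events that carry a user id, a UTC timestamp and the latitude/longitude that IP geolocation assigned to the source address (all sample events are constructed), and it flags consecutive sign-ins by the same user whose implied ground speed exceeds a plausible maximum. The threshold values and the `SignIn` record shape are assumptions.

```python
"""Impossible-travel detection over sign-in events (added example, not from the article).

Assumptions: each event carries a user id, a UTC timestamp and the geolocation
of the source address. Consecutive sign-ins for one user are flagged when the
distance between them could not have been covered at a plausible speed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling, roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0     # assumed floor to ignore geolocation jitter within a metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    at: datetime      # timezone-aware UTC timestamp
    lat: float
    lon: float
    label: str        # human-readable origin, used only in reports


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, curr):
    """Speed a single person would have needed to travel between two sign-ins."""
    dist = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant (or out-of-order clock): any real distance is impossible.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (prev, curr, distance_km, speed_kmh) for each flagged pair, in time order.

    Events are sorted by time first so the caller may pass them unordered.
    Only the immediately preceding sign-in of the same user is compared.
    """
    findings = []
    last_seen = {}
    for event in sorted(events, key=lambda e: e.at):
        prev = last_seen.get(event.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
            if dist >= min_km:
                speed = implied_speed_kmh(prev, event)
                if speed > max_kmh:
                    findings.append((prev, event, dist, speed))
        last_seen[event.user] = event
    return findings


def sample_events():
    """Constructed sign-in events: one benign commuter and one flagged account."""
    utc = timezone.utc
    phoenix = (33.4484, -112.0740)
    nashville = (36.1627, -86.7816)
    return [
        # a.lee: Phoenix in the morning, Phoenix again in the evening (benign)
        SignIn("a.lee", datetime(2025, 6, 2, 9, 0, tzinfo=utc), *phoenix, "Phoenix"),
        SignIn("a.lee", datetime(2025, 6, 2, 17, 0, tzinfo=utc), *phoenix, "Phoenix"),
        # b.kim: Phoenix, then Nashville six hours later (plausible flight, benign)
        SignIn("b.kim", datetime(2025, 6, 2, 9, 0, tzinfo=utc), *phoenix, "Phoenix"),
        SignIn("b.kim", datetime(2025, 6, 2, 15, 0, tzinfo=utc), *nashville, "Nashville"),
        # j.doe: Phoenix, then Nashville twenty minutes later (flagged)
        SignIn("j.doe", datetime(2025, 6, 2, 9, 0, tzinfo=utc), *phoenix, "Phoenix"),
        SignIn("j.doe", datetime(2025, 6, 2, 9, 20, tzinfo=utc), *nashville, "Nashville"),
    ]


def report(findings):
    """Render findings as one line each for a console or ticket body."""
    return [
        f"{p.user}: {p.label} -> {c.label} in "
        f"{(c.at - p.at).total_seconds() / 60:.0f} min "
        f"({dist:.0f} km, {speed:.0f} km/h implied)"
        for p, c, dist, speed in findings
    ]


if __name__ == "__main__":
    for line in report(find_impossible_travel(sample_events())):
        print(line)
```

In production the interesting tuning is the pair of thresholds: a low `MIN_DISTANCE_KM` produces noise from VPN exits and mobile-carrier geolocation, while a high `MAX_PLAUSIBLE_KMH` misses a remote operator whose geolocated exit node and the laptop-farm device sit in different regions. Comparing only the immediately preceding sign-in keeps the check linear in the number of events; a richer version would keep a short window per user so that an alternating pattern between two distant locations is also surfaced.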
Gartner predicts that by 2026, 30% of organisations will no longer trust conventional identity verification due to deepfake risks. By 2028, one in four job applicants worldwide may represent fabricated identities.
The Era of Zero-Trust Employment
The transition from breaking in to being hired marks a fundamental shift in organisational security. Traditional background checks and interviews cannot reliably defend against AI-generated identities and advanced deception. The critical question is no longer whether an organisation has been infiltrated, but how many fabricated employees are already embedded.
This is not a collection of isolated incidents. It is a coordinated global campaign exploiting the very foundation of modern business: hiring. With remote work entrenched and AI capabilities accelerating, the threat is only intensifying.
Organisations must embrace a zero-trust employment mindset. Security cannot focus solely on the perimeter. It must assume potential compromise from within, striking a balance between rigorous verification and the collaboration required for business operations. The next phase of corporate security is not about higher digital walls, but about understanding that adversaries may already be inside, fully employed, and waiting for the right moment to act.