Hackers on the Company Payroll

There was a time when security teams primarily worried about hackers breaching the corporate perimeter. Today, threat actors have figured out something much simpler: why break in when you can just get hired?

Welcome to KnowB4, esteemed comrade

The Rise of Insider-Driven Cyber Threats

Increasingly, the most effective attackers are bypassing technical defences entirely by securing legitimate employment. Gartner predicts that by 2028, one in four job applicants worldwide may represent fabricated identities.

What began as sporadic incidents has evolved into a highly organised and lucrative operation, generating hundreds of millions of dollars annually for sanctioned regimes and criminal groups. Over the past several years, threat actors have fundamentally changed their approach. Nation-states and cybercriminal organisations now leverage remote work, artificial intelligence, and identity theft to transform infiltration into a scalable inside job. Their targets range from Fortune 500 enterprises to the cybersecurity sector itself.

North Korea’s Employment Fraud Operations

According to CrowdStrike, the North Korean “Famous Chollima” crew successfully infiltrated over 320 organisations, including global technology firms and major financial institutions, earning hundreds of millions of dollars annually.

The operation gained widespread recognition in July 2024 following an incident at KnowBe4. A North Korean operative obtained a stolen U.S. identity, enhanced it with an AI-generated image, and successfully passed four video interviews, securing a role as Principal Software Engineer. Soon after receiving a company-issued MacBook, the individual attempted to load malware using a Raspberry Pi. Fortunately, KnowBe4’s security team detected the activity and intervened before any damage occurred.

The case exposed the infrastructure behind such efforts. The laptop had not been shipped to the operative’s residence, but to a so-called “laptop farm.” These appear as ordinary homes but in reality house dozens of corporate devices, remotely managed by operatives located abroad. In June 2025, FBI raids uncovered 137 corporate laptops across 21 such sites in 14 states. Far from improvised, these operations are supported by professional logistics networks.

The financial incentives are significant. Christina Chapman, sentenced to over eight years in prison, facilitated North Korean access to 309 U.S. companies between 2020 and 2023. Operating her own laptop farm, she earned over $17 million while providing access to firms such as Nike, aerospace companies, and leading technology providers.

North Korean operatives have also adopted increasingly advanced tradecraft. They deploy real-time deepfakes during interviews, enabling one person to apply for multiple roles under different identities. AI tools generate resumes optimised for applicant tracking systems, while voice cloning requires only seconds of audio. Once hired, remote access software such as AnyDesk is installed to provide full overseas control.

China’s Long-Term Insider Strategy

While North Korea relies on fabricated identities and deception, China often adopts a more patient approach: securing legitimate employment and then exfiltrating intellectual property. This method, which emphasises persistence over rapid gains, is usually more difficult to detect and potentially more damaging.

The Linwei Ding case illustrates this model. Employed as a Google software engineer in 2019, Ding simultaneously operated his own Beijing-based company while serving as CTO of another. During his tenure at Google, he stole proprietary AI research, including Tensor Processing Unit (TPU) architecture, GPU systems, and networking designs. These were the result of years of investment and millions in research costs.

Such cases are not isolated. Chinese programs, including Thousand Talents, systematically target advanced technology firms. The resulting losses amount to billions in stolen intellectual property annually.

Cybercriminals Monetise Insider Recruitment

Cybercriminal groups have also adopted insider strategies, moving beyond traditional external attacks. LockBit openly solicited corporate insiders, posting offers directly on the systems it had encrypted:

“Would you like to earn millions of dollars? Provide us access to networks, credentials, or accounting systems and share in the proceeds.”

The DemonWare campaign took this further, offering employees $1 million in Bitcoin to deploy ransomware internally. Nigerian actors distributed malware executables via mass emails, even providing instructions for their use. Although technically unsophisticated, these campaigns demonstrated the growing normalisation of insider recruitment.

Escalating Challenges for Defenders

Detecting these infiltrations is increasingly complex. Human-driven countermeasures, such as requesting interview candidates to obscure part of their face or answer location-specific questions, offer only temporary relief. Meanwhile, AI-powered detection systems have proven more effective. Microsoft, for example, identified “impossible travel patterns” in user behaviour, suspending thousands of accounts linked to North Korean operatives. Pindrop uncovered subtle deepfake anomalies during live interviews, while large-scale investigations in Massachusetts identified over 100 infiltrated companies through behavioural and financial analysis.
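Impossible-travel detection of the kind the paragraph above credits to Microsoft, written here as an added example (not Microsoft's, KnowBe4's or the article's own code): it sorts constructed sign-in events per user, computes the great-circle distance between consecutive sign-in locations, and flags any pair whose implied speed exceeds a plausible threshold. The event fields, the 900 km/h threshold and the sample cities are assumptions for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; tune per environment (assumed)


@dataclass(frozen=True)
class Login:
    user: str
    ts: float   # epoch seconds
    lat: float
    lon: float
    src: str    # geolocation label (hypothetical; derived from source IP in practice)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_src, to_src, implied_kmh) for each consecutive login pair
    per user whose implied speed exceeds max_kmh; simultaneous logins give inf."""
    by_user = {}
    for ev in logins:
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts) / 3600.0
            if hours <= 0:
                if dist > 1.0:  # same timestamp, distinct places (allow ~1 km geo jitter)
                    alerts.append((user, prev.src, cur.src, float("inf")))
                continue
            speed = dist / hours
            if speed > max_kmh:
                alerts.append((user, prev.src, cur.src, round(speed, 1)))
    return alerts


# Constructed sample: "jdoe" signs in from New York, then from Singapore two hours
# later (flagged); "asmith" goes London to Paris over five hours (plausible, not flagged).
SAMPLE_LOGINS = [
    Login("jdoe", 0.0, 40.7128, -74.0060, "New York"),
    Login("jdoe", 7200.0, 1.3521, 103.8198, "Singapore"),
    Login("asmith", 0.0, 51.5074, -0.1278, "London"),
    Login("asmith", 18000.0, 48.8566, 2.3522, "Paris"),
]
```

In a real deployment the detector would consume identity-provider sign-in logs with IP geolocation, and a hit on a remote engineer's account is a prompt for verification rather than proof of fraud.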

Gartner predicts that by 2026, 30% of organisations will no longer trust conventional identity verification due to deepfake risks. By 2028, one in four job applicants worldwide may represent fabricated identities.

The Era of Zero-Trust Employment

The transition from breaking in to being hired marks a fundamental shift in organisational security. Traditional background checks and interviews cannot reliably defend against AI-generated identities and advanced deception. The critical question is no longer whether an organisation has been infiltrated, but how many fabricated employees are already embedded.

This is not a collection of isolated incidents. It is a coordinated global campaign exploiting the very foundation of modern business: hiring. With remote work entrenched and AI capabilities accelerating, the threat is only intensifying.

Organisations must embrace a zero-trust employment mindset. Security cannot focus solely on the perimeter. It must assume potential compromise from within, striking a balance between rigorous verification and the collaboration required for business operations. The next phase of corporate security is not about higher digital walls, but about understanding that adversaries may already be inside, fully employed, and waiting for the right moment to act.