What to do if your company discovers a North Korean worker in its ranks

Experts say companies often struggle to manage the aftermath when they discover an employee’s true identity is not what it seemed.
Terminating their employment is the easy part. The rest is complicated.

When enterprises discover they have inadvertently hired North Korean information technology workers, they face a cascade of urgent decisions involving sanctions law, cybersecurity protocols, and law enforcement cooperation that can expose them to significant legal and financial risks.

Incident response experts and cybersecurity lawyers explained how enterprises can navigate these risks Monday at Google’s Cyber Defense Summit in Washington, D.C. The challenges have grown more prominent as cybersecurity firms track what they describe as an organized employment scheme designed to generate revenue for North Korea’s weapons programs. 

“Their primary goal is revenue generation, often from multiple employers at once, to fund their weapons of mass destruction program,” Mike Lombardi, who leads North Korean-focused incident response work at Mandiant, said during a panel discussion on the issue.

While North Korean IT workers ultimately funnel their earnings back to the regime, cybersecurity experts emphasize that the workers themselves are primarily motivated by securing paychecks rather than causing immediate corporate damage. Because of this, experts emphasized Monday that companies need all of their departments — human resources, security, and legal among them — to watch for warning signs when hiring and to work together if they discover a suspicious worker on their team.

Detection through HR anomalies

Evan Wolff, a cybersecurity lawyer and partner who co-chairs Akin Gump’s privacy and tort practice, emphasized that initial detection often occurs during routine vetting processes. “A lot of these cases seem more HR than cyber at first,” Wolff said.

Key indicators include email addresses that lack credentials with known data brokers, LinkedIn profiles with recycled resumes, and an applicant’s reluctance to appear on video during interviews. Matthew Welling, a partner in Crowell & Moring’s cyber practice, noted that mismatched personal information often provides the first clues.

“A big part of this is spotting pieces of information that don’t fit together — for example, if the address on their ID doesn’t match the address where they want things sent, that’s often a giveaway,” Welling said.

Caroline Brown, a Crowell & Moring partner specializing in international trade and national security, said investigations sometimes reveal more complex patterns. “We saw one IT worker employed at several places at once, looking for their next job, possibly using their employer’s systems to do so,” Brown said.
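The HR-side warning signs the panelists list (an ID address that does not match the shipping address, a recycled resume, an applicant who declines video, an email address unknown to data brokers) can be turned into a simple screening score. The code below is an added illustration, not from the article or any of the firms quoted; the record fields, the address normalisation rules, the similarity threshold and the sample applicants are all assumptions constructed for the example.

```python
"""Added example: score the HR anomalies described in the article over
constructed applicant records. Field names and thresholds are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Applicant:
    name: str
    id_address: str            # address on the government ID provided
    shipping_address: str      # where the applicant wants the laptop sent
    resume_text: str
    declined_video: bool       # refused or repeatedly dodged a video interview
    email_known_to_broker: bool  # assumed result of an external data-broker lookup


def normalize_address(addr: str) -> str:
    """Crude normalisation so '123 Main Street, Apt. 4' equals '123 main st apt 4'."""
    a = re.sub(r"[.,#]", " ", addr.lower())
    for long, short in (("street", "st"), ("avenue", "ave"),
                        ("apartment", "apt"), ("suite", "ste")):
        a = re.sub(rf"\b{long}\b", short, a)
    return " ".join(a.split())


def _shingles(text: str, n: int = 3) -> set:
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def resume_similarity(a: str, b: str) -> float:
    """Jaccard similarity of word 3-grams; values near 1.0 indicate a recycled resume."""
    sa, sb = _shingles(a), _shingles(b)
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def screen(app: Applicant, prior_resumes: list, sim_threshold: float = 0.6) -> list:
    """Return the warning signs that fire for one applicant (empty list = nothing unusual)."""
    flags = []
    if normalize_address(app.id_address) != normalize_address(app.shipping_address):
        flags.append("id_address_mismatch")
    if app.declined_video:
        flags.append("declined_video_interview")
    if not app.email_known_to_broker:
        flags.append("email_unknown_to_data_brokers")
    best = max((resume_similarity(app.resume_text, r) for r in prior_resumes), default=0.0)
    if best >= sim_threshold:
        flags.append("recycled_resume")
    return flags


# Constructed sample: one resume already seen from a different name last quarter.
PRIOR_RESUMES = ["Senior full stack engineer with eight years building React and "
                 "Node services for fintech clients"]
```

Flags are inputs for an HR investigation, not a verdict; the article stresses that these cases are pieced together across HR, security and legal rather than decided by any single signal.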

Immediate sanctions exposure

The legal implications can become apparent quickly once a North Korean is suspected to be employed inside an organization. Brown, who previously worked at the Justice Department’s National Security Division and the Department of Treasury’s Office of Foreign Assets Control (OFAC), explained the strict liability that can come with violating U.S. sanctions.

“North Korea is under a comprehensive embargo — no dealings with U.S. persons or companies, directly or indirectly,” Brown said. “Finding out you’ve made a payment to them could be an additional violation, even strict liability, meaning you don’t need to know you did it; you’re still liable.”

The timing of discovery creates additional complications for things like payroll processing. When asked about scenarios where companies discover a rogue employee mid-week but have payroll scheduled for Friday, Brown responded that the situation becomes “very fact-specific and is about risk tolerance.”

“If you process a payment and it turns out to be for a North Korean, your payment processor — a U.S. financial institution — has violated sanctions, which may also expose you as the cause of that violation,” Brown said.

Strategic response decisions

Unlike typical cybersecurity incidents, these cases sometimes involve staying in communication with the suspected workers to facilitate evidence collection and device recovery. Welling noted that the threat actors’ behavior differs from expectations.

“More often than not, they’re very cooperative, trying to get one more paycheck or severance, even arranging for someone to return the laptop for money,” Welling said. “The key is to keep the interaction alive: tell them you’re having technical issues, keep communication open, and stay in touch.”

Lombardi confirmed this approach to CyberScoop, stating that “most of the time, we just want to get the laptop back.” He explained that maintaining the ruse can be essential for forensic analysis, particularly when evidence is stored locally on devices rather than in centralized systems.

The cooperative nature of these workers when discovered reflects their primary motivation. “By and large, we see that their motivation is to remain employed,” Lombardi said. “Even if things fall apart, the worker will usually comply, to try to stretch out payments or maintain a relationship, not go nuclear.”

Law enforcement and regulatory coordination

One of the biggest decisions companies face is when and how to involve federal authorities. Welling, who previously worked at the Department of Homeland Security, noted the FBI’s effectiveness in these cases.

“As someone who spent four years at Homeland Security, I don’t always love the FBI, but in this case they’re extremely effective and can work proactively with affected clients to stop this pre-employment,” Welling said.

There is no legal requirement to notify law enforcement, but Wolff noted that “sharing information with the FBI is helpful, and as the relationship lengthens or the money paid increases, the risk grows.”

Brown also highlighted the benefits of voluntary self-disclosure to OFAC. “More companies are doing so, which preserves mitigation credit — a 50% reduction in penalties — if OFAC were to penalize you,” she said.

The disclosure decision becomes more complex when the FBI initiates contact. “It depends on what the cooperation agreement is with the FBI and whether they’ve already told OFAC about the incident,” Brown said.

Wolff emphasized that whatever the appetite is for getting outside parties involved, an organization should test those plans through tabletop exercises. He explained that even companies that hold cybersecurity-focused tabletops “don’t cover this kind of case” and stressed the importance of including HR personnel in planning a response.

“One challenge is that nobody tells you ‘this person is definitely North Korean’ early on, so you’re piecing together information, often through HR investigations rather than standard cyber incident response,” Wolff said.

The panel members agreed that the threat continues to evolve and expand. Welling characterized it as an enduring challenge: “This isn’t a threat that’s going away. If anything, more groups are picking up the playbook.”

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.