North Korea’s fake IT workers targeting healthcare, finance • The Register

The North Korean IT worker threat extends well beyond tech companies, with fraudsters interviewing at a “surprising” number of healthcare orgs, according to Okta Threat Intelligence.

In research published Tuesday, the identity services provider said nearly half of the companies (48 percent) targeted by the scam fall outside the IT sector, and fraudsters are increasingly applying for remote jobs in finance, healthcare, public administration and professional services.

These scammers largely originate from North Korea – or at least funnel money back to Pyongyang after fraudulently obtaining a remote worker job, generally in a software development role.

Okta tracked more than 130 identities operated by facilitators and workers participating in the scheme, and linked these individuals to more than 6,500 initial job interviews across more than 5,000 different companies from 2021 up until mid-2025. 

“Okta assesses any given identity as DPRK-aligned based on a combination of technical indicators, behavioral patterns and first-hand employer reporting,” according to the report.

The identity and access management provider’s researchers are a bit cagey about their exact methodology, and say they are “deliberately withholding some details” about how they conducted their research “to avoid tipping off the threat actors as to how we gained visibility of their activities.” 

Plus, they note: “We anticipate that the 130 identities Okta Threat Intelligence is tracking reflect only a small sample of total active DPRK ITW activity.”

Considering that the FBI and private security firms, including Google’s Mandiant, have sounded the alarm – with Mandiant Consulting CTO Charles Carmakal saying “almost every CISO of a Fortune 500 company” he’s spoken to has a North Korean IT worker problem – those 130 identities likely reflect just the tip of the iceberg.

In addition to expanding beyond big tech, the report notes that the scam has also expanded into other countries, with about 27 percent being outside of the US. While the bulk (73 percent) are still American firms, this echoes earlier reports of job seekers increasingly targeting European employers, too.

The threat hunters confirmed that big tech firms – especially those that develop software – remain the highest-volume targets over the last five years. 

But since mid-2023, the identity verification firm tracked a “marked increase” in interviews at AI-related orgs, both “pure” AI companies and those incorporating AI into existing products, with 50 such interviews so far this year. 

“While some of this rise may simply mirror the overall boom in AI hiring, the exposure of sensitive intellectual property, model-training data, and proprietary algorithms makes this sector especially attractive for state-linked actors,” according to the report.

Okta also “surprisingly” spotted a “sustained number of DPRK-linked job interviews” in healthcare and medical-tech companies, the researchers wrote. This includes about 85 this year alone, and most of the roles focus on mobile application development, customer service systems, and electronic record-keeping platforms.

“These areas provide potential access to sensitive personally identifiable information (PII), clinical workflows, and health data infrastructure,” the report notes.

This also aligns with ransomware and other financially motivated criminals targeting hospitals and healthcare facilities. These organizations have access to the most sensitive personal data and medical records, which means that their executives are more likely to pay extortion demands to prevent the criminals from leaking this private info.

While the primary objective of the North Korean IT worker scam remains financial gain (via the scammed companies’ payrolls), some of these schemes end in data theft, extortion attempts, and ransomware-related activities.

Unsurprisingly, fraudsters are also interviewing for financial-sector roles, including traditional banks and insurance firms, plus fintech and cryptocurrency organizations.

“The roles targeted have expanded beyond software development to include back-office and financial processing roles in areas like payroll and accounting,” Okta says. “This shift indicates an understanding on the part of the DPRK that there are other types of tasks, beyond software engineering, that provide similar opportunities: a targeted entity must be prepared to hire remotely, and a DPRK knowledge worker must be able to demonstrate some level of competency to perform it.” ®