Inside the Shadow Network
North Korean IT Workers and Their PRC Backers
Falsified Resumes Report striderintel.com ©Strider Technologies, Inc.
Table of Contents
Executive Summary
Introduction
Tactics, Techniques, and Procedures
Risks to Western Businesses
North Korean IT Workers Abroad
The Role of PRC-Based Entities
Conclusion
Executive Summary
Using Strider’s proprietary risk methodology and open-source data collection, this report details the tactics, techniques, and procedures (TTPs) used by DPRK actors, including the use of fake identities, front companies, and exploitation of global freelancing platforms. This report also maps the geographic spread of North Korean IT workers across China, Russia, Southeast Asia, Africa, and the Middle East, and highlights the role of PRC-based entities like Liaoning China Trade Industry Co., Ltd., which was recently sanctioned for materially supporting DPRK cyber operations.

Using Checkpoint, Strider’s proprietary third-party due diligence tool, Strider identified 35 affiliated organizations tied to a sanctioned entity—information that can help companies avoid unwittingly enabling DPRK-linked activity. To mitigate risk, businesses should adopt stronger due diligence processes, enforce compliance with sanctions, and remain vigilant against increasingly sophisticated threats emerging from global talent pipelines.
Introduction
Amid the growing demand for technical talent and the rise of remote work, a less visible threat has emerged within global hiring networks. North Korean IT professionals, operating under false or stolen identities, have successfully secured work with companies across the U.S. and other Western nations. These individuals, often posing as freelance developers or engineers, are part of a strategic state-directed effort to access sensitive information, advance geopolitical goals, and generate revenue for the Democratic People’s Republic of Korea (DPRK)—funds that are then used to support prohibited weapons programs and evade international sanctions. Western businesses risk financial losses, intellectual property theft, data breaches, and reputational damages should they hire any fraudulent worker—but the risk is especially great should they hire an individual from the DPRK.

On December 12, 2024, the U.S. Department of Justice unveiled indictments against 14 North Korean nationals for orchestrating an expansive fraud campaign that spanned years and continents. The individuals, posing as remote contractors, infiltrated hundreds of businesses by disguising their true identities—sometimes even impersonating real people—to secure employment, steal funds, and funnel revenues directly to Pyongyang. According to the U.S. Department of the Treasury, up to 90 percent of their earnings were used by the DPRK government to bankroll its weapons of mass destruction (WMD) and ballistic missile programs.
By January 2025, the U.S. government intensified its crackdown. The Treasury Department’s Office of Foreign Assets Control (OFAC) issued sanctions targeting multiple individuals and entities involved in this scheme, further highlighting the extent to which Western companies have unknowingly become conduits for DPRK state-sponsored activities. Just days later, the FBI and Department of Justice reinforced the gravity of the threat with another round of indictments and public service announcements, warning that hiring North Korean IT workers could result in stolen intellectual property, data breaches, and direct violations of U.S. and UN sanctions.

These schemes are not carried out in isolation. Many of the operations detailed in U.S. government indictments and sanctions involve facilitators and front companies based in the People’s Republic of China (PRC), where North Korean operatives often reside and access the global internet. Chinese-based intermediaries have played a crucial role in enabling the DPRK’s use of digital platforms, payment systems, and employment marketplaces—creating a cross-border infrastructure that helps obscure the origins of the workers and facilitates the laundering of illicit proceeds.

In a world increasingly reliant on remote work and globalized talent pools, the line between innovation and infiltration has never been thinner. This report explores how North Korean IT operatives penetrate digital workforces, the systemic vulnerabilities they exploit, and the strategic, legal, and reputational risks Western businesses now face.
Tactics, Techniques, and Procedures
North Korean IT workers use a variety of tactics, techniques, and procedures (TTPs) to achieve their objectives. These TTPs are sophisticated and designed to obfuscate their true origins and intentions, making them difficult to detect and mitigate.

Disguised Identities and Front Companies
One of the primary tactics employed by North Korean IT workers is the use of fake identities and front companies. These individuals often operate under aliases and use forged documents to gain employment in foreign firms. In many cases, they establish front companies that appear to be legitimate IT services firms. These companies serve as a cover for their operations, allowing them to interact with global clients without raising suspicion.

One reported example is Danish electric car company Fisker, who unknowingly hired a North Korean IT worker in 2022. The remote worker, Kou Thao, listed his address as a house in Arizona. However, that house actually belonged to a woman named Christina Chapman, who had been running a laptop farm in service of and funneling paychecks back to the DPRK. Fisker terminated the employee after being notified by the FBI in 2023.

In another example, crypto company Kraken identified a North Korean operative who had applied for a remote IT job using the same email address that had been flagged by the FBI as being a suspected DPRK operative.
Exploitation of Freelancing Platforms
North Korean IT workers sometimes use online freelancing platforms such as Upwork, Freelancer, and Fiverr. These platforms provide an anonymous way to offer IT services to global clients. By bidding on projects from Western companies, these workers can earn hard currency for the DPRK regime while gaining access to potentially sensitive information. The anonymity of these platforms makes it challenging to trace the true identity of the workers.

Software and App Development
A significant portion of North Korean IT workers abroad are engaged in software and app development. They create applications that are marketed to global audiences, often under the banner of foreign companies. These apps can sometimes include malicious code that allows North Korean operatives to conduct surveillance or steal data from users. The revenue generated from these apps also contributes to the regime’s coffers.

Cybercrime and Ransomware
Some North Korean workers are involved in cybercrime activities. This includes the deployment of ransomware, phishing attacks, and hacking. These operations are often coordinated with DPRK state-sponsored hacking groups like the Lazarus Group. The proceeds from these cybercrimes are funneled back to the DPRK regime, helping to fund its nuclear and missile programs.

Manipulation of Cryptocurrency Markets
The DPRK has shown a growing interest in cryptocurrencies to evade international sanctions. IT workers are involved in the manipulation of cryptocurrency markets, including the use of malware to mine cryptocurrencies, hacking of exchanges, and participation in initial coin offerings under false pretenses.
Risks to Western Businesses
The activities of North Korean IT workers pose several significant risks to Western businesses. These risks are not limited to direct financial losses but extend to broader issues such as intellectual property theft, data breaches, and reputational damage.

01 Regulatory and Legal Risks
Western businesses that unknowingly engage with North Korean IT workers may find themselves in violation of international sanctions. These sanctions are designed to isolate the DPRK regime and cut off its access to global financial systems. Companies found to be in violation of these sanctions can face hefty fines, legal action, and restrictions on their ability to operate internationally.

02 Reputational Damage
The association with North Korean IT workers can lead to reputational damage for Western businesses. If it is discovered that a company has inadvertently hired North Korean operatives, even through legitimate channels like freelancing platforms, the company could face public backlash and potential legal consequences. This risk is particularly acute for firms operating in sensitive industries such as defense, finance, and technology.

03 Intellectual Property Theft
By embedding themselves in legitimate IT projects, these workers can gain access to proprietary software, trade secrets, and other forms of intellectual property. This stolen intellectual property can be used to advance the DPRK’s technological capabilities or sold to third parties, including hostile nation states and criminal organizations.

04 Data Breaches and Espionage
North Korean IT workers are often involved in projects that provide access to sensitive data. This data can include personal information, financial records, and corporate secrets. The workers can exfiltrate this data and transmit it back to the DPRK, where it can be used for espionage purposes. The data can also be sold on the dark web, leading to significant financial and reputational damage for the affected companies.
05 Financial Losses from Cybercrime
Western businesses are increasingly targeted by cybercrime activities linked to North Korean IT workers. Ransomware attacks, in particular, have become a significant threat. These attacks can result in substantial financial losses, both from the ransom payments and the costs associated with recovering from the attack. The involvement of North Korean IT workers in these activities adds an additional layer of complexity, as the proceeds are used to fund a hostile regime.

To mitigate these risks, Western businesses must be vigilant in their hiring practices, particularly when engaging with freelancers or third-party IT service providers. Enhanced due diligence, robust cybersecurity measures, and adherence to international sanctions are crucial in protecting against the threats posed by North Korean IT workers.
North Korean IT Workers Abroad
Many North Korean IT workers are dispatched abroad—particularly to countries like the PRC, Russia, parts of Southeast Asia, Africa, and the Middle East—where they work under front companies or use aliases. By understanding where these hubs are located, organizations can prioritize deeper vetting for vendors, freelancers, or subcontractors operating from these regions.

People’s Republic of China
The PRC’s vast digital economy and close geographical proximity to the DPRK make it an ideal base of operations for North Korean IT workers. They often operate in major cities like Dalian, Shenyang, and Beijing. They are typically employed by PRC firms or joint ventures, sometimes even setting up front companies. These IT workers exploit the relatively lax regulatory environment to engage in cyber activities, often targeting Western companies.
Russian Federation
Russia, particularly the Far Eastern regions, hosts a substantial number of North Korean IT professionals. Russia's complex relationship with the West and its challenges with international sanctions make it a conducive environment for North Korean operatives. These workers often secure employment in Russian tech firms or collaborate with Russian cybercriminal networks. The Russian government’s increasingly close relationship with the DPRK provides a degree of protection and operational freedom for these workers.

Southeast Asia
Malaysia, Vietnam, and Cambodia are known to host North Korean IT workers who exploit the burgeoning tech industries and the relatively loose regulatory environments to conduct their operations. They often work in IT outsourcing firms, sometimes even setting up their own businesses. The focus in these countries is typically on software development, website design, and other IT services that can be easily exported to global markets.

Africa and the Middle East
North Korean IT workers also operate in countries like Nigeria, Kenya, and the United Arab Emirates. In these regions, they often engage in activities ranging from software development to more nefarious cyber activities like hacking and ransomware deployment. These workers take advantage of the limited cybersecurity infrastructure in these regions to operate with relative impunity.
The Role of PRC-Based Entities
Strider’s research is powered by our unmatched global data. Using advanced AI technology, Strider collects and processes open-source data in more than 100 languages from 65,000 unique sources worldwide—totaling more than 16 billion documents. This breadth and depth of data enables Strider to uncover complex global threat networks. Using our global organization data, Strider identified potential PRC intermediaries who may be using fraudulent identities to ship equipment for DPRK remote workers.

Strider identified a PRC-affiliated organization referenced in a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) Sanctions notice issued on January 16, 2025.

Liaoning China Trade Industry Co., Ltd (Liaoning China Trade) is a PRC-based company that has shipped equipment to Department 53 of The Ministry of The People’s Armed Forces (Department 53), enabling it to conduct its IT worker activities abroad. These shipments include computers, graphics cards, HDMI cables, and network equipment. Department 53 is an entity subordinate to the DPRK Ministry of National Defense that is known for generating revenue through front companies in various sectors, including information technology (IT) and software development.
OFAC’s sanctions terms state that “all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” OFAC designates Liaoning China Trade for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Department 53, a person whose property and interests in property are blocked pursuant to E.O. 13687.

Further investigation into Liaoning China Trade using Checkpoint, Strider’s proprietary third-party due diligence platform, identified 35 additional organizations linked to the company through organizational and personal connections. Strider’s data strongly indicates that these 35 organizations are affiliated with Liaoning China Trade and therefore could be materially supporting Department 53. This network presents a significant risk to Western businesses, which may unknowingly engage with or rely on entities connected to North Korean operations, exposing them to potential sanctions violations and serious reputational harm.
Three of the identified 35 organizations are:

01 Open-source data indicates that this company is registered in the PRC as a wholesaler and retailer of textiles, building materials, daily necessities, electronics, and more; an organizer of cultural and artistic exchange activities; and the import and export of technology.

02 Open-source data indicates that this company is registered in the PRC as a wholesaler of mineral products, building materials, and chemical products.

03 Open-source data indicates that this company is registered in the PRC as a wholesaler of cosmetics, personal hygiene products, clothing, and daily necessities. However, this differs slightly from how the company is advertised online—as a producer and wholesaler of commercial induction cookers, bathroom mirror cabinets, and backpacks.
Image 1: Screenshot of organizations with affiliation to Liaoning China Trade in Strider’s Checkpoint tool.
Conclusion
This investigation underscores how PRC-based front companies are facilitating the global operations of fraudulent North Korean IT workers. By providing false business affiliations, laundering earnings, and securing access to international platforms, these entities serve as critical enablers of a broader illicit ecosystem. The scope and scale of this network is far greater than most Western companies realize, exposing them to heightened security, compliance, and reputational risks. Addressing this network requires coordinated vigilance across public and private sectors.

While the DPRK’s use of this tactic has been highly publicized, the threat of fraudulently identified workers is far more widespread and systemic. Strider has also uncovered cases of remote workers from the PRC, India, and Pakistan using fake identities, fabricated work histories, and falsified credentials to secure employment within Western businesses, often gaining access to sensitive systems and data. In response to this growing threat, Strider will be launching a new tool designed to help organizations detect and flag falsified resumes during the hiring process, strengthening workforce integrity and reducing the risk of state-sponsored threats.
For access to the list of these organizations affiliated with
Liaoning China Trade, or for more insight into information
detailed in this report and future Strider tools, reach out to
our team via email at
[email protected].