
The Real Risks of Fake Remote Workers

From North Korean freelancers to crypto thieves, there’s a lot of shady stuff out there


The work was solid. The deadlines were met. There was just one problem: the person collecting the paycheck turned out to be a North Korean national using a stolen identity. 

Sounds wild, right? But it’s a real risk; the FBI even released an alert on the topic this summer. 

For Inversion6 CISO Tom Siu, stories like these represent a new frontier in cybersecurity—one where the traditional insider threats meet the new realities of remote work.

"We're dealing with a new type of hybrid insider-outsider threat," Siu said. "Remote work didn't begin with the pandemic, but it exploded during COVID and the hiring/vetting processes also became very liberal."

“Many companies have ended up in this situation when you have remote workers you've never met and maybe never even seen in person,” he added. “But they are inside your environment. And a small percentage of them aren’t who they say they are.”


The Laptop Farm Next Door

Some of the schemes are deceptively simple. A company posts a remote IT position. A candidate with an impressive resume and solid references applies for the job. Background checks come back clean. The hire is made. A company laptop ships to a residential address in Florida—or Texas or California. 

What the company doesn't know is that address is a "laptop farm," where rows of company-issued machines sit on racks, all being remotely accessed by workers who may be thousands of miles away, operating under stolen identities. 

The FBI has documented multiple cases of this exact scenario, with particular attention to the North Korean state-sponsored workers mentioned above, who use these tactics to generate revenue for the regime, bypassing international economic sanctions while stealing IP and gathering compromising information from U.S. companies in the process.

In one case, a blockchain company discovered they'd hired a freelancer operating under a stolen identity, who eventually stole over $1M in cryptocurrency from the firm. Guess where the scam originated? 

But what’s even weirder than a North Korean scammer posing as an IT freelancer?

They often get their work done just fine—at least for a while.

"In most cases, fraudulent workers are really doing the job; or somebody is doing it for them," Siu said. "Think of it like hiring a security guard who does his reports and stands watch every night. But they aren’t who they say they are, and they’re also picking up shiny things on the desks and putting them in their pocket as they walk around.”

Maybe they set up shop and collect the paycheck for a bit. Maybe they’ll eventually exfiltrate some valuable company data. Someday they may even break out the big guns and drop a ransomware bomb.

How Well do you Know your Remote Workers?

While alarming and attention-grabbing, the North Korean issue is just one wild example of a much larger problem. Vetting practices and security procedures have not kept up with the rising tide of remote work.

"It’s really about getting to know your remote workers," Siu said. "For tech workers in particular, think about how much information is out there. Resumes on job boards, personal info on social media. It’s really not that surprising someone is out there trying to get a job as somebody else.”

This is just one of the reasons Inversion6 maintains a 100 percent U.S.-based Security Operations Center.

“These are people our clients trust to monitor their critical infrastructure,” said Siu. “They have access to so much important operational data. To us, this level of access demands a level of verifiable trust we only get from staying stateside.”

The Detection Problem 

These aren't hackers trying to attack from the outside; they're authorized users doing authorized work. Plus, the red flags can be subtle and easy to miss. Many traditional security controls just aren't built to catch this type of complicated insider threat.

Siu pointed to several indicators that might warrant a closer look: employees who seem disengaged but still productive, employees reluctant to take time off (a classic sign someone doesn't want others reviewing their work) or employees who always seem to be active and available, even at odd hours for the corporate location.

But he is also careful not to create a climate of suspicion that could harm legitimate remote workers or foster discrimination. 

"Just because someone looks or sounds different doesn't mean they're a cybersecurity threat," Siu said. "Remote work is a true benefit. It allows you to draw from talent around the country or even around the world. It just requires vigilance." 

"This should be in everybody's risk index," he added. "It's a novel type of risk that needs to be watched. But that doesn’t mean you don’t draw from talent pools wherever they make sense." 

A New Playbook for Remote Hiring

For Siu, addressing this threat requires more than a good SOC. It means rethinking how organizations approach both hiring and incident response.

"Many people think of incident response as a way to deal with external threats," he said. "They need to make sure that their processes are agile enough to cover these types of creative insider threats as well."

"And it's got to be a combined organizational effort," Siu said. “HR needs to be involved in basic identity vetting, so fewer suspicious candidates make it through vetting. Security operations needs to monitor for any unusual behavior patterns, such as the utilization of the corporate VPN service. Even marketing teams can often pick up on suspicious behavior in their regular interactions.”

Technical controls matter too. Least privilege access—giving users only the permissions they absolutely need—becomes critical when you can't personally verify who's actually behind the keyboard. 

Siu often recommends enforcing mandatory vacation time for developers—a practice that dates back to traditional financial controls but serves a dual purpose in cybersecurity. 

"Make your programmers take a short vacation," Siu said. "If they're stealing stuff, they don't want to take leave because someone else might see their code and find the backdoors they put in." 

Verify, then Trust

The remote work revolution has opened up many new opportunities for companies and workers alike. It has also opened new attack vectors many organizations still haven't fully grasped.

"Bottom line, you need to be able to know who your remote workers are, where they are and what they're accessing at all times," Siu said. "And even if you trust someone explicitly, you still need to be watching social engineering to make sure they aren’t getting phished and having identities stolen and used against you."

Sounds simple, but it’s far from the norm right now. 

Here’s the good news. The same security fundamentals that protect against external threats can also help here: strong authentication, least privilege access, continuous monitoring and regular security awareness training.

The real difference is the mindset and the breadth of engagement needed. Instead of assuming threats are always trying to break down the door, companies need to consider whether or not they are inadvertently inviting them inside. Cybersecurity needs to partner with HR, recruiting and pre-employment vetting to identify suspect applications.

"A lot of awareness training doesn't necessarily focus on insider threats, and when they do it’s often about disgruntled employees or someone misbehaving,” said Siu. “But these are very specific, very calculated insider threats and people need to be aware of them.”

As remote work continues to reshape how companies operate, the organizations that thrive will be those that can balance openness with vigilance—trusting their teams while maintaining the controls that make that trust possible. 

Want to assess your organization's risk from remote worker threats?

The Inversion6 team can help evaluate your current controls and develop an incident response strategy that accounts for both external and insider threats.