
Do you have foreign spies on your payroll? It is more likely than you might think.

Kevin Prendergast

Introduction


On January 23, 2025, the U.S. Department of Justice announced the indictment of five individuals, including two North Korean nationals, for operating a sophisticated scheme where North Korean operatives posed as U.S.-based remote IT workers to deceive American companies. The operation lasted for over six years, involved 64 U.S. companies and funneled more than $866,000 to the Democratic People’s Republic of Korea (DPRK).


These funds were laundered through Chinese bank accounts, ultimately supporting North Korea’s weapons programs. The investigation uncovered the use of U.S.-based "laptop farms," where company-provided devices were manipulated to create the illusion of local employment while enabling North Korean operatives to access corporate networks from abroad. This case underscores the escalating risks U.S. companies face from external and internal cyber threats.


In this White Paper, we’ll explore how companies can protect themselves against these covert risks. From understanding the tactics used by foreign spies to adopting more thorough and robust pre-employment screening practices, we’ll examine actionable strategies that safeguard your workforce, your clients, and your reputation. Because when it comes to insider threats, vigilance isn’t just important—it’s essential.


Other Notable Cases and Government Alerts


This recent indictment is not an isolated incident but part of a broader trend of foreign adversaries exploiting U.S. businesses.


• In December 2024, fourteen North Korean nationals were indicted for using fake identities to obtain U.S.-based jobs. Numerous companies were deceived into paying over $88 million in wages, which were funneled through Chinese banks to fund North Korean military programs. The Department of Justice press release stated, “While we have disrupted this group and identified its leadership, this is just the tip of the iceberg. The government of North Korea has trained and deployed thousands of IT workers to perpetrate this same scheme against U.S. companies every day.”


• In August 2024, federal authorities arrested a Nashville man for operating a "laptop farm" that facilitated North Korean nationals’ fraudulent employment in U.S. tech companies. Using stolen identities and AI-manipulated photos, these operatives accessed sensitive corporate systems, earning significant revenue for the DPRK regime.


• A May 2024 case involved an Arizona woman who raised $6.8 million through schemes that placed North Korean IT workers in over 300 U.S. companies, leveraging compromised identities and falsified documentation.


• The FBI and other agencies have repeatedly warned about the risks posed by foreign IT workers, particularly from North Korea and China. In May 2022, a tri-agency public advisory highlighted tactics such as pseudonymous online profiles, VPNs, and stolen credentials used by DPRK operatives. Updated guidance issued in October 2023 and May 2024 emphasized the increasing sophistication of these schemes, including the use of AI for identity spoofing and remote desktop protocols to bypass security controls.


• In November 2024, the New York Department of Financial Services (DFS) issued a cybersecurity advisory emphasizing the threats posed by remote technology workers with ties to the DPRK. The advisory outlined risks including the use of false identities, VPNs, and device diversion, urging businesses to implement enhanced hiring practices, including thorough background investigations.


Corporate espionage and insider threats are not confined to multinational corporations or government agencies. Today, businesses of all sizes are vulnerable, particularly in industries where trust, discretion, and access to sensitive information are required. Cybersecurity measures may block external hackers, but what about the threat within—someone with authorized access who uses it for malicious intent?


In a recent interview with NPR, Mike Casey, Director of the United States National Counterintelligence Center stated, "It's not just the Russians stealing secrets from the State Department anymore, it's everybody trying to steal all sorts of intellectual property, going after critical infrastructure. The list goes on and on. The scale is impressive and terrifying.”


The stakes are higher than ever. The rise in global competition, increased geopolitical tensions, and the push for innovation have made proprietary data a valuable target for espionage. Foreign actors, including governments and state-sponsored entities, are leveraging insiders to gain access to intellectual property, trade secrets, and confidential client information.


For many organizations, the risks posed by these internal threats remain dangerously underestimated. While companies will spend billions on software and technology to protect against outside threats, they often fail to allocate resources to protect the weakest link in their line of defense: their own employees, contractors, and other insiders. Many firms rely upon inexpensive, quick and ineffective background checks which may be adequate for verifying information but are completely inadequate to uncover intentional deception and fraud.


According to Cybersecurity Insiders’ recent 2024 Insider Threat Report:


· 83% of organizations reported at least one insider attack in the last year.

· 32% of the organizations that dealt with insider threats in the last year reported the average cost to fully recover was between $100,000 and $499,000.

· 21% of respondents reported much steeper costs, ranging between $1 million and $2 million.


The Threat Landscape: Evolving Risks in a Digital World


Recent cases of foreign actors infiltrating Western companies under false pretenses illustrate the severe consequences of inadequate vetting processes. The implications of such vulnerabilities extend beyond financial losses and can include reputational harm and client distrust.


Potential Exposure:


  1. Corporate Espionage: Theft of sensitive data by insiders remains a persistent challenge. For instance, a former IT employee at a U.S. company stole trade secrets worth $120 million to start a competing company in China.


  2. Regulatory Scrutiny: Government regulators have increasingly scrutinized companies’ disclosures and security measures to prevent insider threats, as seen in a recent case where a financial firm was fined $500,000 for security lapses.


  3. U.S. Sanctions & Enforcement: The U.S. Treasury’s OFAC can impose financial sanctions, criminal charges, and civil penalties on individuals and entities.


  4. Criminal Repercussions for U.S. Individuals. Individuals within U.S. businesses who fail to adequately protect against these risks can face:

    1. Up to 20 years in prison for willful violations.

    2. Fines up to $1 million or twice the transaction amount.


  5. Banking Exclusions. Financial institutions may lose access to U.S. banking systems if found to be facilitating DPRK transactions.


  6. Stolen Identities and Fraudulent Applications: Fraudsters leverage stolen identities to secure high-level roles, gaining unauthorized access to sensitive client and company data.


  7. Insider Threats and Data Theft: Operatives embedded in firms have stolen proprietary information and demanded ransoms, disrupting operations.


  8. National Security Risks: Missteps in hiring can inadvertently support adversaries, including state-sponsored actors, by exposing critical industries.


Advisory from the New York Department of Financial Services


In November 2024, the New York Department of Financial Services (DFS) issued a cybersecurity advisory emphasizing the threats posed by remote technology workers with ties to the Democratic People’s Republic of Korea (North Korea). This advisory is particularly relevant for financial firms operating in New York and provides critical guidance for mitigating the risks of foreign threat actors. However, the advisory should be used as a guide for all employers, since the threat of foreign actor corporate espionage extends well beyond New York.


Key Threats Identified by DFS:


  • Use of False Identities: North Korean threat actors frequently use stolen or fabricated identities to secure remote IT positions. These identities may be supported by U.S.-based co-conspirators who assist with documentation, account creation, and pre-employment screenings.


  • VPN and Proxy Usage: These actors use virtual private networks (VPNs) to disguise their true locations, often appearing to be based in the U.S.


  • Device Diversion and Remote Access: Companies are asked to ship devices to alternate locations where threat actors remotely access systems. Once embedded, these actors use native tools to blend into normal activity and avoid detection.


Among the recommended steps discussed in the advisory are enhanced hiring practices, including conducting thorough background investigations and identity verification, requiring multiple official documents and scrutinizing social media accounts.


Implications for Financial Firms:


The DFS advisory highlights the evolving tactics of foreign threat actors and underscores the importance of rigorous hiring practices. For financial firms, failure to address these threats can lead to regulatory penalties, reputational damage, and significant financial losses.


The Role of Thorough Background Investigations


Thorough background investigations are a cornerstone of risk management. Unlike quick, superficial background checks, in-depth investigations are specifically designed to uncover fraud, deception, and discrepancies that might otherwise go unnoticed.


In addition to criminal record checks and other public record searches, effective background investigations should include the following elements:


1. Employment Verification


  • Objective: Validate the candidate’s stated work history, roles, and responsibilities.


  • Focus Areas:

    • Gaps in Employment: Identify unexplained periods that may conceal prior absence from the U.S., disciplinary actions or terminations. Most background checks do not search for these gaps. Employers should always inquire about gaps in employment.

    • Inaccurate Dates and Titles: Confirm accurate timelines and job titles, which can expose fabricated credentials or exaggerated qualifications.

    • Undisclosed Employments: Search for employers that the candidate failed to disclose on their application documents. In many cases, candidates will seek to hide prior employers where the employment relationship was unsatisfactory or where the candidate engaged in multiple employments simultaneously.

    • Periods of Concurrent Employments: Check employment histories for instances where the individual worked for multiple employers simultaneously. Holding multiple jobs at the same time is a red flag for many potential employment issues including laptop farms.

    • Fake verifications: Always use official channels to confirm employment information such as an employer office number. Employers should not accept verifications through emails or mobile phone numbers.


  • Case in Point: As shown in Thuro case studies, in-depth investigations have uncovered instances where applicants falsified employment histories or used fraudulent references. For example, one investigation revealed a candidate leveraging falsified employment history from major firms to obtain a position at a Big 4 accounting firm. This was only detected through RAI’s meticulous verification process and the client was saved from a potential hiring disaster. At the time we conducted our background investigation, the individual was employed at another large accounting firm.
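The employment-verification checks described above (unexplained gaps, concurrent employments, undisclosed employers, and dates or titles that differ from what the candidate claimed) can be run mechanically once records have been obtained through official channels. The following is an added example and is not Thuro's code or process; the two work histories, the 90-day gap threshold and the 31-day date tolerance are constructed for illustration and should be replaced with an organization's own records and policy.

```python
"""Consistency checks on a candidate's work history (added example, not the paper's own)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employment:
    employer: str
    start: date
    end: date      # for a current job, pass the as-of date of the check
    title: str


def find_gaps(records, min_days=90):
    """Return (gap_start, gap_end, days) for periods longer than min_days with no employment."""
    if not records:
        return []
    gaps = []
    ordered = sorted(records, key=lambda r: r.start)
    latest_end = ordered[0].end
    for rec in ordered[1:]:
        if rec.start > latest_end:
            days = (rec.start - latest_end).days
            if days > min_days:
                gaps.append((latest_end, rec.start, days))
        latest_end = max(latest_end, rec.end)
    return gaps


def find_concurrent(records):
    """Return employer pairs whose date ranges overlap (a laptop-farm red flag per the text)."""
    pairs = []
    ordered = sorted(records, key=lambda r: r.start)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            # Sorted by start date, so the two overlap exactly when b starts before a ends.
            if b.start <= a.end:
                pairs.append((a.employer, b.employer))
    return pairs


def compare_claims(claimed, verified, tolerance_days=31):
    """Flag employers missing from the application and date/title mismatches (tolerance is an assumption)."""
    claimed_by = {c.employer.lower(): c for c in claimed}
    findings = []
    for v in verified:
        c = claimed_by.get(v.employer.lower())
        if c is None:
            findings.append(("undisclosed_employer", v.employer))
            continue
        if (abs((v.start - c.start).days) > tolerance_days
                or abs((v.end - c.end).days) > tolerance_days):
            findings.append(("date_mismatch", v.employer))
        if v.title.lower() != c.title.lower():
            findings.append(("title_mismatch", v.employer))
    verified_names = {v.employer.lower() for v in verified}
    for c in claimed:
        if c.employer.lower() not in verified_names:
            findings.append(("unverified_employer", c.employer))
    return findings


def screen_history(claimed, verified, min_gap_days=90):
    """Run all three checks; gaps and overlaps are computed on the verified timeline."""
    return {
        "gaps": find_gaps(verified, min_gap_days),
        "concurrent": find_concurrent(verified),
        "discrepancies": compare_claims(claimed, verified),
    }


# Constructed sample data: what the candidate wrote on the application ...
CLAIMED = [
    Employment("Acme Corp", date(2018, 1, 1), date(2020, 6, 30), "Software Engineer"),
    Employment("Globex", date(2021, 3, 1), date(2023, 12, 31), "Senior Software Engineer"),
]
# ... versus what official employer channels confirmed (hypothetical employers).
VERIFIED = [
    Employment("Acme Corp", date(2018, 1, 1), date(2020, 6, 30), "Software Engineer"),
    Employment("Globex", date(2021, 6, 1), date(2023, 12, 31), "Software Engineer"),
    Employment("Initech", date(2022, 1, 1), date(2023, 6, 30), "Contractor"),
]

if __name__ == "__main__":
    for kind, items in screen_history(CLAIMED, VERIFIED).items():
        print(kind, items)
```

On the sample data the verified timeline shows a 336-day gap between Acme Corp and Globex, an undisclosed Initech engagement that ran concurrently with Globex, and a Globex start date and title that do not match the application. Each finding is a prompt for the follow-up inquiry the text recommends, not a conclusion on its own.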


2. Educational Verification


  • Objective: Confirm the authenticity of degrees, certifications, and attendance records.


  • Focus Areas:

    • Verification of Degrees: Ensure claimed credentials were earned from accredited institutions. Always use an official source for verifications and NEVER rely solely upon candidate-supplied information or a verification from an unknown cell phone user or email recipient.

    • Timelines: Identify inconsistencies in attendance dates or degree completion timelines, which may suggest falsified educational claims. While some slight inaccuracies may prove to be innocent mistakes, larger inaccuracies may be an attempt to hide periods of incarceration, absence from the workforce or unsatisfactory employment periods.


  • Case in Point: RAI’s investigations regularly reveal discrepancies in educational claims that would have been missed by database-reliant providers. Such scrutiny ensures firms can trust the qualifications of their hires, especially for roles requiring specific credentials. Falsified educational credentials are a common tactic for foreign threat actors and others with nefarious intent.


3. Identity Verification


  • Objective: Authenticate the candidate’s identity using secure methods.


  • Advanced Techniques:

    • Biometric Verification: Match facial scans to submitted identification documents to confirm authenticity.

    • Liveness Detection: Use real-time biometric interaction to ensure the presence of a live person, mitigating risks from AI-generated or static image fraud.

    • AI-Driven Fraud Detection: Cross-reference multiple data sources to flag anomalies in identity claims.


  • Case in Point: Quick background checks often fail to detect identity fraud, as demonstrated in Thuro’s case studies where individuals assumed false identities to gain employment at U.S. firms. Thuro’s advanced identification technology prevented potential catastrophes by exposing these deceptions.


4. The Critical Role of Ongoing Employment Monitoring


Ongoing employment monitoring is a critical best practice to mitigate risks, particularly in cases where individuals or networks reuse the same fraudulent identities across multiple jobs. Spy networks, like those involving North Korean IT workers, have exploited this vulnerability by using shared or fabricated identities to operate undetected for extended periods.


Why Ongoing Monitoring is Critical:


  1. Dynamic Risk Landscape: Employee risks can evolve after hiring, including changes in financial status, criminal activity, or affiliations that may raise red flags.


  2. Identity Reuse and Sharing: Fraudulent actors often share or reuse identities, which ongoing checks can help identify through repeated patterns across multiple employment contexts.


  3. Access Oversight: Regular monitoring ensures employees’ access levels remain appropriate for their roles and can detect anomalous behavior indicative of insider threats.


Recommendations for Employers:


  1. Implement Scheduled Rechecks: Conduct comprehensive background reviews every 12-24 months for employees in sensitive or high-risk roles.


  2. Train HR and Compliance Teams: Educate staff on identifying and responding to signs of identity fraud or shared employment credentials.


  3. Collaborate Across Sectors: Join industry groups or initiatives focused on fraud detection and prevention.


5. The Importance of Social Media Checks in Combating Corporate Espionage


Corporate espionage often hinges on the exploitation of weak links within an organization—individuals whose motivations, affiliations, or vulnerabilities make them susceptible to external influence. In an era where social media has become a window into personal and professional lives, it is an invaluable tool for identifying potential risks, particularly in combating insider threats and espionage.


Social media checks provide insights that go beyond traditional background screenings. They uncover patterns of behavior, affiliations, and activities that may not surface in criminal record checks or employment verifications. These insights are crucial for detecting warning signs of potential corporate espionage risks, such as:


  1. Undisclosed Affiliations: Social media activity can reveal affiliations with competitors, foreign governments, or organizations that pose a conflict of interest. A seemingly innocuous connection on LinkedIn or a group membership on Facebook may indicate a deeper relationship that warrants investigation.


  2. Behavioral Red Flags: Posts or interactions that suggest dissatisfaction with current employment, financial instability, or susceptibility to coercion are critical indicators of vulnerability. These traits can make employees targets for external actors seeking to exploit their access.


  3. Digital Footprints of Espionage Activity: Social media platforms often leave a digital trail of unusual activities, such as frequent contact with individuals in high-risk regions, sharing sensitive information, or engaging in encrypted communication. These patterns can signal a need for closer scrutiny.


  4. Reputational Concerns: Corporate espionage isn’t just about stealing trade secrets—it’s also about reputation management. Social media can expose posts or behaviors that compromise a company’s values or ethics, indirectly threatening its standing and trustworthiness.


Leveraging Social Media Checks Effectively


The New York Department of Financial Services (DFS) has recognized the importance of social media checks, recommending them as a critical component of thorough pre-employment screening practices. By integrating these checks into their hiring and monitoring protocols, organizations can proactively identify and mitigate risks associated with espionage.

To maximize the effectiveness of social media background checks, companies should adopt the following practices:


  1. Implement Targeted Screening: Focus on identifying specific risks such as undisclosed conflicts of interest, ties to competitors, or behaviors that compromise security. Customizing searches to align with industry-specific risks ensures relevance and efficiency.


  2. Partner with Compliance-Focused Providers: Social media screening requires a balance between extracting actionable insights and respecting privacy and legal constraints. Partnering with providers like Thuro assists in compliance with regulations such as the Fair Credit Reporting Act (FCRA) while delivering detailed and accurate reports.


  3. Incorporate Continuous Monitoring: Social media activity is dynamic, meaning that risks can emerge post-hire. Continuous monitoring allows organizations to track behavioral changes or emerging red flags in real time, enhancing their ability to respond to evolving threats.


  4. Train Decision-Makers: HR and compliance teams must be equipped to interpret social media findings responsibly, avoiding biases while acting decisively on legitimate concerns.


A Critical Tool in Combating Espionage


Social media checks are no longer optional—they are essential in a world where digital footprints can expose both opportunities and threats. By incorporating these checks into pre-employment and ongoing risk management practices, organizations can better safeguard against the internal vulnerabilities that corporate espionage exploits. Thuro specializes in compliance-driven social media screening solutions, ensuring that companies not only detect risks but also act on them responsibly and effectively. When it comes to protecting your workforce, intellectual property, and reputation, vigilance on social media is a critical line of defense.


Best Practices for Protecting Your Business


To mitigate risks from laptop farms and insider threats, businesses should adopt a proactive and comprehensive security strategy:


  1. Strengthen Hiring and Onboarding Processes:

    • Implement robust identity verification, including biometric or fingerprint logins.

    • Use platforms like E-Verify to confirm employment eligibility.

    • Educate HR staff on the red flags associated with fraudulent IT worker schemes.


  2. Enhance Network Monitoring and Access Controls:

    • Enforce the principle of least privilege, limiting access to sensitive systems.

    • Disable local administrator accounts and prohibit unauthorized remote desktop software.

    • Monitor network traffic for anomalies, particularly during non-business hours.


  3. Implement Insider Threat Detection Programs:

    • Establish a counterintelligence (CI) team to identify and neutralize threats.

    • Regularly audit third-party vendors’ hiring practices to ensure compliance with security standards.


  4. Promote Employee Awareness and Reporting:

    • Train employees on cybersecurity best practices and the risks posed by insider threats.

    • Encourage reporting of suspicious activities, such as anomalous login patterns or data transfers.


  5. Collaborate with Government Agencies:

    • Partner with the FBI and other agencies to stay informed about emerging threats.

    • Report incidents promptly to the FBI’s Internet Crime Complaint Center (IC3).


  6. Regularly Update Security Protocols:

    • Conduct periodic penetration testing to identify vulnerabilities.

    • Stay updated on the latest threat intelligence and adjust security measures accordingly.
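Best practice 2 (network monitoring and access controls) and the device-diversion pattern described in the DFS advisory translate into concrete detections: successful sign-ins outside business hours, several distinct accounts authenticating from one source address (a laptop-farm indicator), and execution of remote-desktop tools the organization has not approved. The following is an added example and is not part of the original white paper; the log format, the sample lines, the 08:00-18:00 business-hours window, the three-account threshold and the remote-access tool denylist are all constructed assumptions to be replaced with an organization's own telemetry and policy.

```python
"""Three insider-threat detections over constructed access logs (added example, not the paper's own)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simple key=value format (not from any real product).
# Source addresses use the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.
SAMPLE_LOGS = """\
2025-02-03T09:05:00 login user=alice src=198.51.100.10 result=success
2025-02-03T09:07:00 login user=bob src=198.51.100.11 result=success
2025-02-03T02:40:00 login user=carol src=203.0.113.7 result=success
2025-02-03T02:42:00 login user=dave src=203.0.113.7 result=success
2025-02-03T02:45:00 login user=erin src=203.0.113.7 result=success
2025-02-03T10:15:00 process user=alice src=198.51.100.10 name=excel.exe
2025-02-03T02:50:00 process user=carol src=203.0.113.7 name=anydesk.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<fields>.*)$")

# Policy assumptions for the example; an organization sets these from its own approved-software list.
BUSINESS_HOURS = (8, 18)                       # local-time hour window, Monday to Friday
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}   # example denylist of unapproved tools
SHARED_SOURCE_THRESHOLD = 3                    # distinct accounts from one address before alerting


def parse_line(line):
    """Parse one 'timestamp event k=v k=v ...' line into a dict; None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")), "event": m.group("event"), **fields}


def parse_logs(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """Successful sign-ins on a weekend or outside the business-hours window."""
    start, end = hours
    return [
        e for e in events
        if e["event"] == "login" and e.get("result") == "success"
        and (e["ts"].weekday() >= 5 or not start <= e["ts"].hour < end)
    ]


def shared_source_logins(events, threshold=SHARED_SOURCE_THRESHOLD):
    """Source addresses from which at least `threshold` distinct accounts signed in successfully."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e.get("result") == "success":
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= threshold}


def unapproved_remote_tools(events, tools=REMOTE_ACCESS_TOOLS):
    """Process-start events for remote-desktop software on the denylist."""
    return [
        (e["user"], e["name"]) for e in events
        if e["event"] == "process" and e.get("name", "").lower() in tools
    ]


def analyze(text):
    events = parse_logs(text)
    return {
        "off_hours_logins": off_hours_logins(events),
        "shared_sources": shared_source_logins(events),
        "remote_access_tools": unapproved_remote_tools(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(name, hits)
```

On the sample lines the three 02:40-02:45 sign-ins by carol, dave and erin are flagged twice over: as off-hours activity and as three separate accounts coming from the single address 203.0.113.7, which is the shape a shipped-device laptop farm presents from inside the network. The anydesk.exe start by carol is flagged as an unapproved remote-access tool. Any one signal may be benign; the combination is what warrants an investigation by the CI team the text recommends.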


Conclusion: Safeguarding Client Trust Through Diligence


With over seven decades of experience serving the world's largest firms, Thuro has developed a proven methodology that combines advanced verification tools, deep investigative techniques, and ongoing monitoring to mitigate insider threats. Our investigations have consistently uncovered hidden deceptions, from fabricated employment histories to stolen identities, protecting our clients from operational, financial, and reputational disasters.


By leveraging our expertise, Thuro assists companies in reducing risks posed by insider threats by ensuring that:


  • Insider Threats Are Neutralized: Our robust processes identify and mitigate risks posed by individuals with malicious intent or fraudulent credentials.

  • Client Data Is Secure: From trade secrets to privileged information, we safeguard what matters most by verifying the integrity of those with access.

  • Compliance Standards Are Met: With a commitment to regulatory excellence, RAI helps firms avoid penalties and maintain stakeholder trust.


The threat of laptop farms and insider schemes orchestrated by foreign adversaries is a clear and present danger to U.S. businesses. The recent indictments and advisory updates highlight the sophistication and persistence of these threats. By adopting rigorous hiring practices, enhancing network security, and fostering collaboration with government agencies, businesses can protect themselves from becoming unwitting enablers of economic espionage. The stakes are high, but with proactive measures, organizations can safeguard their assets and contribute to the broader effort to neutralize these threats.


Kevin Prendergast is the President at Thuro, a corporate investigative firm serving clients since 1953. Kevin oversees the compliance program at Thuro and works with clients and their counsel in developing legally compliant corporate investigation programs. Kevin graduated from the Cleveland Marshall College of Law and has been licensed to practice law since 1987. He is a member of the Professional Background Screeners Association and he holds advanced FCRA Certification from the PBSA. Thuro is accredited by the PBSA and is a member of the Better Business Bureau. You can contact Kevin at kprendergast@thuro.ai. 
