Since at least 2020, intelligence and law enforcement have documented a sustained North Korean effort to place skilled IT personnel into remote roles at foreign companies. These operators use falsified or stolen identities, facilitators, and so called laptop farms to appear locally resident while they are in fact overseas. The scheme has proven capable not only of generating revenue for Pyongyang but also of yielding access to proprietary systems and sensitive data when operators are placed in privileged technical roles.

Private sector threat hunting in 2024 highlighted the operational model at scale. Analysts observed adversaries obtain legitimate remote employment, use remote monitoring and management and remote-desktop tooling to blend in, and exfiltrate code and documents from source control and cloud storage. Where defenders rely on weak prehire verification or allow unmanaged personal devices to connect to internal resources, these tactics let adversaries persist as low profile insiders.

U.S. enforcement actions in 2023 and 2024 show how the ecosystem works in practice. Arrests and indictments tied to facilitators and laptop farms demonstrated the role of third parties who receive hardware, forward payments, or create fake identities to validate these false personas. Those actions also underscore the national security stakes when adversary earnings and stolen intellectual property are repurposed to support weapons programs.

What this means for EU defence suppliers

Although much of the documented activity through mid 2024 focused on U.S. victims, the underlying mechanics are globally portable. European defence contractors and their supply chains share the same recruiting platforms, remote collaboration tools, and BYOD policies that the adversary exploits. That makes them attractive targets for talent focused collection missions as well as for operators seeking serve as entry points for later follow on intrusions. The risk is especially acute where contractors provide firmware, avionics software, flight control algorithms, or CAD files for air systems and unmanned platforms. Compromise of those assets can translate into operational and kinetic advantages for adversaries.

Tactics to watch for

  • Fabricated or stolen identities supported by false LinkedIn, GitHub, and email histories, sometimes validated by unwitting or complicit facilitators.
  • Use of remote monitoring and management and remote-desktop tooling to administer work on machines that appear to be local.
  • Laptop farms and intermediary recipients who receive company hardware and act as geographic proxies for the operator.
  • Payment flows and account patterns that obscure final beneficiaries and route compensation through intermediaries.

Practical mitigations for European defence organisations

1) Harden prehire identity verification

Insist on multi factor identity proofing before extending privileged technical access. Require live video interviews and step up checks on educational and work history for roles touching sensitive assets. Simple HR process changes have high return on investment because they close the initial deception vector used in these schemes.

2) Eliminate or strictly control BYOD for high risk roles

Where source code, firmware, or sensitive CAD files are handled, require company managed endpoints with enforced EDR, full disk encryption, and centralized logging. If remote contractors must be used, provision and manage dedicated hardware and VPN endpoints rather than permitting unmanaged personal laptops.

3) Restrict and monitor RMM and remote-desktop tooling

Treat RMM and remote-desktop applications as high risk controls. Block or proxy unapproved RMM tools, require just in time access, and correlate their usage with identity and device posture signals in identity protection systems. Hunt for unusual RMM sessions that originate from anomalous IP ranges or that are initiated by accounts with thin identity signals.

4) Contractual and supply chain hygiene

Put precise obligations into contracts with subcontractors and freelance platforms. Require provenance attestations, code escrow where appropriate, and audit rights for supplier endpoints. Perform targeted backgrounding for suppliers handling critical subsystems. Contracts should prohibit routing pay to third party facilitators and require transparency for account beneficiaries.

5) Operational detection and incident playbooks

Deploy detection rules that look for credential use from improbable geolocations, unusual repository checkouts, mass RMM connections, or exfiltration to new cloud accounts. Predefine legal and remediation playbooks that include notifying procurement, HR, and relevant national authorities when a suspected state directed remote worker is detected. Coordination between corporate incident response and national CERTs can speed containment.

Policy and cross border considerations

European governments and industry bodies should assume the adversary will pivot to jurisdictions offering lower scrutiny if enforcement increases in other regions. That means harmonising identity verification standards across NATO and EU procurement frameworks, sharing indicators of compromise, and expanding awareness campaigns for HR and procurement teams. Public private cooperation should include clear reporting channels for suspected facilitators and laptop farms and, where necessary, targeted sanctions on entities that facilitate the scheme.

Conclusion

The remote worker model is not simply a fraud against payroll systems. It is an asymmetric vector that blends cyber, financial, and human deception to reach into the software and hardware that underpin modern defence systems. European defence firms can reduce their exposure quickly by hardening identity proofing, removing unmanaged devices from sensitive workflows, limiting RMM tool usage, and adopting supply chain contractual protections. Waiting until an incident reveals an operator inside your network is an avoidable failure in basic cyber hygiene. The time to act is during hiring and onboarding, not after compromise.