Conceptual network diagram of DPRK scam | Image: Nisos
In an attempt to infiltrate the cybersecurity industry itself, a suspected North Korean (DPRK) IT worker recently targeted Nisos, a firm that specializes in identifying exactly these types of insider threats. The investigation, detailed in a new research report, reveals a sophisticated web of stolen identities, AI-generated personas, and a physical “laptop farm” hidden in a Florida residence.
The operative applied for a remote Lead AI Architect role, posing as a Florida-based expert. However, Nisos used a combination of pre-employment OSINT (Open-Source Intelligence) and targeted interview questions to dismantle the ruse.
The investigation identified several tell-tale tactics, techniques, and procedures (TTPs) common to the DPRK remote work scheme:
- Infrastructure Obfuscation: The operative connected via Astrill VPN IP addresses and used a VoIP phone number to mimic a local Florida presence.
- AI-Enhanced Resume: The candidate’s resume was a “mirrored” version of the job description. As the report states: “The operative likely used an AI chatbot to create his resume as the resume repeated many of the skills mentioned in the Lead AI Architect job description”.
- Identity Theft: The persona was built using the PII (Personally Identifiable Information) of a real Florida resident, including their name, university, and previous employer.
The ruse began to crumble during the virtual interview. Researchers noted that the operative frequently looked away from the camera, seemingly waiting for an AI chatbot to generate responses. To confirm their suspicions, interviewers asked a “fake” question about a fictitious “Hurricane George” supposedly impacting Florida.
When asked to screenshare and walk through his work, the operative’s behavior shifted dramatically. According to the report: “the operative appeared to frantically close tabs on his screen and left the interview”.
The investigation didn’t stop at the interview. Nisos sent a corporate laptop to the mailing address provided by the operative—an address that was notably different from the one on the stolen-identity resume.
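The indicators listed above (VPN-sourced connections, a resume mirroring the job description) and the shipping-address mismatch just described can be turned into a simple pre-employment screening pass. The following is an added example, not Nisos's tooling: the VPN ranges are constructed placeholders from RFC 5737 documentation space, and the candidate record is constructed.

```python
"""Pre-employment screening heuristics modelled on the TTPs in the Nisos report.
Added example, not Nisos's tooling. The VPN ranges are constructed placeholders
(RFC 5737 documentation space); a real deployment would load a maintained
commercial-VPN feed and add a carrier-type lookup for VoIP numbers."""
import ipaddress
import re

# Constructed placeholder ranges standing in for a commercial-VPN IP feed.
KNOWN_VPN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

def _tokens(text):
    return re.findall(r"[a-z0-9+#.]+", text.lower())

def _ngrams(tokens, n):
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def mirror_ratio(resume, job_description, n=3):
    """Fraction of the job description's word trigrams reused verbatim in the resume.
    A resume assembled by pasting the JD into a chatbot scores close to 1.0."""
    jd = _ngrams(_tokens(job_description), n)
    return len(jd & _ngrams(_tokens(resume), n)) / len(jd) if jd else 0.0

def ip_in_known_vpn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_RANGES)

def _norm_addr(addr):
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def screen_candidate(c, mirror_threshold=0.5):
    """Return human-readable flags; an empty list means no heuristic fired."""
    flags = []
    ratio = mirror_ratio(c["resume"], c["job_description"])
    if ratio >= mirror_threshold:
        flags.append(f"resume mirrors job description ({ratio:.0%} of JD trigrams reused)")
    if ip_in_known_vpn(c["applicant_ip"]):
        flags.append("applicant connected from a known commercial VPN range")
    if _norm_addr(c["resume_address"]) != _norm_addr(c["shipping_address"]):
        flags.append("laptop shipping address differs from resume address")
    return flags

# Constructed sample candidate reproducing the three indicators from the report.
SUSPECT = {
    "job_description": "Design and deploy large language model pipelines using PyTorch and Kubernetes",
    "resume": "I design and deploy large language model pipelines using PyTorch and Kubernetes daily.",
    "applicant_ip": "203.0.113.77",
    "resume_address": "12 Palm Ave, Tampa, FL 33601",
    "shipping_address": "900 Ocean Dr, Miami, FL 33139",
}
```

`screen_candidate(SUSPECT)` returns all three flags; any single flag is only a prompt for the kind of targeted interview questions the report describes, not a verdict on its own.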
By accessing the laptop’s built-in camera, Nisos discovered a laptop farm located in what appeared to be a closet. The network was administered via PiKVM devices, which allow for stealthy, remote hardware-level control.
- Scale of Operation: The researchers identified approximately 40 devices on the network, with 20 likely belonging to the farm.
- Cross-Company Impact: Each PiKVM machine was running a different laptop for a different “employee” name at a different victim company.
The report concludes that “The North Korean IT worker scheme is pervasive and targets companies of all sizes across numerous industries and countries”. Beyond the loss of wages, hiring these operatives exposes organizations to massive IP breaches and regulatory sanctions.