
US, Australia to crack down on growing threat of North Korean remote workers

The United States Department of State has announced a partnership with the Australian Department of Foreign Affairs and Trade to crack down on the threat of information technology workers from North Korea.

Robert Dougherty, Tue, 07 Apr 2026

Representatives from both countries recently attended a “Protecting Industry from North Korean Threats” symposium hosted in partnership with Global Affairs Canada, DTEX, and Mandiant in Sydney late last month.

Australia and the US are becoming increasingly concerned about the growing scale and sophistication of North Korean workers posing as legitimate remote professionals to infiltrate private sector organisations, generate revenue for the Democratic People’s Republic of Korea (DPRK) government and conduct malicious cyber activity.

“DPRK IT workers employ increasingly deceptive tactics, including the use of fabricated identities, fraudulent credentials, and AI-generated personas to secure remote employment,” according to a public statement from the US Department of State.

“Once hired, they may access sensitive corporate systems, steal intellectual property, and extort their employers.

“In response to these threats, the United States and Australia, with support from Canada, convened government officials together with industry leaders in the fight against these threats, including DTEX and Mandiant.”

The Multilateral Sanctions Monitoring Team estimated in its October 2025 report that DPRK cyber actors and IT workers have stolen over US$2.8 billion in cryptocurrency since January 2024 and earned an estimated US$350–800 million in revenue in 2024, enabling the financing of the DPRK’s weapons of mass destruction and ballistic missile programs in violation of UN Security Council sanctions.

The US Department of State and the FBI have announced rewards for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea and/or information on individuals who, at the direction or under the control of a foreign government, participate in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act.

Late last year, the Australian Sanctions Office released an advisory note, “Cyber risks of DPRK IT workers to Australian businesses”, recommending that Australian businesses take additional precautions when hiring a remote worker.

“Identity details and documentation of remote workers should be independently verified … DPRK IT workers impersonate foreign or domestic teleworkers and use fraudulent tactics to bypass employment verification,” according to the advisory.

“They may obtain or create stolen identities matching target organisations’ locations, set up email and social media accounts, and build fake portfolios on platforms like GitHub and LinkedIn. They may also use AI tools such as image generators and voice changers to support these activities.

“Australian businesses should be aware of the potential indicators of remote DPRK IT workers, and continue to assess their remote staff for high-risk behaviour. Consideration should be given to the breadth of access remote workers have to systems – particularly sensitive data, including payroll and personal information.

“Business[es] should consider auditing access logs to determine if remote workers have accessed non-essential to their role. IT security sweeps should be conducted regularly to identify unauthorised new software and malicious code that may have been introduced into products.”

“If you have detected or hold suspicions that a remote worker may be a DPRK IT worker, please contact the Australian Sanctions Office and suspend all future payments until further direction. Further payments may be viewed as sanctions contraventions. The suspected worker should have their remote access limited or removed until their identity is confirmed.”


This article was originally published on Cyber Daily’s sister brand, Defence Connect.
