North Korean operatives are quietly working inside U.S. companies through remote technology jobs, funneling millions of dollars back to Pyongyang and potentially gaining access to sensitive corporate systems, according to investigators and U.S. officials, according to NBC News.

The scheme relies on workers posing as American job applicants using stolen identities and fake credentials to secure high-paying remote roles, particularly in software development and artificial intelligence. Authorities warn the tactic allows the regime to bypass international sanctions while embedding operatives inside Western companies.

An investigation by the Virginia-based cybersecurity firm Nisos found that suspected North Korean IT workers apply to thousands of jobs using fabricated résumés and multiple online personas. Once hired, the workers often operate from overseas — frequently from China — while U.S.-based facilitators help maintain the illusion that they are located domestically.

These facilitators run so-called “laptop farms,” where company-issued computers are physically kept in the United States and remotely accessed by workers abroad. Investigators say the workers also coordinate applications, interviews, and references within tightly organized teams to increase their chances of being hired.

NBC News writes that the scheme has expanded rapidly since the rise of remote work during the COVID-19 pandemic, which made it easier for overseas workers to obtain jobs without appearing in person. Authorities say the salaries — sometimes exceeding $300,000 per worker — are largely sent back to the regime of Kim Jong Un, helping fund North Korea’s weapons and ballistic missile programs.

U.S. officials estimate the operation now affects hundreds of companies and generates hundreds of millions of dollars annually for the North Korean government.

Investigators say some operatives hold multiple jobs simultaneously, applying to dozens of roles a day and coordinating through organized networks that track applications and interviews. In some cases, the workers are accused of stealing proprietary data, cryptocurrency, or sensitive technical information while employed. Officials warn that even after the workers are discovered and fired, they may leave behind hidden system access that could later be exploited, raising broader national security concerns.