North Korean cybercriminals exploit counterfeit remote work positions to breach UK companies.



North Korean hackers use fake WFH jobs to infiltrate UK firms

State-sponsored cybercriminals from North Korea are taking advantage of remote work trends in their latest effort to breach British companies, as per recent insights from cybersecurity organization CrowdStrike.

The collective, referred to in cyber threat discussions as ‘Famous Chollima’, is allegedly employing AI-generated resumes and compromised identities to masquerade as freelance IT workers or remote software engineers. Once integrated within legitimate organizations, these operatives frequently exhibit poor performance—delivering minimal code or output—while receiving full salaries. Some have been reported to submit as few as four lines of code weekly.

The most recent Global Threat Report from CrowdStrike indicates that the group has shifted its focus from the United States following a series of high-profile indictments and is now actively pursuing targets throughout the UK and mainland Europe. The report highlighted more than 300 such occurrences globally during the first half of 2024, with nearly 40 percent involving insider access across various sectors including financial services, healthcare, and technology.

These threat actors are said to be circumventing standard identity verification methods, such as video onboarding and document inspections, using strategies that range from recruiting unsuspecting US citizens to serve as interview substitutes to redirecting company-issued laptops to designated ‘laptop farms’ in the United States. These facilities are utilized to mask the operatives’ actual locations—most commonly North Korea, China, or Russia—through the use of remote proxies.

Once they secure access, they implement browser extensions and remote access software, enabling covert control of systems from abroad without immediate detection.

Adam Meyers, the head of counter-adversary operations at CrowdStrike, cautioned that hiring procedures have become a “security-critical process” because of the actions of these deceptive actors. “Insist on live video onboarding, thoroughly verify identities, and keep an eye on behavioral indicators like chronic under-performance or unusual login patterns,” he recommended.

The UK government has likewise issued a cautionary alert, advising businesses to enhance their scrutiny when evaluating remote applicants. In a recent notice, employers were urged to strengthen internal cybersecurity with behavior-based threat detection systems and multi-layered identity verification strategies.

This issue gained broader public awareness in December 2024 when the US Department of Justice revealed indictments against fourteen North Korean nationals accused of involvement in an extensive fraud scheme. As outlined in the [official filing](https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information), the defendants allegedly employed stolen identities and engaged US-based accomplices to apply for positions on their behalf, collectively generating an estimated $88 million (£69 million) for the Kim regime.

While some positions facilitated the theft of proprietary data or source code, much of the damage was financial: a salary-drawing scheme extracting company funds while yielding little to no productivity in return. In some instances, threats to disclose intellectual property were used post-employment as a means of extortion. According to intelligence reports, the regime even promoted such activities through ‘socialist competition’ initiatives, rewarding operatives who garnered the most resources from foreign entities.

“Many of the attackers are not targeting specific firms,” observes the CrowdStrike report. “They are opportunistic—applying wherever roles are available, irrespective of the industry.”

The increase in attacks highlights the wider cybersecurity difficulties related to the global shift towards remote working setups—and specific vulnerabilities in the freelance gig market. Companies hiring remote developers or engineers, particularly in high-demand sectors, may unintentionally miss warning signs if positions are filled hastily or through third-party services.

Cybersecurity professionals advocate for established protocols for confirming the identity of remote employees, which should include secure access controls, usage monitoring, and video verification for both interviews and onboarding. Employers are also advised to conduct routine audits of device activity and network behavior to detect unexpectedly low productivity or unusual connections to foreign IP addresses.
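The audit described above can be sketched as a triage over endpoint session records. This is an added example, not code from CrowdStrike or the article; the record fields, the tool name, the allowlist and the sample data are all constructed assumptions, and the shared-egress heuristic for spotting a laptop farm is an inference from the article's description rather than a method it states.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per session seen on
# a company-issued laptop. Field names are hypothetical; countries are assumed
# to be resolved upstream by the logging pipeline.
SESSIONS = [
    {"user": "alice", "egress_ip": "198.51.100.7", "hired_country": "GB",
     "remote_tool": None, "controller_country": None},
    {"user": "bob", "egress_ip": "203.0.113.20", "hired_country": "US",
     "remote_tool": "remote-desktop-app", "controller_country": "CN"},
    {"user": "carol", "egress_ip": "203.0.113.20", "hired_country": "US",
     "remote_tool": "remote-desktop-app", "controller_country": "RU"},
    {"user": "dave", "egress_ip": "192.0.2.55", "hired_country": "GB",
     "remote_tool": "remote-desktop-app", "controller_country": "GB"},
    {"user": "erin", "egress_ip": "198.51.100.99", "hired_country": "US",
     "remote_tool": "remote-desktop-app", "controller_country": "KP"},
]
CORPORATE_EGRESS = {"192.0.2.55"}  # office/VPN exits where shared IPs are normal

def shared_egress(sessions, allow=CORPORATE_EGRESS, min_users=2):
    """Non-corporate IPs used by laptops of several different hires."""
    users_by_ip = defaultdict(set)
    for s in sessions:
        if s["egress_ip"] not in allow:
            users_by_ip[s["egress_ip"]].add(s["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def foreign_control(sessions):
    """Users whose laptop is remotely driven from outside the hired country."""
    return sorted({s["user"] for s in sessions
                   if s["remote_tool"] and s["controller_country"] != s["hired_country"]})

def triage(sessions):
    """Map each flagged user to the indicators that fired, for analyst review."""
    farm_users = {u for users in shared_egress(sessions).values() for u in users}
    controlled = set(foreign_control(sessions))
    report = {}
    for user in sorted(farm_users | controlled):
        reasons = []
        if user in farm_users:
            reasons.append("shared_egress_ip")
        if user in controlled:
            reasons.append("remote_control_from_unexpected_country")
        report[user] = reasons
    return report
```

Either indicator alone is a lead for review rather than proof: shared households, co-working spaces and legitimate IT support sessions all produce matches, which is why the corporate allowlist and the hired-country comparison are kept explicit.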

CrowdStrike’s observations coincide with similar warnings from other leading threat intelligence providers, including Mandiant and Recorded Future, regarding North Korea’s increasingly sophisticated cyber operations aimed at Western industries not only for intelligence but also for direct financial exploitation.

