Insider Risk Management & Data Protection

    When remote workers aren’t who they seem to be 

    The rise of state-sponsored insider threats and the key to prevention 

    by Beth Miller

    Key Points

    • State-sponsored insider threats are rising: North Korean operatives use AI-enhanced deepfakes and stolen identities to infiltrate companies, posing as legitimate remote workers. 
    • Traditional defenses fall short: These actors exploit gaps in perimeter protections and identity controls, operating undetected using standard tools and workflows. 
    • Visibility is key to prevention: Effective insider threat strategies focus on real-time monitoring, behavioral analysis, and adaptive defenses to uncover malicious activities early. 

    Imagine this: A promising IT specialist named John lands a remote job at a leading software company. His LinkedIn profile is flawless, his resume impeccable. However, what his hiring manager doesn’t know is that John isn’t real — he’s a persona created by a North Korean operative using AI-enhanced deepfakes. Within weeks, “John” is siphoning sensitive data while remaining undetected. 

    These stories have become increasingly common. But what hiring managers don’t see is the machinery behind the scenes: deepfake video tools, stolen U.S. identities, and a laptop “farm” across the country where devices are powered on and operated by proxy. 

    It’s a new spin on an old story, but this is the current face of insider risk: a real and ongoing campaign backed by a nation-state adversary. Cyber operatives from North Korea are using fake personas to land IT roles at legitimate companies. Once inside, they siphon sensitive data and divert income to fund the regime’s weapons programs, bypassing conventional defenses designed for yesterday’s threats.  

     The scheme has been growing since at least 2022. According to a recent advisory released by the FBI, the threat actors are increasing their malicious activity to include data extortion. Previous alerts have noted that a single operative can earn up to $300,000 per year, contributing to a pipeline of tens of millions of dollars flowing to sanctioned entities. This month, the U.S. Department of Justice seized $7.74 million in cryptocurrency traced to North Korean IT workers who used fake identities to secure remote jobs and funnel money. 

    In May, a Politico investigation revealed that North Korean operatives continue to land remote tech roles at U.S. companies using AI-enhanced deepfakes and impersonation tactics. Behind every compromised laptop is a company caught off guard, often unaware it’s become an unwitting partner in international espionage. These operatives don’t just threaten your data. They challenge the very assumptions we make about who can be trusted inside the walls of our networks. 

    Why this threat demands attention now  

    North Korean operatives exploit the trust and speed built into modern remote work practices. They sail through onboarding with falsified documents and often request corporate devices be shipped to U.S. addresses, where a small group of accomplices maintains dozens of machines — each one logged into your systems, downloading your data, and bypassing identity verification checks. 

    Once embedded, these insiders behave like advanced persistent threats (APTs). They use standard tools like VPNs, file-sharing apps, and automation scripts to conduct their activities in plain sight. Traditional perimeter defenses, and even identity controls, are unlikely to stop them. And because they often operate under the guise of legitimate contractors or employees, many organizations fail to detect the threat until it is too late. 

    The technology that enables this scam will only improve over time, so the problem will not disappear anytime soon and will only become harder to address. The consequences of failing to detect insider threats go far beyond economic loss. It’s about protecting your reputation, your clients, and your ability to innovate in a competitive market. For CISOs, the challenge is clear: Do you have the visibility to detect subtle file exfiltration? Are your controls catching anomalies in real time? And most critically, are your insider risk strategies built for adversaries who are this determined and this good at blending in? 

    Reframing insider risk for a state-sponsored reality 

    Security leaders have long understood insider threats as a human risk problem: disgruntlement, carelessness, or occasional sabotage. But North Korean operatives posing as employees flip that model on its head. To thwart this level of threat, the question is not just who has access to sensitive data. It’s how that access is used, what’s being moved, and whether the activity makes sense in the broader behavioral context. 

    Mimecast’s insider risk and data protection capabilities, including those offered through Incydr, are designed to answer these questions. Unlike legacy DLP or narrow endpoint tools, they focus on how data is handled in real-world workflows through agents, giving security teams the ability to: 

    Track file exfiltration with context. Detect not just large data movements, but subtle, low-volume transfers of rarely accessed, high-value files—such as code snippets, legal documents, or sensitive PDFs—that often escape traditional filters. 

    Restrict and monitor unauthorized tools. Spot and block the use of remote access programs, automation scripts, and VPNs that can signal persistent access by threat actors working behind the scenes. 

    Correlate identity and behavior. Integrate with UEBA and identity platforms to surface inconsistencies like simultaneous logins from different geographies or accounts that escalate privileges without cause. 

    Apply threat intelligence where it counts. Incorporate known tactics from OSINT and threat research—such as the use of VoIP numbers, unusual device behaviors, or persistent access via multiple profiles—to proactively fine-tune detection. 
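    One of the identity-and-behavior inconsistencies listed above, an account signed in from two different geographies at nearly the same time, can be surfaced from ordinary sign-in logs. The following is an added illustration, not Mimecast or Incydr code; the log format, the field names and the one-hour window are assumptions, and the log lines are constructed for the example.

```python
# Added example (not Mimecast/Incydr code): flag accounts that are signed in
# from two different countries within a short window, the kind of
# identity/behavior inconsistency a laptop-farm proxy setup can produce.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: timestamp, action, user, source country, session.
SAMPLE_LOG = """\
2024-06-03T13:02:11Z login user=jdoe country=US session=a1
2024-06-03T13:05:40Z login user=jdoe country=KR session=a2
2024-06-03T13:09:02Z login user=asmith country=US session=b1
2024-06-03T15:30:00Z login user=asmith country=DE session=b2
2024-06-03T13:20:00Z login user=jdoe country=US session=a3
"""


def parse_events(text):
    """Parse 'ts login key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "login":
            continue  # ignore non-login records
        fields = dict(p.split("=", 1) for p in parts[2:])
        fields["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def concurrent_geo_logins(events, window=timedelta(hours=1)):
    """Return {user: [(earlier_country, later_country), ...]} for every pair of
    logins by the same user from different countries within `window`."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        for i, cur in enumerate(evs):
            for prev in evs[:i]:  # compare against every earlier login
                close = cur["ts"] - prev["ts"] <= window
                if close and cur["country"] != prev["country"]:
                    findings.setdefault(user, []).append(
                        (prev["country"], cur["country"]))
    return findings


if __name__ == "__main__":
    for user, pairs in concurrent_geo_logins(parse_events(SAMPLE_LOG)).items():
        print(f"review {user}: concurrent logins from {pairs}")
```

    A finding here is a prompt for analyst review, not proof of compromise: legitimate VPN egress changes also produce country flips, so the window and the country source should be tuned to the organization’s own sign-in telemetry.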

    By combining agent insights with data-centric analysis, these tools help security teams move from reactive cleanup to preemptive disruption. That shift is critical when your adversary is patient, coordinated, and often hiding in plain sight. 

    To effectively mitigate insider threats without unnecessary alarm, CISOs should focus on practical, proactive measures that balance security and employee trust with the right technology.

    Key best practices include: 

    Verify identities and monitor access: Ensure thorough identity checks during hiring, and closely monitor data access at onboarding and at other high-risk inflection points during the employee lifecycle. 

    Enhance visibility: Use monitoring tools to track file movements and detect unusual user behavior, with a focus on high-risk users like contractors or fully remote employees. 

    Protect sensitive data: Encrypt critical data and restrict the use of unauthorized tools. 

    Educate employees: Provide ongoing, just-in-time training to prevent accidental data leaks and encourage reporting of suspicious activity. 

    Regularly review security policies: Conduct periodic risk assessments, update protocols, and limit access to sensitive information. 

    Prepare for incidents: Establish clear response plans and document all investigations to ensure quick and effective action when risks arise. 

    By adopting these practices, organizations can address insider threats effectively while fostering a security-aware culture that prioritizes collaboration and trust. 

    Staying ahead of the threat of malicious insiders 

    As this threat continues to evolve, organizations must move beyond static, perimeter-based models of defense. Insider threats are dynamic, and combating them requires dynamic solutions. A mindset shift is essential — from prevention-only to visibility-first. You cannot stop what you cannot see. 

    See how Mimecast Incydr can uncover and stop insider threats before they cause irreparable damage. Explore it in action or get in touch for a demo. 
