The fake employee: inside DPRK's IT-worker supply chain
The scariest supply-chain attacker doesn't break in. They get hired. They pass the interview, sign the offer, get a laptop and a real GitHub account — and then every commit they push is, technically, legitimate.
The scale is not a rounding error
Alongside the insider track, the same ecosystem runs an industrial malicious-package operation — 1,700+ poisoned packages across npm, PyPI, Go, Rust, and PHP since 2024 (Socket). The fake recruiter and the fake employee are two ends of the same machine.
Why this breaks the usual playbook
Walk it through your defenses and watch each one shrug:
- Prevention? Passkeys, MFA, branch protection, SHA-pinning: all of it is built to stop an outsider from getting access. This person was granted access, through the front door, with HR's blessing.
- Identity verification? It happened once, at hiring, and it was defeated by an AI-generated résumé, a deepfaked video interview, and a laundered (stolen or borrowed) identity. After onboarding, the account is simply a valid employee. Impossible-travel and session-anomaly tooling sees a normal worker doing normal work, because the sessions originate from a US residential address: a "laptop farm" where a domestic facilitator hosts the company-issued machine and the operator drives it remotely.
- Pipeline scanning? Their commits are real code, often genuinely useful. Their workflow edits are made by a trusted account with legitimate permissions. There's no flaw to flag.
When the insider holds a real badge and a real commit history, every credential is legitimately theirs and every action is permitted. The compromise isn't in who they are — it's in what they eventually do.
So what's actually left to detect?
If you can't reliably catch the identity (it's real) and you can't catch the credential (it's valid), the only thing left is the behavior — the moment a legitimate account does something that lines up into an attack shape, regardless of how clean the account looks:
- mass repository access or cloning well outside the account's normal pattern,
- an unreviewed workflow change that reaches secrets,
- egress from a build to infrastructure no prior job ever contacted,
- a credential the account holds suddenly used from a new context.
Any one of these, from a "trusted" account, is invisible to a tool watching its own domain. Stitched together, they're the kill chain — the same shape whether the hands on the keyboard belong to a hijacked maintainer, a coerced contractor, or a state operative on payroll.
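As an added example (not Sentinel's code, and not part of the original post), here is the stitching step in miniature: four single-domain detectors, each of which on its own only produces a low-priority signal, and a correlator that raises one incident when a single account trips two or more distinct stages inside a window. The event schema, per-account baselines, thresholds and the log events themselves are constructed for illustration; the hosts use RFC 5737 test addresses.

```python
"""Cross-domain correlation of the four kill-chain signals listed above.

Added example, not the vendor's code. Event fields, baselines, thresholds
and the events themselves are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # "audit" (identity / repo), "ci" (pipeline), "net" (egress)
    actor: str    # account the action is attributed to
    kind: str     # "repo.clone", "workflow.change", "egress", "token.use"
    detail: dict = field(default_factory=dict)


@dataclass
class Hit:            # one detector firing on one account
    actor: str
    ts: datetime
    stage: str
    evidence: str


@dataclass
class Incident:       # several stages from one account inside one window
    actor: str
    stages: set
    first: datetime
    last: datetime


# Constructed per-account baselines (assumed to be learned from prior history).
BASELINE = {
    "jdoe":   {"clones_per_hour": 2, "egress_hosts": {"github.com", "registry.npmjs.org"},
               "token_contexts": {"ci-runner-01"}},
    "asmith": {"clones_per_hour": 2, "egress_hosts": {"github.com", "registry.npmjs.org"},
               "token_contexts": {"ci-runner-01"}},
}
DEFAULT_BASELINE = {"clones_per_hour": 1, "egress_hosts": set(), "token_contexts": set()}


def baseline(actor):
    return BASELINE.get(actor, DEFAULT_BASELINE)


def detect_mass_clone(events, window=timedelta(hours=1), factor=5):
    """Stage 1: clone volume far above the account's own hourly baseline."""
    hits, seen = [], set()
    clones = sorted((e for e in events if e.kind == "repo.clone"), key=lambda e: e.ts)
    for i, e in enumerate(clones):
        if e.actor in seen:
            continue
        n = sum(1 for c in clones[: i + 1] if c.actor == e.actor and c.ts >= e.ts - window)
        if n >= factor * baseline(e.actor)["clones_per_hour"]:
            hits.append(Hit(e.actor, e.ts, "mass_clone", f"{n} clones within {window}"))
            seen.add(e.actor)
    return hits


def detect_unreviewed_workflow(events):
    """Stage 2: a workflow definition merged with zero approvals that reads secrets."""
    hits = []
    for e in events:
        d = e.detail
        if (e.kind == "workflow.change" and d.get("path", "").startswith(".github/workflows/")
                and d.get("approvals", 0) == 0 and "secrets." in d.get("diff", "")):
            hits.append(Hit(e.actor, e.ts, "unreviewed_workflow_secrets", d["path"]))
    return hits


def detect_novel_egress(events):
    """Stage 3: a build contacts a host no prior job of this account has reached."""
    return [Hit(e.actor, e.ts, "novel_egress", e.detail["host"]) for e in events
            if e.kind == "egress" and e.detail.get("host") not in baseline(e.actor)["egress_hosts"]]


def detect_new_token_context(events):
    """Stage 4: a credential the account holds is used from an unseen context."""
    return [Hit(e.actor, e.ts, "new_token_context", e.detail["context"]) for e in events
            if e.kind == "token.use" and e.detail.get("context") not in baseline(e.actor)["token_contexts"]]


DETECTORS = (detect_mass_clone, detect_unreviewed_workflow, detect_novel_egress, detect_new_token_context)


def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Stitch per-domain hits into incidents keyed on the account, not the credential."""
    by_actor = defaultdict(list)
    for det in DETECTORS:
        for h in det(events):
            by_actor[h.actor].append(h)
    incidents = []
    for actor, hits in by_actor.items():
        hits.sort(key=lambda h: h.ts)
        for i, h in enumerate(hits):
            chain = [x for x in hits[i:] if x.ts <= h.ts + window]
            stages = {x.stage for x in chain}
            if len(stages) >= min_stages:
                incidents.append(Incident(actor, stages, chain[0].ts, chain[-1].ts))
                break   # one incident per account per window is enough to page on
    return incidents


# Constructed timeline: jdoe walks the whole chain, asmith does a normal morning.
T = datetime(2026, 3, 2, 9, 0)
EVENTS = [Event(T + timedelta(minutes=2 * i), "audit", "jdoe", "repo.clone", {"repo": f"org/svc-{i}"})
          for i in range(12)]
EVENTS += [
    Event(T + timedelta(minutes=65), "audit", "jdoe", "workflow.change",
          {"path": ".github/workflows/release.yml", "approvals": 0,
           "diff": "+      env:\n+        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}"}),
    Event(T + timedelta(minutes=90), "net", "jdoe", "egress", {"host": "203.0.113.7", "job": "release"}),
    Event(T + timedelta(minutes=91), "audit", "jdoe", "token.use", {"context": "cli@203.0.113.7"}),
    Event(T + timedelta(minutes=10), "audit", "asmith", "repo.clone", {"repo": "org/svc-1"}),
    Event(T + timedelta(minutes=40), "net", "asmith", "egress", {"host": "registry.npmjs.org", "job": "build"}),
    Event(T + timedelta(minutes=41), "audit", "asmith", "token.use", {"context": "ci-runner-01"}),
]

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc.actor}: {sorted(inc.stages)} between {inc.first:%H:%M} and {inc.last:%H:%M}")
```

The point the code makes is in `correlate`: none of the four detectors knows anything about the others' domains, and each can stay tuned loosely enough that a lone hit is just a signal, because the paging decision is made on how many distinct stages one account accumulates, not on whether its credentials are valid. Note what it does not do: it never asks who jdoe really is, which is exactly the caveat in the next paragraph.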
An honest caveat: this is the hardest case in the field. Cross-domain correlation doesn't magically unmask a fraudulent hire — but it does catch the action even when the identity is clean, which is the part prevention and identity checks structurally can't.
Watch the behavior, not just the badge
Sentinel correlates identity, pipeline, and egress signals into one incident — so a valid account doing the kill-chain dance gets caught on its behavior, not on whether its credentials check out. Because increasingly, they will.
Become a design partner →
Sources
CrowdStrike 2025 Threat Hunting Report (320+ companies, +220% YoY) · Mandiant/Google (Fortune 500 hiring) · Chainalysis & FBI IC3 (2025 crypto theft, Bybit) · Socket (1,700+ malicious packages). Figures best-available as of mid-2026; see our full data brief for sourcing and caveats.