
Title Story: The Enemy on the Payroll. The next spy operation may not break into your company—it may get hired by HR.

Cybersecurity Tip of the Week: In the age of remote work and AI deception, the most dangerous insider may be the employee nobody thinks to question. Here’s how to spot the scam.

AI Trend Of the Week: Taylor Swift’s deepfake scandal showed the world something terrifying: AI can now destroy reputations faster than truth can catch up. The Take It Down Act seeks to change that.

Appearance of the Week: I joined The New CISO Podcast to explain why ransomware, AI-driven attacks, and modern cybercrime now operate with the precision of real intelligence agencies.

Title Story

The Enemy on the Payroll

North Korea has been placing ghost employees inside American companies for years. The Justice Department is just now catching up.

The hiring manager had been searching for three months. Good engineers were scarce, the team was underwater, and the backlog wasn't getting any shorter. Then "Anthony" surfaced. He had a polished résumé, sharp technical answers, and references that checked out. It felt like the drought was finally over.

The interview went well. Anthony was calm under pressure, quick with answers, fluent in the company's stack. He even cracked a joke about surviving another day of Zoom meetings. Within three weeks, he had credentials. Within five, unusual traffic was moving through the network in the middle of the night. Within two months, sensitive source code had been quietly copied, archived, and moved offshore.

Then came the part no one could process: Anthony did not exist.

His résumé was built from stolen identities. His LinkedIn profile was synthetic. His references were fake. The interview had almost certainly been coached in real time by a support team overseas, scrubbing the audio, smoothing the accent. The laptop he'd been shipped was routed through multiple proxy locations to hide its true origin.

Anthony, it turned out, was a North Korean IT worker—and American companies have been falling for the same script for years.

The "Laptop Farm" Assembly Line

The scheme sounds like a Cold War thriller. The mechanics are disturbingly mundane.

In April 2026, the Justice Department sentenced two New Jersey residents, Kejia Wang and Zhenxing Wang, for running a multi-year "laptop farm" operation that placed North Korean IT workers inside more than 100 U.S. companies, including Fortune 500 firms. The scheme compromised the stolen identities of at least 80 American citizens and generated more than $5 million for the government of North Korea. Victim companies were left with at least $3 million in legal fees and remediation costs. Kejia Wang received nine years in federal prison. Zhenxing Wang received just over seven.

The mechanics were simple. Employers would ship laptops to what they believed were the home addresses of their new remote hires. Those laptops were connected to remote-access hardware, placing the actual keyboard in China or North Korea while the screen showed a New Jersey return address. The "employee" never existed. But the access was entirely real.

Three weeks later, in May 2026, the DOJ sentenced two more Americans—Matthew Knoot of Nashville and Erick Ntekereze Prince of New York—for related schemes that impacted nearly 70 additional companies and generated more than $1.2 million for Pyongyang. These were the seventh and eighth sentences secured in just five months under the same federal initiative.

The sentences keep coming. They will keep coming for a while.

A National Security Problem Wearing an HR Badge

What makes this campaign so effective is that it requires no hacking in any traditional sense. Not a single line of code. The adversary applies for a job, passes the interview, and walks in through the front door with a badge.

The financial scale is significant. According to a joint FBI, Treasury, and State Department advisory, individual North Korean IT workers have been known to earn up to $300,000 annually, and the scheme as a whole brings in hundreds of millions of dollars per year for the North Korean Ministry of Defense and Pyongyang's weapons programs.

The data exfiltration is worse. In the Kejia Wang case, prosecutors revealed that at least one overseas IT worker had used his fraudulent employment to access International Traffic in Arms Regulations (ITAR)-controlled technical data from a California defense contractor developing AI-powered military equipment. The company had no idea its new "remote engineer" was doing anything other than writing code.

Remote Work Handed Adversaries a Master Key

When the pandemic dissolved the physical office, companies adapted fast. But speed leaves fingerprints. Temporary remote-access permissions became permanent. Background check processes designed for in-person environments were retrofitted, awkwardly, for video calls. The old assumption that a hired employee was a physically verified human being quietly became obsolete.

AI has since made impersonation cheaper and faster. A convincing résumé now takes seconds to generate. Deepfake technology can project a plausible American professional over a webcam. Voice tools can neutralize an accent or feed coached answers into an earpiece during a live interview. Entire synthetic identities, including work history, GitHub repositories, and professional references, can be manufactured faster than a recruiter can complete a background check.

Deception at AI speed.

What Hanssen Taught Me

I went undercover to expose Robert Hanssen, the FBI agent who spied for the Soviet Union and Russia for more than two decades from inside the bureau. That experience left me with one lesson I have never been able to shake: the most dangerous insider is rarely the most suspicious one. Hanssen survived because the institution trusted him too much, for too long, and never turned its scrutiny inward. He looked like a dedicated, if difficult, colleague. He was methodical, competent, and invisible in plain sight.

The North Korean IT worker scheme runs on the same psychology. The threat doesn't announce itself. It gets hired, credentialed, and left alone, because questioning a trusted colleague feels paranoid, and in most organizations, paranoia is a performance problem, not a security posture.

The Reckoning

The Justice Department's prosecutions are only the tip of a mountainous iceberg of problems affecting thousands of companies globally. The FBI has warned that the tactics are evolving: stolen identities are rotated more frequently, proxy infrastructure is improving, and interview-coaching support networks are growing more sophisticated. Eight defendants from the Kejia Wang case remain fugitives, currently subject to a $5 million State Department reward offer.

Meanwhile, other bad guys are watching and learning. Ransomware operators now recruit corporate insiders through Telegram. Nation-state actors study corporate hiring pipelines the same way signals intelligence agencies once studied communication networks.

One compromised insider account can serve as the initial access point for a ransomware attack that shuts down operations for weeks. One trusted engineer can quietly exfiltrate intellectual property for months. One fake contractor can map an organization's internal architecture in preparation for an attack that arrives long after they've moved on.

The most effective infiltrations are the ones nobody notices until the damage is already done.

Companies have spent the past decade building elaborate external defenses that are largely designed to stop an adversary trying to break through the wall. Cyber criminals and spies now simply walk around it.

The Justice Department's DPRK RevGen: Domestic Enabler Initiative is ongoing. Companies that believe they may have employed fraudulent remote IT workers are advised to contact the FBI.

Cybersecurity Tip of the Week

How to Spot the Enemy on Your Payroll

Anthony passed every check. Polished résumé. Strong references. Clean background report. He interviewed well, onboarded without incident, and never gave anyone a reason to look twice.

That is exactly how it is supposed to work — from the adversary's perspective.

As the title story makes clear, the modern insider threat rarely telegraphs itself. The North Korean IT workers now infiltrating American companies show up on time for Slack standups, complete their tickets, and wait. The threat is designed to be invisible for as long as possible. But invisibility is not the same as traceless. There are signals—if you know where to look.

The camera is always broken. Consistent excuses for staying off video or refusing in-person meetings are among the clearest indicators of identity deception. A legitimate remote employee has little reason to avoid being seen. Someone running a fabricated persona has every reason.

The login times do not match the biography. Late-night activity when the employee claims to be in a U.S. time zone, impossible travel patterns between sessions, or traffic routed through foreign proxies are operational fingerprints that network monitoring can surface. The Nashville laptop farm uncovered in federal court showed a North Korean worker operating from China while appearing, to every system log, to be sitting in Tennessee.

The access requests come too fast. Legitimate new hires learn the environment before pushing its edges. Someone on a mission escalates quickly. Unusual privilege requests or questions about infrastructure well outside the stated job scope — especially in the first 90 days — are worth scrutinizing.

The technical performance is inconsistent. Fraudulent workers operating through a live support team tend to perform unevenly: strong in scripted settings, weak when conversations go off-script. If someone aces interviews but struggles with spontaneous problem-solving, that inconsistency is data.

The payroll details keep moving. Frequent changes to direct deposit information or requests to route payments through third-party platforms are financial red flags that HR and finance should treat as security issues, not administrative nuisances.

The access never got turned off. Contractors and short-term workers who retain credentials long after their engagement ended are one of the most persistent failures in corporate security. Every active unreviewed account is an open door.
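The login, access and payroll signals above can be written down as detection rules and run over the records HR and IT already hold. The script below is an added example, not code from the newsletter or from any vendor product; the users, time zones, dates and session records are all constructed, and the thresholds (logins before 05:00 local, country changes less than six hours apart, contractor logins more than 14 days past the end date, two or more bank changes in 90 days) are assumptions you would tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real case). "anthony" is a remote hire
# who claims a US Eastern time zone; "maria" is an ordinary employee; "old_vendor"
# is a contractor whose engagement ended in January but whose account still works.
CLAIMED_UTC_OFFSET = {"anthony": -5, "maria": -6}          # hours, as stated in HR records
CONTRACT_END = {"old_vendor": "2026-01-15"}
PAYROLL_CHANGES = {"anthony": ["2026-02-01", "2026-02-20", "2026-03-01"], "maria": ["2026-01-10"]}
SESSIONS = [  # (user, login time in UTC, geolocated country, source is a known proxy/VPN)
    ("anthony", "2026-03-02T07:10:00", "US", False),     # 02:10 local for a -5 offset
    ("anthony", "2026-03-02T09:40:00", "CN", True),      # different country 2.5 h later
    ("anthony", "2026-03-03T08:05:00", "US", False),
    ("maria", "2026-03-02T14:00:00", "US", False),       # 08:00 local
    ("maria", "2026-03-03T14:30:00", "US", False),
    ("old_vendor", "2026-03-04T15:00:00", "US", False),  # seven weeks after contract end
]
NOW = datetime(2026, 3, 5, tzinfo=timezone.utc)

def utc(ts):
    """Parse an ISO date or timestamp string as an aware UTC datetime."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def flag_users(sessions, offsets, contract_end, payroll, now):
    """Return {user: sorted list of triggered signals} for the heuristics in the tip."""
    findings = defaultdict(set)
    by_user = defaultdict(list)
    for user, ts, country, proxy in sessions:
        by_user[user].append((utc(ts), country, proxy))
    for user, rows in by_user.items():
        rows.sort()
        local = timezone(timedelta(hours=offsets.get(user, 0)))
        for i, (t, country, proxy) in enumerate(rows):
            if t.astimezone(local).hour < 5:            # 00:00-04:59 where they say they live
                findings[user].add("off_hours")
            if proxy:                                   # traffic routed through a known proxy
                findings[user].add("foreign_proxy")
            prev_t, prev_country, _ = rows[i - 1] if i else (None, None, None)
            if prev_t and country != prev_country and t - prev_t < timedelta(hours=6):
                findings[user].add("impossible_travel")  # two countries, no time to travel
        end = contract_end.get(user)
        if end and rows[-1][0] > utc(end) + timedelta(days=14):
            findings[user].add("stale_access")          # credentials outlived the engagement
    for user, dates in payroll.items():
        if sum(now - utc(d) <= timedelta(days=90) for d in dates) >= 2:
            findings[user].add("payroll_churn")         # direct deposit keeps moving
    return {user: sorted(signals) for user, signals in findings.items()}

def audit():
    return flag_users(SESSIONS, CLAIMED_UTC_OFFSET, CONTRACT_END, PAYROLL_CHANGES, NOW)

if __name__ == "__main__":
    for user, signals in audit().items():
        print(f"{user}: {', '.join(signals)}")
```

Any one signal has innocent explanations (a real night owl, a real VPN); the value is in a single user tripping several at once within the first weeks of employment.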

The old cybersecurity model was built around perimeter defense: keep the intruder out. What the federal cases in this issue make plain is that the wall has already been bypassed. The intruder applied for the job. The intruder passed the interview. The intruder may already have a company email address and a spot on the org chart.

The question is no longer just who is trying to get in. It is who is already inside — and whether anyone is paying close enough attention to notice.

Think Like a Spy Hunter

The world has changed. Cybercriminals, foreign intelligence services, scammers, and AI-powered fraudsters are no longer targeting only governments and Fortune 500 companies. They are targeting all of us.

That is why I wrote SPIES, LIES, AND CYBERCRIME.

The book pulls readers inside the real world of espionage, cybercrime, betrayal, surveillance, and modern digital warfare using lessons I learned hunting spies for the FBI and protecting organizations under attack.

If you want to better understand how deception works, how cybercriminals manipulate trust, and how to think more clearly in a world filled with digital lies, start here:

If you already own a copy, thank you. Leaving a review on Amazon or Goodreads genuinely helps more people discover the book.

🎤 Want to bring these lessons to your company or conference? I’m currently booking speaking events for 2026.

💻 If you want practical training on spotting cyber threats in everyday life, you can also take my LinkedIn Learning course.

Want more? My new hub, PROTECT, is now live at ericoneill.net/protect and it’s built for anyone who wants to stop cybercriminal scammers cold. And it’s FREE!

AI Trend of the Week

In January 2024, millions saw naked pictures of Taylor Swift.

Swift on the Eras Tour.

The explicit and pornographic AI-generated images of the singer spread across social media so quickly that platforms struggled to contain them.

The pictures were fake, but once they escaped into the bloodstream of the internet, that distinction barely mattered. Fans rushed to report the posts while news outlets amplified the controversy and politicians demanded action. Meanwhile, the machinery of online humiliation continued doing what it does best: moving faster than the truth.

No deepfaked pictures here. This is a family-friendly newsletter!

For years, deepfakes occupied a strange corner of the internet, somewhere between prank and novelty. Fake movie scenes. Viral impersonations. Political memes. But artificial intelligence evolved at astonishing speed. Today, anyone with a smartphone, an internet connection, and a grudge can manufacture convincing synthetic pornography in minutes.

That shift has created a new kind of weapon.

The recently enacted Take It Down Act attempts to confront this reality by criminalizing the publication of non-consensual intimate imagery, including AI-generated deepfakes designed to harass, exploit, blackmail, or destroy reputations. The law also pressures online platforms to remove such material quickly once victims report it.

Federal prosecutors wasted little time testing the new law. On May 20, 2026, the Department of Justice announced the first arrests under the Take It Down Act after two individuals were accused of publishing AI-generated deepfake pornography online, marking the government’s first major attempt to use the law against people allegedly weaponizing synthetic media to harass and exploit victims.

At its core, the legislation recognizes something society is only beginning to understand: in the age of artificial intelligence, fake evidence can inflict real damage.

The human brain is wired to trust what it sees. Even after victims prove an image is fabricated, suspicion lingers. Employers still wonder. Friends still gossip. Search engines still preserve the content. By the time the truth arrives, the damage has already settled into memory.

Cybercriminals understand this instinctively. They know humiliation scales beautifully online, and they know artificial intelligence can automate it.

What makes malicious deepfakes especially dangerous is how effortlessly they distort reality itself. In my book Spies, Lies, and Cybercrime, I take my readers on a tour of the most malicious deepfakes, including teenagers who used AI to create fake nude images of classmates, criminals who use synthetic media in sextortion schemes, and foreign actors who deployed deepfakes against political candidates, executives, or government officials. Trust is now an uncommon commodity.

The Take It Down Act will not eliminate deepfake abuse. Anonymous accounts will continue appearing, and overseas actors will remain difficult to prosecute. But the law marks an important turning point because governments are finally acknowledging that AI-driven deception is no longer theoretical. It’s here to stay and can destroy a reputation with the speed of an AI prompt.

Appearance of the Week

Last week, I joined Steve Moore on The New CISO Podcast for a conversation that started with ransomware but quickly turned into something much bigger: espionage, organized cybercrime, artificial intelligence, and the terrifying reality that the dark web now operates like one of the largest economies on earth. We talked about my time undercover helping catch FBI spy Robert Hanssen, why today’s cybercriminals behave more like intelligence agencies than hackers, and how groups like Scattered Spider can compromise billion-dollar companies faster than most organizations can schedule a security meeting. Check out the interview below.

Please support my sponsors. It only takes a click - no purchase necessary!

The Biggest Art Auction Month of 2026 Opens This Week. Why 71,105 Investors Are Watching Closely.

Sotheby's and Christie's open their New York spring sales this month. High auction house estimates have $45 million for a Basquiat. $70 million for a Rothko. $100 million on a Pollock at Christie's.

This is coming off the heels of a US art market that grew 23% in Q1 2026 over the same period last year. Sotheby’s ended 2025 with 17% year-over-year growth. Their CEO called last year's bidder demand "the highest we have ever experienced."

The people filling those auction rooms are billionaires, family offices, institutional collectors -- they've held blue-chip art through various market cycles.

71,000+ investors are now in the same market through Masterworks. Former Sotheby's and Christie's specialists on the acquisition committee. 29 exits to-date and $68M in distributions back, including amount invested, from their 525+ works offered. Net annualized returns like 16.5%, 17.6%, and 17.8%, not including those unsold.

Investing involves risk. Past performance is not indicative of future returns. See important disclosures at masterworks.com/cd.

Like What You're Reading?

Don’t miss a newsletter! Subscribe to Spies, Lies & Cybercrime for our top espionage, cybercrime and security stories delivered right to your inbox. Always weekly, never intrusive, totally secure.

Until next time, Praemonitus Praemunitus!

~ Eric
