DPRK IT Worker Fraud: Detection Signals From Real Hiring Pipelines
Threat Intelligence
North Korean operatives are placing remote workers inside US and EU technology companies using fake identities. We document the laptop farm pattern, the payroll indicators, and the hiring-stage signals that have caught real cases.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 10, 2024 · 8 min read
In 2022, the FBI, the State Department and Treasury jointly published an advisory confirming what threat intelligence teams had been tracking for years: North Korea systematically places IT workers inside Western tech companies using fake identities, then routes the salary back to Pyongyang. The scheme is estimated to generate on the order of 300 million dollars a year. Two years on, the pattern has matured and the detection signals have sharpened. We share what works at the hiring stage and what works after hire.
The placement model
The typical scheme uses a stolen or borrowed US identity, a US-based laptop farm operator, and an overseas operative doing the actual work. The laptop is shipped to the laptop farm in the US, where the operator keeps it powered on and connected. The overseas worker connects via remote access tools, often AnyDesk or a custom RDP setup. The salary lands in a US bank account controlled by the operator and gets routed through cryptocurrency rails to North Korea.
Hiring-stage signals
The most cost-effective detection happens before hire. Our recruiting clients adopted these signals after the 2022 advisory, and they have caught real cases:
- Video interview anomalies: the candidate's camera, lighting and audio do not match the work environment their resume implies. Watch for virtual or staged backgrounds and room audio that does not match the visible space.
- Time zone inconsistencies: a candidate claiming to be in California is consistently available at 2 AM Pacific. Available hours align with East Asia time zones.
- AI-assisted interview behaviour: pauses before answering technical questions while the candidate appears to read off-screen. Eye gaze patterns suggest they are reading content rather than answering from memory.
- Identity document inconsistencies: the address on ID does not match the address on the resume, the photo appears edited, or the document is a recent reissue with no history.
- Reference patterns: references unreachable by phone, or all references answer from the same VoIP provider.
Post-hire infrastructure signals
If a placement passes the hiring stage, infrastructure signals can catch it within the first weeks of employment.
- The laptop ships to one address and the employee's address on file changes to a different US state within 30 days of receipt
- IP geolocation of the work laptop is consistently in a small set of US states known for laptop farm operations: New York, North Carolina, Florida, California
- Remote desktop tools installed on the corporate laptop: AnyDesk, TeamViewer, Splashtop, Chrome Remote Desktop are common, but custom scripts that establish reverse tunnels are the strongest indicator
- VPN egress to a single Astrill or NordVPN node that handles all the worker's traffic
- Endpoint and network telemetry show activity clustered in East Asian working hours (UTC+8 to UTC+9), with idle gaps where the claimed US working day should be
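The two signals that are cheapest to automate are the hour-of-day pattern (the same check covers the interview-availability signal above and commit timestamps) and the VPN and remote-tool inventory. The script below is an added example for this article, not code from the author or from any vendor: the SSO login lines, the provider and tool lists, the thresholds and the field names are constructed or assumed, and DST is deliberately ignored by taking the claimed location as a whole-hour UTC offset.

```python
"""Post-hire telemetry checks for a suspected fraudulent remote placement.

Added example, not the article's or any vendor's code. Log lines, provider
list, tool list and thresholds are constructed or assumed for illustration.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Assumed signal lists: VPN providers matched against the ASN owner string,
# and remote-access tools matched by product name.
VPN_ORGS = {"astrill", "nordvpn"}
REMOTE_TOOLS = {"anydesk", "teamviewer", "splashtop", "chrome remote desktop"}
WORK_START, WORK_END = 9, 18      # local business hours, [start, end)
VPN_SHARE_THRESHOLD = 0.8         # share of sessions via a single VPN provider
LOCAL_HOURS_THRESHOLD = 0.5       # share of sessions inside claimed local hours

# Constructed SSO login export (JSON lines) for a worker whose HR record says
# New York (UTC-4 in April; DST is ignored, the signal is coarse anyway).
SUSPECT_LOG = """
{"ts": "2024-04-08T00:40:12Z", "src_ip": "203.0.113.7",   "asn_org": "Astrill VPN"}
{"ts": "2024-04-08T01:15:03Z", "src_ip": "203.0.113.7",   "asn_org": "Astrill VPN"}
{"ts": "2024-04-08T02:05:44Z", "src_ip": "203.0.113.9",   "asn_org": "Astrill VPN"}
{"ts": "2024-04-09T03:30:19Z", "src_ip": "203.0.113.9",   "asn_org": "Astrill VPN"}
{"ts": "2024-04-09T04:10:58Z", "src_ip": "198.51.100.23", "asn_org": "Example Cable ISP"}
{"ts": "2024-04-09T05:45:02Z", "src_ip": "203.0.113.7",   "asn_org": "Astrill VPN"}
{"ts": "2024-04-10T06:20:37Z", "src_ip": "203.0.113.12",  "asn_org": "Astrill VPN"}
{"ts": "2024-04-10T07:05:11Z", "src_ip": "203.0.113.12",  "asn_org": "Astrill VPN"}
{"ts": "2024-04-10T08:30:49Z", "src_ip": "203.0.113.7",   "asn_org": "Astrill VPN"}
"""

# Constructed baseline: a genuine New York worker, for contrast.
BASELINE_LOG = """
{"ts": "2024-04-08T13:05:00Z", "src_ip": "198.51.100.40", "asn_org": "Example Cable ISP"}
{"ts": "2024-04-08T17:30:00Z", "src_ip": "198.51.100.40", "asn_org": "Example Cable ISP"}
{"ts": "2024-04-09T20:15:00Z", "src_ip": "198.51.100.40", "asn_org": "Example Cable ISP"}
"""


def parse_events(log):
    """Parse JSON-lines login records into dicts with an aware UTC datetime."""
    events = []
    for line in log.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src_ip": rec["src_ip"], "asn_org": rec["asn_org"]})
    return events


def local_hours_fraction(events, utc_offset_hours):
    """Share of sessions that fall inside business hours at the given UTC offset."""
    hits = sum(1 for e in events
               if WORK_START <= (e["ts"].hour + utc_offset_hours) % 24 < WORK_END)
    return hits / len(events)


def best_fit_utc_offset(events):
    """Whole-hour UTC offset that puts the most sessions inside business hours."""
    return max(range(-12, 15), key=lambda off: local_hours_fraction(events, off))


def vpn_concentration(events):
    """(share, org) for the VPN provider carrying the largest share of sessions."""
    counts = Counter(e["asn_org"] for e in events
                     if any(v in e["asn_org"].lower() for v in VPN_ORGS))
    if not counts:
        return 0.0, None
    org, n = counts.most_common(1)[0]
    return n / len(events), org


def remote_tools_present(installed_software):
    """Installed product names that match the remote-access tool list."""
    return {s for s in installed_software if s.lower() in REMOTE_TOOLS}


def assess(events, installed_software, claimed_offset_hours):
    """Return the list of triggered signals for one worker (empty if none)."""
    signals = []
    local = local_hours_fraction(events, claimed_offset_hours)
    if local < LOCAL_HOURS_THRESHOLD:
        best = best_fit_utc_offset(events)
        signals.append(f"{local:.0%} of sessions in business hours at claimed "
                       f"UTC{claimed_offset_hours:+d}; best fit is UTC{best:+d}")
    share, org = vpn_concentration(events)
    if share >= VPN_SHARE_THRESHOLD:
        signals.append(f"{share:.0%} of sessions egress via {org}")
    tools = remote_tools_present(installed_software)
    if tools:
        signals.append("remote access tool(s) on corporate laptop: " + ", ".join(sorted(tools)))
    return signals


if __name__ == "__main__":
    for label, log, software in [("suspect", SUSPECT_LOG, ["Slack", "AnyDesk", "VS Code"]),
                                 ("baseline", BASELINE_LOG, ["Slack", "VS Code"])]:
        print(label, assess(parse_events(log), software, -4))
```

The best-fit offset is the useful output for the analyst: a worker whose sessions fit UTC+9 far better than the UTC-4 they claim is worth a look even when every other signal is quiet. Feed it git commit author timestamps instead of login events and the same function reproduces the commit-time offset check.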
Laptop farms: what they look like
Laptop farms cluster physically. Publicized FBI searches have hit residential addresses in Arizona, Florida, and North Carolina. Inside, investigators found racks of company-issued laptops, each connected to power and a KVM, with a single broadband connection serving the whole farm. The farm operator's job is keeping the laptops online, accepting deliveries, and forwarding direct deposits. SentinelOne and Mandiant have published photos. The setup is industrial.
Payroll patterns
Payroll is where the scheme intersects financial fraud detection. We have advised payroll teams to flag patterns that, individually, look harmless but together raise the prior:
- Multiple W-9 contractors at unrelated employers depositing to the same bank account (same routing and account number; a shared routing number on its own only means the same bank)
- Direct deposit account changes within the first 90 days of employment, especially to small online-only banks
- Salary that exits the US bank within 72 hours of every payroll deposit
- Cryptocurrency exchange deposits matching net payroll amounts to the dollar
No single signal proves DPRK placement. Three signals together raise the prior enough to justify a discreet investigation.
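The "three signals together" rule is easy to operationalise once the four patterns are expressed as functions over payroll and ledger records. The code below is an added example for this article, not the author's or any payroll vendor's: the HR records, the ledger, the routing numbers (placeholders, not valid ABA numbers), the online-bank and exchange classifications and the thresholds are all constructed or assumed.

```python
"""Payroll-side signals for suspected DPRK placements, scored per worker.

Added example, not the article's or any vendor's code. All records below are
constructed; routing numbers are placeholders, not valid ABA numbers.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

ONLINE_ONLY_BANKS = {"example online bank"}          # assumed classification
CRYPTO_EXCHANGES = {"example crypto exchange"}       # assumed classification
EARLY_CHANGE_DAYS = 90          # account change this soon after hire is a signal
EXIT_WINDOW = timedelta(hours=72)
EXIT_SHARE = 0.9                # outflow/deposit within the window to count as "exited"
SIGNALS_TO_INVESTIGATE = 3      # the article's threshold for a discreet investigation

# Constructed HR/payroll records from three employers. accounts lists the
# deposit accounts on file in order: (effective date, routing, account, bank).
WORKERS = [
    {"worker_id": "W1", "employer": "Acme Fintech", "hired": date(2024, 1, 15),
     "accounts": [(date(2024, 1, 15), "999999991", "55001111", "Example Regional Bank"),
                  (date(2024, 2, 20), "999999992", "88001234", "Example Online Bank")]},
    {"worker_id": "W2", "employer": "Globex Systems", "hired": date(2023, 11, 6),
     "accounts": [(date(2023, 11, 6), "999999992", "88001234", "Example Online Bank")]},
    {"worker_id": "W3", "employer": "Initech", "hired": date(2024, 2, 1),
     "accounts": [(date(2024, 2, 1), "999999993", "12340000", "Example Regional Bank")]},
]

# Constructed bank ledger per worker: (timestamp, kind, amount in cents, counterparty).
LEDGER = {
    "W1": [
        (datetime(2024, 3, 1, 9, 0), "payroll_deposit", 420000, "Acme Fintech"),
        (datetime(2024, 3, 2, 14, 30), "transfer_out", 420000, "Example Crypto Exchange"),
        (datetime(2024, 3, 15, 9, 0), "payroll_deposit", 420000, "Acme Fintech"),
        (datetime(2024, 3, 16, 11, 0), "transfer_out", 420000, "Example Crypto Exchange"),
        (datetime(2024, 3, 29, 9, 0), "payroll_deposit", 420000, "Acme Fintech"),
        (datetime(2024, 3, 30, 8, 0), "transfer_out", 420000, "Example Crypto Exchange"),
        (datetime(2024, 3, 30, 10, 0), "transfer_out", 4500, "Example Coffee Co"),
    ],
    "W3": [
        (datetime(2024, 3, 1, 9, 0), "payroll_deposit", 510000, "Initech"),
        (datetime(2024, 3, 5, 12, 0), "transfer_out", 180000, "Example Landlord LLC"),
    ],
}


def shared_accounts(workers):
    """(routing, account) -> employers, for accounts on file at more than one employer."""
    seen = defaultdict(set)
    for w in workers:
        for _, routing, acct, _ in w["accounts"]:
            seen[(routing, acct)].add(w["employer"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def early_account_change(worker):
    """First deposit-account change within EARLY_CHANGE_DAYS of hire, else None."""
    for eff, _, _, bank in worker["accounts"][1:]:
        if (eff - worker["hired"]).days <= EARLY_CHANGE_DAYS:
            return eff, bank
    return None


def rapid_exits(ledger):
    """(deposit timestamps that left within EXIT_WINDOW, total deposit count)."""
    deposits = [t for t in ledger if t[1] == "payroll_deposit"]
    flagged = []
    for ts, _, amt, _ in deposits:
        out = sum(a for t2, kind, a, _ in ledger
                  if kind == "transfer_out" and ts <= t2 <= ts + EXIT_WINDOW)
        if out >= EXIT_SHARE * amt:
            flagged.append(ts)
    return flagged, len(deposits)


def crypto_matches(ledger):
    """Deposits later mirrored to an exchange by a transfer of exactly the same amount."""
    outs = [(t2, a) for t2, kind, a, cp in ledger
            if kind == "transfer_out" and cp.lower() in CRYPTO_EXCHANGES]
    return [ts for ts, kind, amt, _ in ledger
            if kind == "payroll_deposit" and any(t2 >= ts and a == amt for t2, a in outs)]


def assess(worker, ledger, shared):
    """Return the triggered payroll signals for one worker (empty list if none)."""
    signals = []
    _, routing, acct, _ = worker["accounts"][-1]
    if (routing, acct) in shared:
        others = sorted(shared[(routing, acct)] - {worker["employer"]})
        signals.append(f"deposit account also on file at {', '.join(others)}")
    change = early_account_change(worker)
    if change:
        eff, bank = change
        note = " (online-only bank)" if bank.lower() in ONLINE_ONLY_BANKS else ""
        signals.append(f"deposit account changed {(eff - worker['hired']).days} days after hire{note}")
    exits, n = rapid_exits(ledger)
    if n and len(exits) == n:
        signals.append(f"every payroll deposit ({n}) left the account within 72 hours")
    matches = crypto_matches(ledger)
    if matches:
        signals.append(f"{len(matches)} deposit(s) mirrored to a crypto exchange to the cent")
    return signals


def should_investigate(signals):
    return len(signals) >= SIGNALS_TO_INVESTIGATE


if __name__ == "__main__":
    shared = shared_accounts(WORKERS)
    for w in WORKERS:
        s = assess(w, LEDGER.get(w["worker_id"], []), shared)
        print(w["worker_id"], "investigate" if should_investigate(s) else "ok", s)
```

Amounts are kept in integer cents so the "to the dollar" match is an exact comparison rather than a float tolerance. Note that the shared-account signal only works with a view across employers (a payroll provider or a bank); a single employer's payroll team can still run the other three.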
What real cases look like
We worked one case in 2023 where a Series B fintech hired a remote senior engineer who passed background checks and Coderbyte assessments. The first signal: the engineer's GitHub commit times had a perfect 12-hour offset from their claimed US East Coast location. The second signal: a laptop network connection from a residential IP in North Carolina, but every login session originated from an Astrill VPN node. The third signal: 100 percent of net salary moved to a cryptocurrency exchange within 48 hours of each payday. The investigation closed the placement within three weeks. The employee never showed up to a video meeting after the first week despite being on the payroll for four months.
What does not work
We have seen teams over-rely on background check services. The DPRK operators use real US identities, often obtained through identity theft, so the background check comes back clean because the identity is real. Background checks are necessary but not sufficient. Likewise, video interviews are spoofable with current generative AI: deepfake quality is now good enough to fool a 30-minute interview if the operator is well-rehearsed. The compensating control is repeated video contact: a deepfake holds up in one interview but breaks down across five video meetings over two weeks. Asking the candidate to turn their head, stand up, or pass a hand in front of their face on camera also stresses a real-time face swap in a way a rehearsed answer does not.
Reporting and remediation
If you confirm a DPRK placement, the FBI's IC3 portal is the right reporting path. Treasury's OFAC sanctions enforcement also takes reports. Do not confront the employee directly: the placement involves overseas operators and sometimes US-based facilitators, and a confrontation tips off the wider network. Disable access through standard offboarding paths and let federal investigators trace the rest of the network. Preserve the laptop, a disk image, and the access and VPN logs rather than wiping the device on return; investigators will want them.
The placement campaign is not slowing down. The pay is too good for the regime to abandon. Expect to see this signal pattern across remote-first companies for the foreseeable future. Build the detection stack into your hiring workflow now, before the placement is already inside your AWS account.