The sleeper on your payroll.
A "remote IT engineer" in Phoenix is really an operative in Pyongyang, working through a laptop farm a U.S. accomplice keeps running in their spare bedroom. The FBI has tied more than 300 U.S. companies — Fortune 500 names among them — to North Korean workers using stolen identities to fund a weapons program. They survive background checks and video interviews. What they cannot survive is a 30-second re-verify from a real human's own phone, every two weeks.
This isn't a fringe scam. It's a state program, and it's accelerating.
North Korean operatives apply with stolen or borrowed U.S. identities and AI-enhanced photos. A facilitator inside the U.S. receives the company laptop, plugs it into a "laptop farm," and gives the overseas worker remote access — so traffic looks domestic. The wages, often six figures each, are funneled back to the regime. In July 2024, KnowBe4 hired one such "engineer" who had cleared four video interviews and a background check; malware hit the laptop within hours of delivery.
You can't out-interview a state actor. You can make them prove they're a real, local human — repeatedly.
The whole scheme depends on a gap: identity is checked once, at hire, on a screen the operative controls. After that, nobody ever asks the worker to prove — on hardware they personally hold, in the location they claim — that they are still the same human who was hired. The laptop farm exists precisely to fake that one-time check. A recurring, device-bound, geo-aware checkpoint breaks it, because the operative can't put the borrowed U.S. identity's real phone in a real U.S. living room every two weeks.
Run the checkpoint the operative can't pass.
Worker Daniel P. was hired as a remote engineer and "lives" in Phoenix, AZ. The company laptop reports a US IP. Run the every-two-weeks checkpoint from the worker's own phone and compare.
What you're seeing: the laptop's IP can be faked to look domestic. The checkpoint binds to the real human's phone and face — which can't be in Arizona and Asia at once.
A recurring proof-of-human checkpoint. 30 seconds, from the worker's own phone.
    // Scheduled every 14 days per active worker (cron / HRIS hook)
    const r = await manav.checkpoint({
      manav_id: worker.manavId,
      factors: ["passkey", "liveness", "device", "geo"],
      expect_geo: worker.declaredRegion // e.g. "US-AZ"
    });

    if (!r.same_human) flag("identity_mismatch");
    if (r.device_changed) flag("new_device_midstream");
    if (r.geo_distance_km > 300) flag("location_anomaly"); // phone in Liaoning, not Arizona
    if (r.vpn_or_remote_relay) flag("laptop_farm_signature");
The checkpoint is bound to the human's own device passkey and a live facial check, then cross-checked against the phone's coarse location. An operative behind a laptop farm has the company laptop's domestic IP — but not the borrowed identity's actual phone, and not a body standing in Arizona. The first checkpoint they can't pass cleanly is the moment they're caught. For everyone legitimate, it's a half-minute tap they do twice a month.
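How the cross-check described above could be evaluated on the receiving side, as an added example that is not the vendor's code: it computes the distance between the declared location and the phone's coarse location, applies the 300 km threshold from the snippet, and fails closed on a missing record or missing location. The record fields, the coordinates and the "checkpoint_missed" flag are assumptions made for illustration.

```javascript
// Added example. Record fields, coordinates and "checkpoint_missed" are assumptions.
const EARTH_RADIUS_KM = 6371;
const MAX_GEO_DISTANCE_KM = 300;              // same threshold as the page's snippet
const INTERVAL_MS = 14 * 24 * 60 * 60 * 1000; // one checkpoint every 14 days

// Great-circle (haversine) distance in km between two {lat, lon} points.
function haversineKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Flags for one worker from their latest checkpoint record (null if none exists).
function triageCheckpoint(worker, cp, nowMs) {
  if (!cp) return ["checkpoint_missed"];
  const flags = [];
  const doneMs = Date.parse(cp.completedAt);
  // An unparseable or stale timestamp counts as a miss (fail closed).
  if (Number.isNaN(doneMs) || nowMs - doneMs > INTERVAL_MS) flags.push("checkpoint_missed");
  if (cp.sameHuman !== true) flags.push("identity_mismatch");
  if (cp.deviceId !== worker.enrolledDeviceId) flags.push("new_device_midstream");
  // A missing phone location is treated as an anomaly rather than a pass.
  const km = cp.phoneLocation
    ? haversineKm(worker.declaredCentroid, cp.phoneLocation) : Infinity;
  if (km > MAX_GEO_DISTANCE_KM) flags.push("location_anomaly");
  if (cp.relayDetected) flags.push("laptop_farm_signature");
  return flags;
}

// Constructed sample data: a worker declared in Phoenix, AZ and two checkpoint records.
const worker = { enrolledDeviceId: "phone-A", declaredCentroid: { lat: 33.45, lon: -112.07 } };
const nowMs = Date.parse("2025-01-20T00:00:00Z");
const nearby = { completedAt: "2025-01-15T17:00:00Z", sameHuman: true,
  deviceId: "phone-A", phoneLocation: { lat: 32.22, lon: -110.97 }, relayDetected: false };
const remote = { completedAt: "2025-01-15T17:00:00Z", sameHuman: true,
  deviceId: "phone-B", phoneLocation: { lat: 41.80, lon: 123.43 }, relayDetected: true };

console.log(triageCheckpoint(worker, nearby, nowMs)); // phone within 300 km of Phoenix
console.log(triageCheckpoint(worker, remote, nowMs)); // different phone, far away, relayed
console.log(triageCheckpoint(worker, null, nowMs));   // no checkpoint on record
```

A record that is late or lacks a location never passes silently, so a worker who simply stops responding lands in the same security queue as one whose signals disagree.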
The cost of one undetected operative.
A planted operative draws a full salary, gets privileged access, and exposes you to incident response, breach disclosure, and OFAC sanctions exposure for paying a sanctioned entity. The salary is the smallest line.
Where this lives.
Recurring re-attest
A bi-weekly checkpoint fires from your HRIS for every active remote worker. Misses and anomalies route to a security queue, not a paycheck.
Laptop-farm signature
Device + geo + relay signals expose the gap between a domestic laptop IP and a worker who is nowhere near it.
Sanctions evidence
Every checkpoint is a signed, timestamped record that you took reasonable steps to verify you weren't paying a sanctioned entity.
Make the laptop farm useless.