Security leaders are warning of a shift in cyber risk following reports that DPRK-linked operatives have used LinkedIn to impersonate professionals and gain employment inside target organisations.
Takanori Nishiyama, SVP APAC and Japan Country Manager at Keeper Security, said the activity reflects a more systemic threat rather than a conventional fraud campaign. According to Nishiyama, attackers are combining stolen personal data, AI-generated imagery and deepfake video interviews to construct credible professional identities capable of passing recruitment checks.
Unlike traditional phishing attacks, the tactic targets hiring processes directly. In some reported cases, individuals have allegedly assumed real identities, used legitimate workplace email addresses and built detailed employment histories to secure remote roles. Once embedded, access to corporate systems can create opportunities for data exfiltration, intellectual property theft or the deployment of malicious tools.
Reports have also indicated the use of so-called “laptop farms,” where company-issued devices are routed through intermediaries to maintain the appearance that employees are operating from approved locations. While diverted salaries may provide financial benefit, the longer-term concern centres on sustained internal access to corporate environments.
Nishiyama said the incidents highlight how identity has become a primary attack surface in remote and hybrid workplaces. When attackers are granted legitimate credentials and endpoint access, traditional perimeter-based security controls offer limited protection.
He said organisations should strengthen identity governance across the employee lifecycle, including enhanced identity verification during onboarding, phishing-resistant multi-factor authentication, least-privilege access controls and continuous behavioural monitoring. Tight management and auditing of privileged access were also identified as critical controls.
The activity underscores growing concerns among security professionals that digital identity verification processes are increasingly being targeted by sophisticated threat actors, including those with nation-state backing.
