
North Korean hackers are infiltrating companies by day—and quietly funding missiles by night. Their cover? Remote jobs at Fortune 500s and crypto startups. But while their tech is top-tier, they have a weakness. The trick to outing them, apparently, is asking one surprisingly blunt question: “How fat is Kim Jong Un?”
So how fat is he?
We’ve asked around at ZME Science and, apparently, we’re free from North Korean interference. Many companies aren’t so fortunate. If you feel this is a real risk, you should try it.
The question isn’t meant to be funny — it’s strategic. North Korean IT workers abroad risk severe punishment if they’re ever caught criticizing their leader, even in private. As a result, asking them to say anything negative about Kim Jong Un is a minefield.
According to cybersecurity experts, that question alone has caused multiple suspected North Korean operatives to terminate job interviews instantly. It’s crude but it’s working. “They terminate the call instantly, because it’s not worth it to say something negative about that,” said Adam Meyers, senior vice president of Counter Adversary Operations at CrowdStrike, during a recent panel at the RSA Conference, according to a report from The Register.
Startup founders have caught on. Harrison Leggio, CEO of the crypto firm g8keep, told Fortune he ends every interview with that exact challenge. “The first time I ever did it, the person started freaking out and cursing,” Leggio said. The applicant then blocked him on all social media. This is where it gets even weirder: the more Leggio did it, the more people responded the same way. He estimates that 95% of the résumés he gets are from North Koreans pretending to be U.S.-based developers. “Say something negative about Kim Jong Un” has become his line in the sand.
Real jobs, real fraud
This isn’t just about fake résumés or finding the odd North Korean here and there. It’s not about North Koreans trying to find honest jobs, either. This is a large-scale, coordinated attack that North Koreans are using to fund their military. The U.S. Treasury, State Department, and FBI estimate North Korea’s IT worker scam has raked in $250 million to $600 million annually since 2018. That money flows directly into Kim Jong Un’s weapons programs — funding everything from cyberattacks to ballistic missiles.
CrowdStrike tracks the group behind these operations as “Famous Chollima,” and the group is expanding. In 2024 alone, they were linked to 304 cyber incidents, and experts warn that AI is only supercharging their strategy.
The playbook is simple. Use generative AI to build convincing LinkedIn profiles, deploy teams to tag-team technical interviews, and rely on American-based “laptop farms” to spoof their physical location. Once hired, they perform well — sometimes exceptionally well — because there’s often a whole team behind the screen.
The deception doesn’t stop at fake names. According to The Register, some job candidates request laptops be shipped to alternate addresses — citing family emergencies — only for the devices to end up at U.S.-based “farms” where accomplices help maintain the illusion of a domestic worker.
And once they are embedded, the consequences can be severe. By then they will already have collected login details and planted unactivated malware, and they will then attempt to extort the maximum they can from the victim, warned FBI Special Agent Elizabeth Pelker.
It’s probably even bigger than we think
Sometimes, the deception is more elaborate. Aidan Raney, founder of Farnsworth Intelligence, posed as a helpful American to investigate the fraud. He ended up video chatting with a group of North Koreans — all going by “Ben.” The Bens offered to create a fake LinkedIn profile, coach him through interviews using remote desktop software, and even modify his headshot, Raney told Fortune.
He landed a real job offer, worth $80,000 a year, with a private government contractor. He had to back out and alert the company, because every part of his candidacy had been fake, crafted by operatives working on behalf of the regime.
The scheme is no longer confined to U.S. shores. Google researchers say North Korean operatives are now targeting British and European companies, including defense firms and AI developers.
One North Korean was found operating under 12 different personas across Europe, mostly looking for jobs with government contractors and defense companies. Many use job platforms like Upwork or Freelancer, with facilitators on the ground helping them manage the ruse — from hosting laptops to funneling crypto payments. They’ll sometimes be planted in Russia, and use Russia to launder money too. This money is sometimes used to invest in weapons and missiles, like the ones used by Russia to invade Ukraine.
The most basic defense is also the most effective: verify identities. Use real-time video interviews. Check IP geolocation. Compare IDs to live selfies. And yes, maybe try that Kim Jong Un question. But that can only be a temporary fix.