Nisos research details how stolen identities, AI assisted interview cheating, and a small ring of paid American helpers turned remote hiring into an industrial scale pipeline for landing North Korean operatives inside U.S. companies.
A 22-person cell linked to North Korea submitted more than 166,000 fake job applications to American companies between December 2024 and September 2025, according to research released June 16, 2026 by Nisos, a Virginia-based firm that sells "human risk management" services to corporate security teams. At least 76 of those applications turned into job offers. The hires, scattered across technology, consulting, healthcare, and financial services, were not the endpoint of the operation. They were the entry point.
The investigation began with a job application. A suspected North Korean operative applied to Nisos itself for a remote "AI architect" role, a senior engineering position focused on artificial intelligence systems. The application raised enough flags to start a probe that grew into a sustained look at how the cell worked. Nisos sells the kind of insider-risk software meant to catch a new hire who turns out to be the actual attacker, so the company has a direct commercial stake in how this threat is framed, a fact the company itself acknowledges by positioning the report as research.
What the probe found, by Nisos's count, was an industrial-scale résumé factory. Operatives built personas on stolen or fabricated U.S. identities, then ran them through AI-assisted interview tools: software that listens to a recruiter's question and feeds an answer to the candidate in real time, often in the right accent. They assembled references, prepared for technical screens with deepfake video where needed, and walked into job pipelines as ordinary remote candidates.
The U.S.-based facilitator layer is what made the operation land. A small number of Americans, in exchange for a cut of each placed operative's salary, received and forwarded company laptops, hosted equipment, and provided domestic infrastructure that made each "remote hire" look like a normal distributed employee. The facilitator is the human router that turns a foreign résumé into an American employee of record.
By the numbers Nisos reported: 166,893 applications tied to the cell, more than 21,645 interviews, and 76 confirmed offers, concentrated in technology companies (42.6% of organizations that extended offers) and spread across consulting, healthcare, and financial services. These are Nisos's own tallies, drawn from a single vendor's investigation. The company coordinated with law enforcement but did not name agencies, indictments, or arrests in the release.
What Nisos's report contributes is a count of how well the receiving end has worked. If a 22-person cell can land 76 job offers at American firms in roughly ten months, the gap is not in catching this particular network. The gap is in catching any network running the same playbook at scale right now.
The practical question for a hiring or security team this quarter is narrower. Did the company, in the last 18 months, extend a remote IT offer to someone it never met in person, on equipment it did not control, supervised by a manager who only ever saw the candidate on a webcam? If yes, the relevant controls are identity verification beyond documents, proctored technical assessments, anomaly detection on application clusters that share infrastructure, and supervised onboarding for any remote role with production or sensitive-data access. The 76 confirmed offers are documented. The interview-stage contacts are not. The pipeline, not the network, is what needs to be re-engineered.