March 18, 2026
Ghost devs, real cash, HR on blast
North Korea's 100k fake IT workers net $500M a year for Kim
100k ghost coders rake in $500M—commenters roast hiring and argue they’re not even “fake”
TLDR: IBM and Flare say 100,000 North Korean “ghost” IT hires use fake or borrowed identities to earn $500M a year for the regime. Commenters argue they’re not “fake” if they do the work, roast sloppy hiring and weak vetting, and warn promotions could unlock deeper access and bigger breaches.
The web lit up over a new IBM X‑Force/Flare report claiming North Korea runs an army of 100,000 remote “ghost” IT workers, pulling in roughly $500 million a year. But the community’s first fight was over the F-word: “fake.” One camp cries scam; another scoffs, saying these folks are doing real work—just under stolen identities and for a very different boss. “How are they fake if they ship code?” was the vibe, echoed by users who say the real fail is paying big salaries to strangers you barely vet.
Commenters piled on HR and security. Some called it a classic salary arbitrage caper—US paychecks going a long way elsewhere—while others slammed companies for letting remote hires with murky identities touch sensitive systems. The report’s receipts fueled the drama: recruiters posing as a “stealth startup” called “C Digital LLC,” coaching candidates, issuing US identities, and tracking “Bids” and “Msg” on sites like Upwork and LinkedIn. Tools like OConnect/NetKey (a North Korean VPN), IP Messenger, and even Google Translate—the thread’s unexpected MVP—were named as staples.
As mitigation tips rolled in—watch for AI face/voice changers, resumes that don’t match interviews—the jokes wrote themselves. “The killer interview question” teased by The Reg became a meme, and one commenter warned about the bigger picture: promotions mean deeper access, and that’s where the real damage happens. Drama score: high, trust score: low.
Key Points
- IBM X‑Force and Flare Research detail a North Korean scheme placing deceptive IT workers in global companies to earn funds and access data.
- U.S. Government figures cited: ~100,000 workers across ~40 countries generate about $500M annually; individuals can earn over $300,000.
- The operation has defined roles—recruiters, facilitators, IT workers, and collaborators—with recruiters using names like “C Digital LLC” and U.S. identities.
- Workers target platforms such as Upwork, LinkedIn, and Freelancer, track daily “Bids” and “Msg,” and may use verified accounts tied to real people.
- Common tools include Google Translate, OConnect/NetKey VPNs, and IP Messenger; mitigation involves spotting identity discrepancies and deepfake indicators.