North Korean IT Worker Took Six-Figure U.S. Tech Job Until a VPN Blunder Unmasked Him
A North Korean operative who spent months working remotely for an American software company has been unmasked after a routine security check caught him routing his supposed California connection through a Chinese data center, federal investigators revealed Tuesday.
The case, unsealed in a Washington state court, offers a rare window into Pyongyang’s evolving cyber-crime playbook: place skilled programmers inside Western firms, siphon off wages that breach United Nations sanctions, and, when the opportunity arises, steal corporate secrets or plant malware.
Prosecutors say the 34-year-old defendant, using the alias “Jake Davis,” earned more than £250,000 during his ten-month tenure while never setting foot outside North Korea. He now faces charges of conspiracy to commit wire fraud, money laundering and violating the International Emergency Economic Powers Act. If convicted, he could spend up to 20 years in a U.S. prison.
From Pyongyang to Palo Alto: How the Scheme Worked
According to the indictment, North Korea’s Reconnaissance General Bureau—the military-intelligence arm behind the 2014 Sony Pictures hack—hand-picked the defendant for his fluent English and software architecture skills. The plan was straightforward: pose as a freelance developer, win contracts with Western start-ups hungry for affordable talent, and route the proceeds back to Pyongyang through a web of shell companies and cryptocurrency wallets.
To clear background checks, the operative purchased the identity of a Japanese-American graduate from the dark web, then hired photo editors in China to forge a U.S. passport, driver’s licence and even LinkedIn head-shots. A MacBook and iPhone were shipped to a forwarding address in Shenyang, just across the North Korean border, so geolocation pings would appear to originate from California whenever the device connected to the employer’s VPN.
The ruse worked for months. “Jake” passed coding interviews, received glowing performance reviews and was promoted twice, ultimately leading a team building cloud-storage micro-services. Colleagues described him as quiet but technically brilliant, always quick to volunteer for weekend bug fixes. In reality, he was working 16-hour shifts inside a cramped government office in Pyongyang, investigators say.
The Single Click That Blew the Cover
The break came when the company upgraded its network monitoring tools. A new security engineer noticed that Jake’s workstation routinely authenticated from an IP address registered to a data center in Liaoning, China, even though he claimed to live in Los Angeles. The engineer flagged the anomaly for further review.
During a routine video call, Jake blamed “travel” and promised to reconnect from L.A. the next day. Instead, he attempted to spoof his location using a residential proxy service. The switch-over failed: for 47 seconds his real North Korean IP leaked through, long enough for the company’s software to log the discrepancy. Within hours, the firm cut off his credentials and alerted the FBI.
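Added example (not part of the original article, and not code from the company in the case): a minimal VPN-log audit of the kind described above. It flags logins whose source country differs from the employee's declared location, logins from hosting networks, and country changes within minutes. The log lines, the `jdavis` and `mlee` accounts, the declared-location table and the IP-to-country table are all constructed, with documentation address ranges standing in for a real GeoIP/ASN feed.

```python
import ipaddress
from datetime import datetime

# Constructed stand-in for a GeoIP/ASN feed (documentation ranges only).
GEO = {
    "192.0.2.0/24": ("US", "residential"),
    "198.51.100.0/24": ("CN", "hosting"),
    "203.0.113.0/24": ("KP", "unknown"),
}
DECLARED = {"jdavis": "US", "mlee": "US"}  # constructed HR data: declared work country
# Constructed VPN authentication log: UTC timestamp, account, source IP.
LOG = """\
2024-03-04T09:00:12Z jdavis 198.51.100.23
2024-03-04T09:01:40Z mlee 192.0.2.77
2024-03-05T09:02:05Z jdavis 198.51.100.23
2024-03-06T08:59:30Z jdavis 192.0.2.140
2024-03-06T09:00:11Z jdavis 203.0.113.9
2024-03-06T09:00:58Z jdavis 192.0.2.140
"""

def enrich(ip):
    # Map an IP to (country, network_type); unknown addresses get ("??", "unknown").
    addr = ipaddress.ip_address(ip)
    for cidr, info in GEO.items():
        if addr in ipaddress.ip_network(cidr):
            return info
    return ("??", "unknown")

def audit(log_text, window_s=300):
    """Return (timestamp, account, ip, country, reasons) for suspicious logins."""
    findings, last = [], {}  # last: account -> (time, country) of previous login
    for line in log_text.splitlines():
        ts_raw, user, ip = line.split()
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        country, net_type = enrich(ip)
        reasons = []
        if country != DECLARED.get(user):
            reasons.append("country_mismatch")
        if net_type == "hosting":
            reasons.append("hosting_network")
        prev = last.get(user)
        if prev and prev[1] != country and (ts - prev[0]).total_seconds() <= window_s:
            reasons.append("rapid_country_change")
        last[user] = (ts, country)
        if reasons:
            findings.append((ts_raw, user, ip, country, reasons))
    return findings

if __name__ == "__main__":
    print(*audit(LOG), sep="\n")
```

The final US login is flagged even though it matches the declared country, because it arrives 47 seconds after a login from a different country; a per-event country check alone would miss that the "clean" session and the leaked one belong to the same user.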
Agents traced the payments to a Hong Kong front company, then to a cryptocurrency exchange that had served previous North Korean money-laundering operations. A sealed indictment followed, and last month the operative was arrested when he tried to cash out Bitcoin at an ATM in Vladivostok, Russia. He is now awaiting extradition.
Why Fake IT Jobs Are North Korea’s New Gold Mine
Western sanctions have choked off most of Pyongyang’s legitimate exports, but they cannot easily block human labour sold online. The U.S. Treasury estimates that North Korea earns between £500 million and £1.2 billion annually from overseas IT work, a figure that has doubled since 2020.
Unlike ransomware or bank heists, fake employment carries low risk and high reward. A single developer can bill £100,000 a year while living on a state salary of barely £1,200. Multiply that by the thousands of technicians the regime trains each year, and the revenue quickly rivals coal exports, formerly the country’s biggest cash cow.
Security analysts warn the threat goes beyond stolen wages. Once inside a corporate network, these operatives can:
- Inject back doors into software builds that later ship to customers.
- Harvest credentials for resale on criminal forums.
- Exfiltrate source code to accelerate North Korea’s own weapons programmes.
- Pose as insiders for future phishing campaigns against supply-chain partners.
Microsoft’s Digital Defense Report, released last week, found that 43% of all malware downloads now arrive inside booby-trapped Office documents—many of them planted by contractors who already have privileged access.
Red Flags Employers Should Watch For
Federal agents say the Jake Davis case is not an outlier; hundreds of similar profiles operate on major freelancing platforms. To avoid becoming the next victim, companies hiring remote developers should:
- Insist on a live video interview with government-issued ID verification.
- Use time-zone tracking tools that correlate keyboard activity with claimed location.
- Route new hires through a probationary sandbox environment with no access to customer data.
- Audit VPN logs weekly for sudden geographic
