Microsoft and the DOJ disrupt the massive North Korean employment scam
- Marijan Hassan - Tech Journalist
- Jul 8
Microsoft has announced the suspension of 3,000 Outlook and Hotmail accounts believed to have been created by North Korean IT workers using false identities. The action is part of a broader campaign by both private companies and the U.S. government to disrupt a long-running scheme that has funneled millions of dollars to the sanctioned regime.

In a blog post published last week, Microsoft detailed years of covert monitoring of North Korea’s cyber-enabled employment fraud, warning that the operation has recently evolved. The company now says North Korean operatives are leveraging artificial intelligence to create more convincing fake resumes, enhance photos, and even alter voices – all aimed at helping them secure remote IT jobs at Western companies.
“They’ve adopted AI tools like Faceswap to place their images onto stolen identity documents and doctor photos to make their profiles appear more professional,” Microsoft said.
The North Korean operatives are also reportedly exploring the use of voice-changing software to mimic American accents during interviews. Microsoft warned this development could soon eliminate the need for intermediaries – often U.S.-based co-conspirators – who have traditionally stood in during interviews or rented out access to verified accounts.
Justice Department indictments and FBI raids
Microsoft’s revelations came as the U.S. Department of Justice unsealed three indictments charging several North Korean nationals and at least two American citizens for their roles in the scheme. The DOJ said one of the indicted Americans is an active-duty U.S. military service member with a security clearance.
Additionally, federal authorities carried out coordinated raids across 16 states, seizing 137 laptops and shutting down 29 so-called “laptop farms”: setups in which U.S. residents house company-issued laptops and install software enabling remote access from North Korea.
The FBI said the scheme involved more than 100 U.S.-based companies, many of which were unaware they had hired North Koreans using stolen or fake identities.
In one case, the workers faked their way into an Atlanta-based blockchain research company where they stole about $740,000 worth of cryptocurrency.
In another case, they infiltrated a California defense contractor developing AI-powered military technology and accessed sensitive employer data and source code, including material governed by the International Traffic in Arms Regulations (ITAR).
“This is not just a financial fraud. It’s a national security threat,” said John Eisenberg, assistant attorney general for the DOJ’s National Security Division. “The goal is to steal from U.S. companies, evade sanctions, and fund the North Korean regime’s illicit weapons programs.”
Formidable opponents
Despite the crackdown, Microsoft warned the scheme is far from over. “We are witnessing a rapid evolution in tactics, especially with the integration of AI,” the company said, urging organizations to strengthen hiring protocols and identity verification systems.
The FBI echoed that warning, advising U.S. citizens to be cautious about offers to host laptops or accounts and encouraging employers to report suspicious applications.
“This is a sophisticated, well-resourced operation,” said FBI Assistant Director Brett Leatherman. “And it’s not going away quietly.”













