Flare Research found evidence that North Korean IT worker operators are recruiting people from Iran, Syria, Lebanon, Saudi Arabia, and other countries to support remote employment fraud against Western organizations. Internal documents described facilitators applying for large volumes of roles, maintaining fabricated personas, coaching interviewers, and tracking progress through hiring stages at US defense contractors, cryptocurrency firms, telecommunications companies, financial institutions, and other targets. The reporting highlights Iranian developers being guided to interview under fake US personas, with resumes adjusted to match their skills and daily application activity organized by North Korean facilitators. The operation matters because it shows the DPRK IT worker threat extending beyond simple identity fraud into coordinated recruitment pipelines that can reach sensitive employers and potentially expose payroll, systems, and intellectual property.