Unit 42 describes DPRK IT worker operations that use fraudulent remote employment to earn revenue, evade sanctions and create security risk for employers. The workers use stolen, synthetic or forged identities, fake documents, job platforms, VPNs, remote desktop tools and U.S.-based facilitators who operate laptop farms to make overseas work appear domestic. The report cites DOJ information that some workers earn up to $300,000 annually, with North Korea retaining much of the proceeds for WMD programs. It recommends identity verification, IT asset management, contextual analysis of work patterns and shipping addresses, background checks, security awareness and information sharing to spot suspicious remote worker activity.