How We Identified Fake North Korean IT Workers Using Identity Matching
2025-04-03 • SpyCloud
https://spycloud.com/blog/how-we-identified-fake-north-korean-it-workers/
SpyCloud used infostealer malware logs and identity matching to investigate fraudulent DPRK remote IT worker activity, estimating that roughly 10% of Fortune 500 companies have interacted with or potentially hired such workers. The schemes involve North Korean-linked individuals using fraudulent identities to obtain remote software engineering and IT roles at U.S. organizations; the wages are presumed to flow to the regime, and the FBI has warned of follow-on data-theft extortion. Researchers pivoted from VPN and IP data, including Astrill VPN use near the China-North Korea border, into job-platform activity, credentials reused across personas, remote management accounts, persona-building tools, and OSINT on GitHub, LinkedIn, and shared resumes. The findings matter because the compromised worker devices exposed evidence of applications, hires, and copied resumes, showing how hiring fraud grants business access through normal HR workflows rather than through traditional network intrusion.
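The pivot described above, linking several job-platform personas back to one operator through artifacts they reuse, is essentially identity-graph clustering over stealer-log records. The following is an added example written for this summary; it is not SpyCloud's code, and the records, persona names, hosts, IPs and the pivot weights are all constructed for illustration. It links personas whenever the artifacts they share score above a threshold, so that a shared password or device host name links strongly while a shared egress IP alone (which could be a VPN exit node used by unrelated people) does not.

```python
"""Cluster remote-worker personas by reused infostealer-log artifacts.

Added example, not SpyCloud's code. SAMPLE_RECORDS is fabricated: the field
set mirrors what a stealer log typically exposes (login URL, plaintext
credential, victim host name, egress IP), but no value here is real.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample data. Three personas share a device and/or credential;
# tanaka_k only shares an egress IP with two of them (e.g. a VPN exit node).
SAMPLE_RECORDS = [
    {"persona": "jdoe_dev", "url": "https://jobs.example.test/login",
     "password": "Winter2024!", "host": "DESKTOP-Q1", "ip": "203.0.113.7"},
    {"persona": "m.smith", "url": "https://freelance.example.test/",
     "password": "Winter2024!", "host": "DESKTOP-Q1", "ip": "198.51.100.3"},
    {"persona": "rlee.eng", "url": "https://rmm.example.test/console",
     "password": "Autumn2023#", "host": "DESKTOP-Q1", "ip": "198.51.100.3"},
    {"persona": "tanaka_k", "url": "https://git.example.test/session",
     "password": "correct-horse", "host": "WS-77", "ip": "198.51.100.3"},
]

# Assumed weights (illustrative, not from the article). Login URL is not a
# pivot at all: unrelated applicants log into the same job platforms.
PIVOT_WEIGHTS = {"password": 3, "host": 2, "ip": 1}
MIN_LINK_SCORE = 2  # one shared IP (score 1) is not enough to merge personas


class UnionFind:
    """Minimal disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def shared_artifacts(records):
    """Map each persona pair to the (field, value) artifacts both appear with."""
    index = defaultdict(set)  # (field, value) -> personas seen with it
    for rec in records:
        for field in PIVOT_WEIGHTS:
            if rec.get(field):
                index[(field, rec[field])].add(rec["persona"])
    evidence = defaultdict(list)
    for (field, value), personas in index.items():
        for a, b in combinations(sorted(personas), 2):
            evidence[(a, b)].append((field, value))
    return dict(evidence)


def link_score(artifacts):
    """Sum the weights of the artifacts a persona pair shares."""
    return sum(PIVOT_WEIGHTS[field] for field, _ in artifacts)


def link_personas(records, min_score=MIN_LINK_SCORE):
    """Return (clusters, evidence).

    clusters: frozensets of personas attributed to one operator, largest first.
    evidence: every pair with any shared artifact, linked or not, so an analyst
              can review weak pivots that fell below the threshold.
    """
    uf = UnionFind()
    for rec in records:
        uf.find(rec["persona"])  # register singletons too
    evidence = shared_artifacts(records)
    for (a, b), artifacts in evidence.items():
        if link_score(artifacts) >= min_score:
            uf.union(a, b)
    groups = defaultdict(set)
    for persona in list(uf.parent):
        groups[uf.find(persona)].add(persona)
    clusters = sorted((frozenset(g) for g in groups.values()),
                      key=lambda s: (-len(s), sorted(s)))
    return clusters, evidence


if __name__ == "__main__":
    clusters, evidence = link_personas(SAMPLE_RECORDS)
    for cluster in clusters:
        print("cluster:", sorted(cluster))
    for pair, artifacts in sorted(evidence.items()):
        print(pair, "score", link_score(artifacts), artifacts)
```

Run as a script, it prints one three-persona cluster plus tanaka_k on its own, and lists the IP-only pairs with their score of 1 so the analyst can see why they were not merged. In a real investigation the weights would be tuned to the data (a host name like DESKTOP-Q1 is far less unique than a long password), and a shared VPN exit IP, of the kind the article mentions, should be treated as a lead to corroborate rather than a link on its own.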