The ultimate insider threat: North Korean IT workers
2025-03-07 • Mandiant
https://cloud.google.com/transform/ultimate-insider-threat-north-korean-it-workers
Google Threat Intelligence Group (GTIG) says North Korean IT workers have expanded beyond salary fraud into extortion, data theft, and operations inside corporate virtual desktops, networks, and servers. The scheme uses fake identities, resumes, profiles, and remote technical roles to place DPRK workers in companies across the U.S., Europe, and Asia. Google observed workers experimenting with AI-generated profile photos, deepfakes in interviews, and writing tools to bypass language barriers. The report recommends tighter hiring, identity and location checks, remote-work controls, and insider-risk monitoring for signs such as mouse-jiggling tools, suspicious shipping addresses, and data exfiltration.