Okta says North Korean ‘IT worker’ scam is targeting healthcare, finance and AI hiring

Identity services provider Okta said in a research report that nearly half of the companies targeted by a prolonged scheme involving fraudulent remote job applicants fall outside the IT sector, with attackers increasingly applying for roles in finance, healthcare, public administration and professional services.

Okta Threat Intelligence said it tracked more than 130 identities operated by facilitators and workers and linked those identities to over 6,500 initial job interviews across more than 5,000 companies from 2021 through mid-2025. The company said it assesses identities as DPRK-aligned using a combination of technical indicators, behavioral patterns and first-hand employer reporting, and that it was “deliberately withholding some details” of its methodology to avoid tipping off the threat actors.

The report said the tracked identities likely represent only a small sample of total activity and cited warnings from law enforcement and security firms. The article noted a related advisory from the FBI and said that private security firms, including Mandiant, have raised alarms. Mandiant Consulting CTO Charles Carmakal is quoted as saying that “almost every CISO of a Fortune 500 company” he has spoken to has a North Korean IT worker problem.

Okta reported that while the bulk of interviews (73 percent) targeted U.S. firms, about 27 percent were outside the United States. Big technology companies remain the highest-volume targets, but since mid-2023 the firm recorded a marked increase in interviews at companies focused on artificial intelligence, noting some 50 AI-related interviews so far this year and warning that exposure of intellectual property, model-training data and proprietary algorithms makes the sector attractive to state-linked actors.

The researchers said they “surprisingly” observed a sustained number of DPRK-linked job interviews in healthcare and medical-technology companies, including about 85 interviews this year focused on mobile application development, customer service systems and electronic record-keeping platforms. The report warned these areas can provide potential access to sensitive personally identifiable information, clinical workflows and health data infrastructure, which aligns with broader trends of ransomware and extortion targeting hospitals and healthcare facilities.

Okta also said fraudsters are interviewing for financial-sector roles in banks, insurers, fintech and cryptocurrency firms and that targeted roles have expanded beyond software development to include back-office and financial processing functions such as payroll and accounting. The company said the primary objective of the scam remains financial gain via payroll abuse, but some schemes have led to data theft, extortion attempts and ransomware-related activity.