North Korea has turned your hiring pipeline into a revenue machine. And most organizations have no idea.
Evan Gordenker, Director of AI Security and DPRK Operations at Unit 42, has led more than 160 investigations into sophisticated threat actors, including the North Korean IT worker networks quietly embedded inside global companies. He joins David Moulton to unpack how this operation actually works, why common assumptions about remote work leave organizations exposed, and what security and HR teams can do to detect and disrupt it.
You’ll learn:
How DPRK operatives use deepfakes, fabricated identities, and real accomplice networks to pass interviews and land jobs at global companies
Why "we don’t hire remote" is a dangerous assumption that no longer holds
What signals HR and SOC teams should look for, before and after someone is hired
How the threat has evolved from quiet wage theft to active extortion of former employers
What government collaboration and cross-border intelligence sharing can realistically accomplish
Evan contributed to the UN Sanctions Monitoring Team report on North Korean operations and brings a rare combination of technical depth and geopolitical fluency to this problem. Having lived and worked across the US, EU, and Japan, he brings cultural context that matters when investigating a threat with global reach. His investigations have produced some of the most detailed profiles of DPRK operators in the security community.
This episode is essential listening if you’re: a security leader building out your insider threat program, an HR or talent acquisition leader who hasn’t yet connected with your security team, or a threat intelligence analyst tracking how nation-state programs fund themselves.
Related Episodes:
From Code to Compromise — Covers North Korean threat actors using fake job interviews to target developers via malicious IDE extensions. A strong companion to this episode’s look at the broader IT worker scheme.
Inside the Mind of State-Sponsored Cyberattackers — A deeper look at how nation-state operations are structured and why they’re so hard to disrupt.
#NationStateThreat #InsiderRisk
00:00 Why HR Is Your Best Early-Warning System for DPRK IT Workers
00:39 Welcome to Threat Vector + Meet Evan Gordenker
01:42 How the Threat Hit Evan’s Radar—and Why It’s Personal
04:27 A Mechanized Operation: How GenAI Supercharged the Scheme
05:55 Remote Work Isn’t Required: Accomplices, Contractors, and Office Proxies
07:40 Crash Marker Need Evan’s answer above this point
10:20 Scale & Targeting: Roles, Regions, and the Global Expansion
12:20 Deepfakes, Synthetic IDs, and Resume Factories: Modern Tradecraft
14:25 Verification That Works: ID Checks, Pipeline Metadata, and Programmatic Flags
16:33 Facilitator Networks: Laptop Farmers, KVMs, Identity Mules, and Malware
19:27 From Wage Theft to Extortion: Data Theft, Ransoms, and 2025 Acceleration
21:48 Detection & Response Playbook: HR+SOC Signals and IR Priorities
25:27 AI on Both Sides: Proliferation, Defensive Analytics, and Deepfake Detection
28:15 Policy & Collaboration: What Governments and Industry Can Do Together
31:07 Looking Ahead + Final Takeaways
Subscribe + Follow
• Subscribe to Threat Vector
https://www.paloaltonetworks.com/podcasts/threat-vector
• Palo Alto Networks website
http://www.paloaltonetworks.com/
• Unit 42 threat research
https://unit42.paloaltonetworks.com/
• Facebook
https://www.facebook.com/LifeatPaloAltoNetworks/
• LinkedIn
https://www.linkedin.com/company/palo-alto-networks/
• More videos on YouTube
@paloaltonetworks
About Threat Vector
Threat Vector is Palo Alto Networks podcast for people who want to understand what’s really happening in cybersecurity. Every episode brings you inside the latest threats, smarter protection strategies, and the trends shaping the field.
You’ll hear from industry leaders, Palo Alto Networks experts, and real customers. The goal is simple. Give security teams and decision-makers the insights they need to stay ahead.
About Palo Alto Networks
Palo Alto Networks helps organizations prevent cyberattacks across cloud, network, and mobile with an automated, unified approach to security. Learn more at http://paloaltonetworks.com
