North Korean “remote workers” also targeting Hungarian companies – but they’re actually hackers

In recent months, North Korean hacker groups have resurfaced, attempting to infiltrate foreign companies while posing as remote workers.

According to the Google Threat Analysis Group, this phenomenon has already reached several European countries – including Hungary. The attackers apply with fake identities for IT positions, and companies often have no idea who they are really dealing with.

Remote workers who seem legitimate

Researchers at cybersecurity firm Sophos warn that most candidates with North Korean backgrounds claim to be IT developers or system administrators living in other Asian countries. At first glance, these profiles appear completely legitimate, with polished LinkedIn pages, years of “built-up” portfolios, and references often stolen from real companies.

Their technical skills are usually genuine – the applicants can handle real tasks. The problem is that their identities are fabricated, and their goal is not to earn a salary but to gain access to corporate systems.

“Many organizations now hire internationally, and identity verification in remote recruitment processes is often insufficient. This poses a serious risk, as even sanctioned individuals could gain access to company systems,” warns Gábor Szappanos, cybersecurity expert at Sophos.

The situation has become especially concerning because attackers now use far more sophisticated methods than a few years ago. Applicants often present carefully crafted, AI-generated online profiles, appearing as ordinary remote workers. Their true backgrounds, however, are well disguised – which is why Sophos emphasizes that HR processes must become an integral part of corporate cybersecurity.

Six red flags HR should watch for

According to Sophos researchers, the following signs appearing together may indicate suspicious activity:

  • Inconsistent digital footprint: Minor discrepancies between CV, LinkedIn, and other online profiles.
  • Repeated contact information: The same phone number or email appears across multiple candidates.
  • Avoiding video calls: The candidate refuses to use the camera, uses a blurry image, an unusual background, or skips video interviews entirely.
  • Excessive urgency: Attempts to bypass standard checks, pushes for rapid decisions.
  • Lack of local knowledge: The “local” candidate cannot answer basic questions about the company or the area.
  • Unusual technical requests: Requests their own laptop, frequently changes bank accounts, or makes other atypical equipment demands.

The role of HR in cybersecurity

While technical cybersecurity measures are essential, attacks often start during the recruitment process itself. If HR cannot detect fake identities, companies may unknowingly grant system or financial access to individuals backed by state actors.

“The most effective defense is consistency. Standardized hiring processes, thorough identity verification protocols, and background checks supported by IT security tools together can prevent malicious actors from entering the company,” emphasized Gábor Szappanos.

elomagyarorszag.hu
