Nisos shipped a rigged laptop to a supposed Florida address and, through the device camera, watched a closet stacked with machines: a literal laptop farm being used to impersonate remote IT workers for Western companies.
The candidate and the AI-assisted interview
Risk intelligence provider Nisos says the incident began in June 2025 when a resume for a “Florida-based AI architect” arrived for a remote role at the firm. The resume matched Nisos' own job posting almost word-for-word, listed tools that did not exist during the stated employment periods, and arrived from a brand-new email address with no breach history. A VoIP phone number and several conflicting resumes deepened the suspicion.
Interviews convinced Nisos the applicant was not a live human answering from experience. The candidate’s eyes tracked across the screen “as if reading,” and Nisos concluded an AI tool was supplying answers in real time. To test that conclusion, interviewers invented a hurricane and asked how it had affected the candidate’s supposed Florida home; the candidate calmly reported minor rain and wind from a storm that never happened.
The laptop farm: PiKVM, Tailscale, and a closet of machines
Instead of terminating the interaction, Nisos followed the connection. Canary tokens showed the operative connected via Astrill VPN, “a service favored by North Korean workers,” and the delivery address for the work laptop matched neither the resume nor the real Floridian whose identity had been stolen.
When Nisos sent a rigged laptop to that address, the camera revealed a closet full of machines. The devices were controlled using PiKVM hardware, which the report says “lets a remote operator control a computer as if sitting at it, even before it boots,” and is hard for corporate security to spot. The network included roughly 40 devices, about 20 actively in use, and a Tailscale mesh VPN linking the machines. Multiple personas were employed across different companies at once.
Scale, money flows, and U.S.-hosted infrastructure
Nisos characterizes this setup as one cell inside a broader phenomenon. The company says hundreds of suspected laptop farms operate across the United States. Wages are routed through American bank accounts opened under stolen identities before funds are passed on to North Korea, the report states. The story notes that U.S. authorities have long said revenue from similar schemes helps fund the regime’s sanctioned weapons programs.
The presence of “willing Americans hosting the laptop farms on US soil,” combined with the use of VoIP numbers, stolen identities and mesh VPNs, creates an operational model that blends physical assets inside the country with remote control tools and AI-driven impersonation.
What this means for technologists, employers, and policymakers
- Technologists and security teams: The combination of PiKVM-level remote control, Tailscale meshes, and AI in interviews presents a layered operational challenge: a device can be physically present in a corporate environment but driven remotely in a way that standard endpoint inventories and access controls might not detect. Signals to watch for include unusual device behavior, off-network mesh VPNs, and hardware KVM devices.
- Employers and procurement leaders: Nisos urges treating remote hiring as a security problem. Practical steps noted include deepening background checks, adding unexpected or localized questions to interviews to expose AI coaching, and monitoring device behavior post-hire, because “standard vetting no longer catches operatives this well prepared.”
- Policymakers and regulators: The report highlights U.S.-hosted infrastructure and bank accounts opened under stolen identities as part of the revenue chain; that framing links hiring fraud to broader concerns about illicit finance that U.S. authorities have associated with funding sanctioned programs.
Nisos' recommended defenses and a final observation
Nisos’ explicit recommendation to employers is to treat remote hiring as a security problem: deepen background checks, use unannounced or unexpected interview prompts to detect AI-assisted responses, and monitor device behavior after onboarding. The technical signal set in this case — PiKVM hardware controlling dozens of machines, a Tailscale mesh, Astrill VPN usage, and stolen-identity bank routing — provides concrete markers security teams can look for when assessing remote applicants and devices.
The episode lays bare an adaptation cycle: threat actors combining commodity hardware (PiKVM), mesh VPNs, stolen U.S. identities, and generative AI to scale impersonation at distance. For employers that assumed identity checks and standard vetting were sufficient, the Nisos findings argue otherwise: the attack surface now extends from interview rooms into closets and bank ledgers across the country.
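One way to turn the device-side markers named above (PiKVM hardware and a Tailscale mesh) into a post-onboarding inventory check, as an added example that is not from Nisos or the article. The USB identifiers, the 100.64.0.0/10 range, the process names and the record layout are assumptions: they reflect PiKVM and Tailscale defaults, which an operator can change.

```python
import ipaddress

# Assumed indicators (not from the report, and changeable by whoever runs the farm):
# PiKVM's stock USB gadget identity and Tailscale's 100.64.0.0/10 address range.
PIKVM_ID = (0x1D6B, 0x0104)
PIKVM_STRINGS = ("pikvm", "composite kvm device")
TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")
MESH_PROCESSES = {"tailscaled", "tailscaled.exe"}

def score_endpoint(host, mesh_vpn_approved=False):
    """Return the laptop-farm markers present in one endpoint inventory record."""
    findings = []
    for dev in host.get("usb", []):
        label = f"{dev.get('manufacturer', '')} {dev.get('product', '')}".lower()
        if any(s in label for s in PIKVM_STRINGS):
            findings.append("usb-kvm-string")
        elif (dev.get("vid"), dev.get("pid")) == PIKVM_ID:
            findings.append("usb-linux-gadget-id")  # weak: matches any Linux composite gadget
    if not mesh_vpn_approved:
        if any(ipaddress.ip_address(a) in TAILSCALE_NET for a in host.get("interface_ips", [])):
            findings.append("mesh-vpn-address")  # weak alone: the range is also carrier-grade NAT
        if MESH_PROCESSES & {p.lower() for p in host.get("processes", [])}:
            findings.append("mesh-vpn-process")
    return findings

def triage(fleet, min_markers=2):
    """Hosts showing at least min_markers markers, most markers first."""
    scored = [(h["host"], score_endpoint(h)) for h in fleet]
    return sorted((s for s in scored if len(s[1]) >= min_markers), key=lambda s: -len(s[1]))

# Constructed sample records (not data from the Nisos case).
FLEET = [
    {"host": "lt-0142",
     "usb": [{"vid": 0x1D6B, "pid": 0x0104, "manufacturer": "PiKVM", "product": "Composite KVM Device"}],
     "interface_ips": ["192.168.1.23", "100.101.7.4"],
     "processes": ["explorer.exe", "tailscaled.exe"]},
    {"host": "lt-0177",
     "usb": [{"vid": 0x046D, "pid": 0xC52B, "manufacturer": "Logitech", "product": "USB Receiver"}],
     "interface_ips": ["10.20.4.9", "fe80::1"],
     "processes": ["explorer.exe"]},
    {"host": "lt-0203",  # renamed gadget strings: only the weak ID match remains
     "usb": [{"vid": 0x1D6B, "pid": 0x0104, "manufacturer": "Generic", "product": "Keyboard"}],
     "interface_ips": ["10.20.4.31"],
     "processes": ["explorer.exe"]},
]

if __name__ == "__main__":
    for name, markers in triage(FLEET):
        print(name, markers)
```

A single weak marker is not evidence on its own, which is why `triage` defaults to requiring two.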
Source: https://www.infosecurity-magazine.com/news/north-korea-it-worker-fraud-ai/




