SEOUL—On a California-based company’s internal directory, he was just another face in the grid of remote workers—a prolific software developer with a polished LinkedIn profile and an IP address tracing back to the Midwest.
In reality, the man behind the coding lived in a state-run dormitory in China. His name was Anton Koh. And he wasn’t Chinese.
Koh belonged to a pipeline of elite North Korean cyber operatives, identified, trained and dispatched overseas by the Kim regime. Their mission: generate hard currency for Pyongyang by stealing foreigners’ identities to land remote IT jobs—with no gig more coveted than those from the U.S.
“I’m a software engineer and I have a great opportunity for you,” Koh said he messaged dozens of Americans daily, when remote working peaked during the pandemic. “It could be a lot of money for you too.”
Koh, who defected to South Korea in recent years, provides a rare window into Kim Jong Un’s digital warriors, who have managed to infiltrate hundreds of Fortune 500 companies, according to estimates from Google’s Mandiant division.
More than 40 countries have been targeted or involved in North Korea’s cyber work, according to a U.S.-led consortium of 11 nations documenting Pyongyang’s sanctions violations. The cyber agents are largely based in China and Russia, where the internet connection is stronger and won’t trace back to North Korea. They generated up to $800 million for the Kim regime in 2024, the group said.
American companies sit atop the list of targets because of the high pay and intelligence-gathering value. But the North Koreans don’t just work alone.
They seek to appear more credible to employers by paying Americans to host so-called “laptop farms,” where company-issued computers can be shipped and then used remotely by the North Koreans to appear online as if they were U.S.-based personnel. In November, the Justice Department said four Americans pleaded guilty to helping North Korean IT workers hold work at more than 136 American firms.
These overseas IT workers are the cash cows among North Korea’s illicit overseas labor, which helps funnel resources to Pyongyang’s nuclear program. The Kim regime is known to seize up to 90% of a given worker’s earnings, said Nam Bada, who interviewed defectors including Koh and other former IT workers for a report on Pyongyang’s cyber operations.
“A few IT workers can easily fund a missile,” said Nam, head of a Seoul-based North Korean human-rights group called People for Successful Corean Reunification, or PSCORE.
Due to their elevated roles in society, only a handful of North Korea’s hackers or cyber operatives are known to have defected over the decades. Just a few have ever spoken to the media. Koh’s account has been verified by South Korean officials and mirrors broader findings outlined in reports from the United Nations and third-party cybersecurity researchers.
Koh said his overseas posting afforded him luxuries nearly impossible to find at home: steady electricity, nutritious meals and internet access.
“It was like watching color TV for the first time after a lifetime of black-and-white,” Koh said of his first days in China.
Paralyzing pressure
Koh was seen as a child prodigy by North Korean authorities. They placed him on a track for software development after he aced the exams to get into an elite middle school that fed to a top university. He went overseas shortly after graduating college.
Upon arriving in China, Koh worked up to 16 hours a day. About 10 North Koreans crowded into a two-bedroom dormitory space containing little more than bunk beds and computers. Portraits of the ruling Kim leaders hung on the wall.
The revenue Koh and each of his colleagues generated was tracked in detail. At a monthly review session, the manager would hand out envelopes containing the workers’ 10% cut. Koh felt humiliated if his envelope was thinner than the others.
“The pressure and embarrassment could be paralyzing,” he said.
Koh admits he lived a life unattainable to most North Koreans. On Sundays, a day off for IT workers who met their monthly revenue quota of at least $5,000, Koh and his co-workers went shopping for American brands like Nike and the North Face. They dined on famed North Korean cold noodles or grilled lamb skewers washed down with cold beers.
Hitting the quotas got harder over the years, though, as North Korea’s operations became more well-known. Some clients started demanding live-camera interviews to land a job.
Koh found a workaround by enlisting willing Western software developers to apply for jobs in their own names and even show up for video meetings. Without having to do any actual work, the Westerners typically received a lump payout of $500 or ongoing commissions of 30% or more. Koh handled all the coding or debugging work.
Some were so enticed by Koh they forked over copies of their ID cards, which then got used by other North Korean IT workers to grab more work.
The Covid-19 pandemic, coupled with better AI tools, turned into a breakthrough for workers like Koh. Remote working became common. Résumés could be written with native-level English proficiency. In recent years, video-filtering software has allowed IT workers to mask their identity.
The Kim regime recognized that remote job opportunities were plentiful abroad, and raised the quota for IT workers to $8,000 during the pandemic, Koh said. The IT workers took on more jobs, translating messages into English and managing collaborators.
Koh’s account echoes those heard by Mun Chong-hyun, a South Korean cybersecurity expert who has engaged with former North Korean IT workers online and tracked their behavior for more than two decades. Most hail from elite institutions, speak foreign languages and want U.S.-based work.
“They are online on weekends and at night, generating significant cash that helps maintain the regime,” said Mun, director of cybersecurity firm Genians Security Center.
Internet freedom
The North Korean IT workers face constant surveillance, a lack of sleep and pressure to perform, according to defector testimonies published in a 2025 PSCORE report on North Korea’s cyber threats. During their workweek they are only allowed outdoors for short daily walks.
Yet handing over 90% or more of their earnings to the regime was considered an act of “patriotic duty,” the report said. IT workers, including Koh, were generally sent back to Pyongyang every two or three years for roughly a month of “re-education,” to reinstate loyalty after being exposed to foreign information.
“In that environment we were being abused,” Koh said, “but we were also the perpetrators.”
Koh’s manager installed monitoring software to track the IT workers’ browsing histories. But to a group of software experts, workarounds were easily found. Koh said he surfed the web when the others slept.
His loyalty to the Kim regime faded not long after his first Google searches. He searched for “Kim Jong Il,” who was North Korea’s leader at the time and died in 2011.
He read news articles about the “Dear Leader” drinking expensive whisky during North Korea’s massive famine in the late 1990s. “At first I thought, ‘This is a fabricated lie,’” Koh said.
But he kept seeing news articles in which portrayals of North Korea differed greatly from those in Pyongyang’s state-run media. He learned tens of thousands of North Koreans had escaped to the South. He later came to see all of the Kim regime’s promises as deceptions.
Following his escape, Koh’s life in South Korea is also demanding. His IT job limits his free time, but he finds happiness in the quiet of his own home. Sometimes he finds himself staring at his computer screen wondering how his old friends are doing. And how they feel about him.
“Maybe they think of me as a dirty traitor,” Koh said. “But maybe there’s a chance they understand me on a human level.”
Write to Dasl Yoon at dasl.yoon@wsj.com