The Threat Was Already Inside
Why DPRK didn't invent insider risk. It just made it impossible to ignore.
DPRK did not invent insider threat. It just gave an old problem a new LinkedIn profile, a polished resume, and a remote-work allowance. For many in incident response and traditional cyber defense, the North Korean remote-worker issue has been the moment the penny finally dropped: the most dangerous threat actor is not always the one rattling the perimeter. Sometimes the threat already has a badge, a laptop, a Slack account, and a manager who thinks they’re doing excellent work from three time zones away. The Department of Justice’s 2025 crackdown on DPRK remote IT worker schemes made that painfully concrete: searches of 29 suspected laptop farms across 16 states, more than 100 U.S. companies affected, fake and stolen identities, sensitive data theft, and even the compromise of export-controlled technology.
And honestly, I will take the attention however it arrives. If DPRK is the issue that finally got some of the “cyber guys” to stop treating insider threat as a niche compliance topic and start treating it like the operational security problem it has always been, good. Welcome aboard. Genuinely. We have needed your telemetry, detection engineering, and response muscle for a long time.
But let’s not confuse the current trigger with the actual history. Insider threat did not begin with fake remote developers, AI-polished resumes, or laptop farms humming away in suburban closets. Long before SaaS and zero trust, there were trusted insiders like Aldrich Ames and Robert Hanssen, both of whom demonstrated in spectacularly catastrophic fashion what authorized access can do in the wrong hands. By 2001, Carnegie Mellon’s CERT Division had already begun formal research into malicious insider behavior, and its insider-threat case database has since grown into the thousands. After the WikiLeaks era, Executive Order 13587 established an interagency Insider Threat Task Force to build government-wide programs for deterring, detecting, and mitigating insider threats. In other words, this field did not materialize last quarter. It has been maturing for decades.
I know this because I have had the unusual privilege, some days it felt more like an occupational hazard, of seeing the problem from several angles. I worked national-security and counterespionage matters at the FBI, contributed to the prosecution connected to the Russian Illegals Program, supported work around the Snowden and WikiLeaks investigations, later helped shape insider-threat policy and program work at NSA under Executive Order 13587, and for the last decade have built insider risk capabilities for hundreds of corporations. Along the way, I advised major enterprises, wrote and taught on the topic, and kept seeing the same truth in different clothes: the names, motives, and tradecraft change, but the underlying problem does not. "Trusted access is attack surface."
That is why I resist any effort to reduce insider risk to a North Korea story. DPRK is important, urgent, and very real. But insider risk is much broader than any one country code, threat cluster, or geopolitical headline. CISA defines insider threat as the potential for an insider to use authorized access or understanding of an organization to cause harm through malicious, complacent, or unintentional acts. That broader definition matters because, in the real world, insider risk is not just espionage. It is fraud. It is theft of intellectual property. It is sabotage. It is negligent mishandling of sensitive data. It is policy-violating polywork. It is the trusted employee who becomes disgruntled, compromised, financially desperate, or simply careless on the wrong day.
A few composite examples make the point better than jargon ever will. There is the departing engineer who decides the source code belongs in a personal repository because, after all, “I wrote most of it anyway.” There is the privileged administrator who starts with harmless curiosity, then drifts into misuse after a bruising performance review. There is the employee juggling two full-time remote jobs who shares snippets of code, credentials, or customer context to keep both bosses happy. There is the contractor who is not malicious at first, merely sloppy, until an external actor notices the weakness and turns negligence into compromise. And now, yes, there is the “new hire” whose paperwork clears, whose interview is good enough, and whose digital footprint quietly tells a very different story. Different motives. Different pathways. Same category of problem: insider risk.
What DPRK changed was not the existence of insider threat. It changed the urgency, the scale, and the packaging. The remote IT worker schemes fuse employment fraud, identity fraud, privileged access, remote work, sanctions evasion, and state-directed revenue generation into one ugly bundle. The FBI warned in early 2025 that DPRK IT workers were using unlawful access to exfiltrate proprietary and sensitive data, facilitate cybercriminal activity, and conduct revenue-generating operations for the regime. Treasury’s March 2026 sanctions announcement explicitly pointed back to a May 2022 advisory from State, Treasury, and Justice, which is a useful reminder that even the DPRK playbook itself is not new; what is new is how impossible it has become to ignore.
This is also why recent practitioner work in the space has been so useful. Michael Barnhart at DTEX, now helping lead insider intelligence efforts there after previously leading Google Mandiant’s North Korea threat-hunting work, has been especially effective at framing DPRK not simply as an external cyber campaign, but as a nation-state insider infiltration problem. His reporting and commentary around Exposing DPRK’s Cyber Syndicate and Hidden IT Workforce and the 2025 crackdown help clarify a point many defenders missed for too long: if the bad actor gets hired, your “external” threat just became very internal indeed.
Barnhart has also warned that these tactics will not remain uniquely North Korean; others will learn from a model that works.
Nisos has been equally instructive from a practical standpoint. Their recent work on DPRK employment fraud, fake personas, hiring-phase OSINT, and even laptop-farm investigations shows how much of this battle is won or lost before day one of employment. Their research also underscores a broader lesson I have been preaching for years: insider risk is not confined to what happens inside the firewall. External intelligence, attribution, and disciplined vetting can surface the warning signs early, including reused contact data, synthetic resumes, impossible work histories, suspicious portfolio trails, undisclosed side employment, and false identities designed to walk right through the front door. That is not a niche HR issue. That is frontline security.
So yes, it makes perfect sense that the cyber community has finally leaned in. DPRK makes the overlap impossible to miss. The indicators show up in identity proofing, endpoint activity, unusual geolocation patterns, code repositories, access governance, payments, and response workflows. This is exactly where incident response, threat hunting, and cyber defense should be contributing, and it is good news that they are. The insider-risk world has needed more cyber muscle for years. The smart move now is not to argue over who discovered the problem last. The smart move is to solve it together.
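To make the two preceding paragraphs concrete, here is an added example of the kind of checks a vetting and detection team can run over applicant records and authentication telemetry. It is not code from the original post, from Nisos, or from DTEX; every candidate, employer, address, log line, field name and threshold in it is a constructed assumption. It screens for three of the signals named above: contact data reused across different applicant names, work histories that are internally impossible or that describe undisclosed concurrent full-time employment, and login geolocation patterns that would require impossible travel.

```python
"""Hiring-phase and early-tenure insider-risk screen (added illustration; all data constructed)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional


@dataclass
class Job:
    employer: str
    start: date
    end: Optional[date] = None   # None means still employed as of the screening date
    full_time: bool = True


@dataclass
class Candidate:
    name: str
    email: str
    phone: str
    history: List[Job] = field(default_factory=list)


# Constructed applicant pool: every name, contact value and employer is fictional.
CANDIDATES = [
    Candidate("Alex Rivera", "alex.rivera@example.com", "+1-555-010-0100",
              [Job("Acme", date(2019, 1, 1), date(2022, 6, 30)), Job("Globex", date(2022, 7, 1))]),
    Candidate("Jordan Lee", "jordan.lee@example.net", "555.010.0100",
              [Job("Initech", date(2021, 3, 1)), Job("Umbrella", date(2023, 1, 15))]),
    Candidate("Taylor Kim", "ALEX.RIVERA@example.com", "+1-555-010-0199",
              [Job("Vehement", date(2020, 2, 1))]),
    Candidate("Sam Okafor", "sam.okafor@example.org", "+1-555-010-0142",
              [Job("Hooli", date(2020, 5, 1), date(2019, 12, 31))]),
]


def norm_email(e: str) -> str:
    return e.strip().lower()


def norm_phone(p: str) -> str:
    """Keep digits only and drop a leading US country code so formatting differences collapse."""
    digits = re.sub(r"\D", "", p)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def reused_contact_data(candidates):
    """Return contact values (email or phone) that appear under more than one applicant name."""
    owners = defaultdict(set)
    for c in candidates:
        owners[("email", norm_email(c.email))].add(c.name)
        owners[("phone", norm_phone(c.phone))].add(c.name)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}


def history_anomalies(candidate, as_of: date, min_overlap_days: int = 30):
    """Flag impossible dates and overlapping full-time jobs inside one resume."""
    found = []
    jobs = candidate.history
    for j in jobs:
        if j.end is not None and j.end < j.start:
            found.append(("end_before_start", j.employer))
    for i in range(len(jobs)):
        for k in range(i + 1, len(jobs)):
            a, b = jobs[i], jobs[k]
            if not (a.full_time and b.full_time):
                continue
            overlap = (min(a.end or as_of, b.end or as_of) - max(a.start, b.start)).days
            if overlap >= min_overlap_days:
                found.append(("concurrent_full_time", a.employer, b.employer, overlap))
    return found


# Constructed authentication log format (assumed): timestamp, user, source IP, lat,lon.
LOG_RE = re.compile(r"^(\S+) user=(\S+) src=\S+ geo=(-?[\d.]+),(-?[\d.]+)$")
AUTH_LOG = """\
2025-06-02T08:00:00Z user=arivera src=203.0.113.7 geo=30.2672,-97.7431
2025-06-02T08:05:00Z user=jlee src=203.0.113.9 geo=30.2672,-97.7431
2025-06-02T09:30:00Z user=jlee src=198.51.100.4 geo=52.5200,13.4050
2025-06-02T12:00:00Z user=arivera src=203.0.113.7 geo=30.2700,-97.7400
2025-06-02T17:00:00Z user=jlee src=198.51.100.4 geo=52.5200,13.4050
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(log_text: str, max_kmh: float = 900.0):
    """Consecutive logins per user whose implied speed exceeds max_kmh (roughly airliner speed)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than silently trusted
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events[m.group(2)].append((ts, float(m.group(3)), float(m.group(4))))
    flags = []
    for user, evs in events.items():
        evs.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 60)  # floor at one minute
            if km / hours > max_kmh:
                flags.append((user, t1.isoformat(), t2.isoformat(), round(km), round(km / hours)))
    return flags


if __name__ == "__main__":
    print(reused_contact_data(CANDIDATES))
    for c in CANDIDATES:
        print(c.name, history_anomalies(c, date(2025, 6, 1)))
    print(impossible_travel(AUTH_LOG))
```

Each finding is a lead for an analyst, not a verdict: a shared phone number can be a family member, and a concurrent full-time job can be disclosed and permitted. The value of the screen is that it turns the signals in the paragraphs above into questions that get asked before day one and into telemetry that endpoint and identity teams already collect.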
But I would offer one gentle caution to my cyber friends: insider risk is not just a perimeter problem that wandered indoors. It is not a SIEM use case with feelings. It is a human-risk problem that leaves technical artifacts. If you only collect logs and ignore context, you will miss intent. If you only focus on behavior and ignore controls, you will miss opportunity. The most effective insider-risk programs sit at the intersection of cyber, legal, HR, compliance, physical security, investigations, and leadership. The point is not to crown a single owner. The point is to stop letting the seams between functions become the adversary’s hiding place.
So, did DPRK invent the insider threat problem? Of course not. But it may have done the industry a strange favor by forcing more companies to confront an uncomfortable truth: authorized access has always been one of the most powerful forms of access. If DPRK is the catalyst that gets more leaders to invest in mature insider-risk programs, I am all for it. We are overdue. We just need to keep the aperture wide enough to remember that the next serious insider event may involve a hostile state, a disgruntled employee, a compromised contractor, a careless insider, or a fraudster who never should have been hired in the first place. The flag may change. The problem does not. And to the cyber guys finally joining the fight: glad you’re here. We saved you a seat.