Report: A North Korean Cyber Espionage Agent Worked Undercover at Fisker Automotive for a Year
In a series of sophisticated cyberespionage operations, North Korean spies have infiltrated U.S. companies, primarily by using identity fraud to pose as legitimate remote workers. This infiltration method has affected tech-focused companies, including those in aerospace, technology, and sectors that handle sensitive data, such as cryptocurrency companies.
The FBI has issued warnings about North Korean spies in the finance and crypto sectors, highlighting them as a persistent, highly capable threat. These spies have been infiltrating U.S. companies through IT roles, often in low-level positions. They bypass traditional hiring barriers by using fake resumes, stolen social security numbers, deepfake-enhanced identity documents, and even proxies to pass interviews remotely. Their "laptop farms" hosted in the U.S. made it appear that North Korean IT workers were physically located inside the country, deceiving companies into hiring them remotely for technical roles.
One such case involved Kou Thao, an IT worker hired by Fisker Inc. in October 2021. Fisker terminated Thao in September 2023 after the Justice Department alerted the company to the scheme. It was later revealed that Thao was a covert agent for North Korea, involved in a money laundering scheme targeting the automotive industry. The financial fallout from Thao's espionage activities may have contributed to Fisker's bankruptcy filing in June 2024.
The scheme involved using fraudulent addresses and setting up laptops for remote access via networks in Russia and China. Fisker was not the only automaker impacted by this scheme. Other major American automotive manufacturers were also targeted, although their identities remain undisclosed.
North Korean groups such as Kimsuky (APT43/Thallium) have combined espionage and theft to launder stolen cryptocurrencies, effectively funding the regime’s weapons and nuclear programs. Recent intelligence suggests North Korean actors are specifically researching targets connected to cryptocurrency exchange-traded funds (ETFs).
Potential consequences for these U.S. companies include financial losses, data and security risks, reputational damage, and legal and compliance repercussions. The U.S. government, via new programs such as the Data Security Program (DSP), imposes stricter export controls and compliance obligations to counter foreign adversaries accessing sensitive data. Noncompliance or breaches can lead to penalties and increased regulatory scrutiny.
Fisker CEO Henrik Fisker did not comment on the matter, citing the ongoing FBI investigation. The identity of the automaker targeted by the scheme remains undisclosed, but both General Motors and Ford Motor Company are Detroit-based. As remote work continues to rise, companies must remain vigilant against such sophisticated threats to protect their financial stability, data security, and reputation.
- The FBI has warned companies in the finance and technology sectors, including automotive manufacturers, about North Korean spies who disguise themselves in IT roles, using fake identities to bypass hiring barriers and infiltrate companies remotely.
- North Korean groups, such as Kimsuky (APT43/Thallium), not only engage in cyberespionage but also combine these activities with cryptocurrency theft to launder funds, which are used to support the regime's weapons and nuclear programs. They are reportedly researching targets related to cryptocurrency exchange-traded funds (ETFs).