What Every U.S. Business Needs to Know About North Korea's Remote Worker Scam

The Department of Justice announced its first arrests and criminal indictments against networks helping North Koreans impersonate remote IT employees in the U.S. The imposters perform remote tech work for their unsuspecting employers, even as they steal sensitive information. At the same time, they plant malware and configure company networks for future access to stage data thefts or ransom attacks if they’re caught and fired. Despite its first major strike against that North Korean infiltration program, the DOJ warned that possibly thousands of operatives are still employed by U.S. companies. Meanwhile, even more prospective operatives continue to apply for remote jobs assisting Pyongyang’s efforts to raise foreign currency to fund its clandestine programs. It also noted authorities had identified over 100 known corporate targets of the scam, “including many Fortune 500 companies.” The DOJ said infiltrators “caused U.S. victim companies to incur legal fees, computer network remediation costs, and other damages and losses of at least $3 million.”

The Department of Justice announced its first arrests and criminal indictments against networks helping North Koreans impersonate remote IT employees in the U.S. to raise money for the Pyongyang regime.

In recent years, U.S. companies have had to battle the increasing threat of cybercriminals attacking their technology platforms, stealing their data, and at times entirely locking their businesses down until a ransom is paid. Now, leading businesses also face the risk that they may unknowingly employ undercover North Korean operatives in their remote tech support teams—a peril U.S. authorities this week moved to combat.

As Inc. reported in May, security experts continue sounding alarms about the threat of Democratic People’s Republic of Korea (DPRK) citizens impersonating American job applicants to gain remote tech positions with leading American businesses. By using AI deepfakes to pass the interview phase—and relying on U.S.-based accomplices operating “laptop farms” to mask their real locations—North Korean hires have been stealing sensitive company data for future ransomware use. They’ve also siphoned off cryptocurrency reserves while sending their salaries to their government in support of weapons development and other clandestine programs.

This week, the Department of Justice (DOJ) announced it had delivered a blow to the operation—its initial offensive in what’s likely to be a long battle. “These actions include two indictments, an arrest, searches of 29 known or suspected ‘laptop farms’ across 16 states, and the seizure of 29 financial accounts used to launder illicit funds and 21 fraudulent websites,” the DOJ announcement said, adding the impersonation scheme had gotten support from accomplices in the U.S., China, United Arab Emirates, and Taiwan.

It also noted authorities had identified over 100 known corporate targets of the scam, “including many Fortune 500 companies.” The DOJ said infiltrators “caused U.S. victim companies to incur legal fees, computer network remediation costs, and other damages and losses of at least $3 million.”

How did North Korean impostors secure positions with those businesses, then continue working undetected even as they pilfered employers’ data? According to security experts, operatives first scour job posting sites in search of well-paid remote tech support positions. They then either steal the names, work experience, and security clearances of reputable U.S. employees, or fabricate fictional yet convincing candidate profiles.

Impostors then apply for sought positions in coordinated swarms that increase the odds of their members progressing deep into the hiring process. Deepfakes that look and sound like the victims of identity theft who are being impersonated often suffice to convince unsuspecting recruiters during video interviews. After unwittingly hiring North Korean moles, companies dispatch security-approved computers to U.S. addresses the bogus new tech workers listed as their residences. Those houses are actually occupied by accomplices to the scam who run “laptop farms,” where PCs are accessed by North Korean users, creating the impression of being online and working from domestic locales. The imposters perform remote tech work for their unsuspecting employers, even as they steal sensitive information. At the same time, they plant malware and configure company networks for future access to stage data thefts or ransom attacks if they’re caught and fired.

Despite its first major strike against that North Korean infiltration program, the DOJ warned that possibly thousands of operatives are still employed by U.S. companies. Meanwhile, even more prospective operatives continue to apply for remote jobs assisting Pyongyang’s efforts to raise foreign currency to fund its clandestine programs. “These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division in the statement. “The Justice Department, along with our law enforcement, private sector, and international partners, will persistently pursue and dismantle these cyber-enabled revenue generation networks.”

What can both big and more modest-sized companies that need remote tech support do to reduce their vulnerability to North Korean scammers? As Inc. noted in May, Google’s Threat Intelligence Group suggests the following steps:

Build a robust insider risk-management program: Establish a formal insider risk program, create clear policies, coach executives, build organizational frameworks, ensure standards of governance, and provide employee training to foster a security-conscious culture.

Develop a security-minded hiring process and culture: Do stringent background checks, conduct careful on-camera interviews that require more personal engagement from the candidate, and vigilantly vet applicants’ job histories.

Establish secure remote-work practices: Verify the identities and locations of remote workers, and look for potential red flags, such as a new remote employee suddenly suggesting a different shipping address for a secure company computer, and require in-person device pickup whenever possible.

Monitor insider risk: Security teams should have the appropriate visibility and oversight capabilities to know when employees have exfiltrated sensitive data and opened network access. While these violations are ideally detected and prevented before a significant incident occurs, organizations should also factor insider risk into their incident response plans.

U.S. government agencies also have their own recommendations about ways to detect North Koreans who have managed to infiltrate company workforces, as well as prevention measures to avoid accidentally hiring them in the first place.

Source: Inc.com, https://www.inc.com/bruce-crumley/what-every-u-s-business-needs-to-know-about-north-koreas-remote-worker-scam/91208951
