Kyle was actually in North Korea.

Cash-starved Pyongyang has long deployed cyberspies to steal intellectual property. But now it is forcing companies and government agencies to grapple with a new insider threat: Instead of merely hacking into networks, North Korean operatives are secretly joining the payroll as remote workers.

Capitalizing on a post-Covid boom in remote work and advances in generative artificial intelligence, North Koreans have been hired for hundreds—and potentially thousands—of low-level information-technology jobs and other roles in recent years, using stolen identities of foreigners, U.S. officials and security researchers say.

The scheme is netting hundreds of millions of dollars annually for Kim Jong Un’s reclusive regime, according to the U.S. Justice Department, allowing it to evade strict international sanctions and continue to fund its nuclear-weapons and ballistic-missile program.

Michael Barnhart, an analyst with Google Cloud’s Mandiant cyber-threat division, said its researchers were stunned at how prevalent the North Korean scam appears to be. “Once we peeled back these onion layers, we realized these IT workers are everywhere,” Barnhart said.

North Korea’s diplomatic mission at the United Nations didn’t respond to a request for comment.

Stu Sjouwerman, chief executive at KnowBe4 in Clearwater, Fla., said the company hired Kyle after a third-party jobs site flagged his apparent fluency in the technical language necessary for the internal IT position. In a Zoom interview, he came across as eager and honest.

“He was being open about strengths and weaknesses, and things he still needed to learn, career path ideas,” Sjouwerman said in an interview. “This guy was a professional interviewee who had probably done this a hundred times.”

Kyle posted an AI-generated photo of himself on his LinkedIn page using a stock image from the internet, the company said.

He attempted to deploy malware on his first day, which tripped the firm’s internal security alarms. The company deduced Kyle was an impostor and notified the Federal Bureau of Investigation, which traced the scheme to a residence in Washington state where a middleman was assisting the fraudulent operation, Sjouwerman said.

Companies say job seekers traced to North Korea have jumped in the past two years.

Cinder, a startup technology company whose workforce is remote, said that it began receiving dozens of fraudulent applications in early 2023. Roughly 80% of applications from some job sites were believed to be North Korean operatives using false identities, the company said.

Declan Cummings, the company’s head of engineering, said he became suspicious when applicants would appear on Zoom for remote interviews and didn’t look quite like their LinkedIn profile photos. Often they spoke with thick accents, said Cummings, who is fluent in Korean and has done volunteer work with defectors from the country.

In some cases, they listed work experience at Facebook offices in foreign countries that Cummings—a former employee of Facebook parent Meta Platforms—knew didn’t exist. Online searches of job seekers’ names didn’t yield much personal information, he said.

“Hi, I love what you are doing,” one cover letter sent to the company by a suspected North Korean applicant said. “I’d love to use my strong debugging and problem-solving abilities to be a powerful force in the workplace. I can wear multiple hats and adapt to a fast-paced team.”

In one interview, Cummings mentioned that Cinder’s co-founders were former officers at the Central Intelligence Agency, which led the applicant to drop off the call. The company never heard from him again.

“Out of all the companies that these people could apply to, they are applying to a company run by ex-CIA people and a North Korea expert,” Cummings said. “I don’t think that we were uniquely targeted, but we might be uniquely aware of it.”

To fool employers, North Korea often relies on laptop farms run by middlemen in the U.S. who install remote desktop software that allows North Koreans to log in to internal company servers from overseas while creating the impression they are in the U.S.

Federal prosecutors alleged last month that Pyongyang paid a Tennessee man a monthly fee for receiving and booting up work laptops at his Nashville home that North Koreans posing as IT workers used to defraud multiple U.S. media companies, a Portland-based technology company and a British financial institution.

Matthew Knoot, 38 years old, was allegedly promised $500 per laptop—plus 20% of net profits—by his North Korean handler who went by the name Yang Di, according to the indictment. He earned substantially less—only about $15,100 over a 13-month period. Knoot entered a plea of not guilty and is scheduled to go on trial in October. His lawyer didn’t respond to a request for comment.

Each of the companies thought it had hired a U.S. citizen identified in court papers as “Andrew M.” The North Koreans were paid over $250,000 by each company from summer 2022 to summer 2023, and filed false reports with the Internal Revenue Service using the stolen identity.

In some instances, the North Korean hires actually provided IT assistance to the companies—apparently seeking a paycheck that was at least partially claimed by Pyongyang.

The cyber operatives have used their access to company networks to steal intellectual property or quietly open a backdoor to launch cyberattacks.

When Mandiant, Google Cloud’s cyber-threat division, shared nearly 800 email addresses suspected of belonging to North Korean IT workers with various private-sector security partners earlier this year, it found that around 10% of the accounts were used to apply for jobs between February and August, netting 236 conversations with recruiters.

In at least five cases, job inquiries were sent to a critical infrastructure organization in the U.S. and elsewhere, Barnhart said.

In May, federal prosecutors unsealed an indictment alleging an Arizona woman and a man in Ukraine were part of a network of laptop-farms that resulted in over 300 U.S. companies unknowingly hiring people with ties to North Korea, prosecutors said.

Applicants assumed the identities of at least 60 U.S. citizens—some at different companies simultaneously, sending $6.8 million of revenue overseas to Pyongyang, prosecutors said.

The targeted companies included a major television network, a Silicon Valley tech company, an aerospace and defense company, an American car manufacturer, a luxury retail store and a media and entertainment company, according to the Justice Department. At least three unsuccessful attempts were made to infiltrate U.S. government agencies.

Write to Dustin Volz at dustin.volz@wsj.com