
North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies

4 unique sources, 8 articles

Summary


North Korean state actors have been using fake or stolen identities to secure IT jobs in various companies, particularly in the blockchain and technology sectors. These actors have stolen virtual currency and funneled money to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what they believed were real developer laptops, which were actually fully controlled, long-running sandbox environments created by ANY.RUN. Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting vulnerabilities in hiring processes and remote work environments. Over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, with security experts warning of significant security risks and financial losses for affected companies. The U.S. Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two individuals and two entities for their role in these schemes, identifying financial transfers worth nearly $600,000 and over $1 million in profits generated since 2021. Japan, South Korea, and the United States are collaborating to combat North Korean IT worker schemes. The three countries held a joint forum on August 26, 2025, in Tokyo to improve collaboration, with both Japan and South Korea issuing updated advisories on the threat. 
The United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of working to help the Democratic People's Republic of Korea (DPRK) to generate revenue. Recently, five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud. The scheme impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors, seeking to return the funds to their rightful owners. North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima, part of North Korea’s state-sponsored Lazarus group, uses deep fake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents’ operations to secure remote jobs at targeted companies. Compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use compromised engineers' computers as proxies for malicious activities to hide their location and traces. North Korean recruiters use AI-powered tools like AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes. The threat actor used Astrill VPN, a popular service among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo.

Timeline

  1. 04.09.2025 04:00 · 3 articles

    Japan, South Korea, and the U.S. Collaborate to Combat North Korean IT Worker Schemes

    The threat actors often conceal their foreign location by using VPNs or remote desktop services. The scheme has expanded operations to Europe and deepened networks in the Asia Pacific, with operatives claiming residency in Japan, Malaysia, Singapore, and Vietnam. The main goal of these operations is generating revenue for the regime. The scheme poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences. The forum brought together government officials with private-sector experts, including from Google Cloud's Mandiant, to find additional strategies to combat the threat. Five U.S. citizens have pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud.

  2. 28.08.2025 11:53 · 3 articles

    U.S. Treasury Sanctions Key Players in North Korean IT Worker Scheme

    The US Treasury Department sanctioned Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology, and Korea Sinjin Trading Corp for their roles in the IT worker scheme. The two individuals and two companies allegedly acted as fronts for the North Korean government to facilitate the transfer of at least $1.6 million to the regime. The DoJ has also filed two civil complaints to forfeit cryptocurrency valued at more than $15 million seized from APT38 actors.

  3. 21.08.2025 00:39 · 8 articles

    North Korean Actors Steal $900,000 in Virtual Currency Using Fake Employee Scheme

    The US Department of Justice (DoJ) described the five individuals as 'facilitators' who assisted North Korean hackers with obtaining remote IT employment with US companies. The defendants allegedly provided personal, false or stolen identities and hosted laptops provided by the victim company at residences across the US to create the false appearance that the IT workers were employed domestically. In the joint investigation by BCA LTD, NorthScan and ANY.RUN described in the summary above, the operation began when NorthScan's Heiner García impersonated a U.S. developer targeted by a Lazarus recruiter using the alias 'Aaron' (also known as 'Blaze'). The scheme involved stealing or borrowing an identity, passing interviews with AI tools and shared answers, working remotely via the victim's laptop, and funneling the salary back to the DPRK. The operators used AI-driven job automation tools, browser-based OTP generators, Google Remote Desktop, and performed routine system reconnaissance. Connections were consistently routed through Astrill VPN, a pattern tied to previous Lazarus infrastructure.

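As an added, defender-side example (not part of the original page or of any of the investigations it cites), the script below scores endpoint process-start telemetry for the co-occurrence of the indicators the timeline entry names: a commercial VPN client, a remote-desktop host process, and routine reconnaissance commands on a company-issued laptop. The sample events and the process names (astrill.exe, remoting_host.exe) are constructed assumptions, not observed indicators.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the page): one process start per line,
# formatted as "host,user,process,cmdline". Process names are assumptions standing
# in for the tools the page names (Astrill VPN, Google Remote Desktop, recon commands).
SAMPLE_EVENTS = """\
LAPTOP-01,jdoe,astrill.exe,C:\\Program Files\\Astrill\\astrill.exe
LAPTOP-01,jdoe,remoting_host.exe,remoting_host.exe --host-config=host.json
LAPTOP-01,jdoe,cmd.exe,cmd.exe /c whoami
LAPTOP-01,jdoe,cmd.exe,cmd.exe /c systeminfo
LAPTOP-02,asmith,code.exe,code.exe
LAPTOP-02,asmith,cmd.exe,cmd.exe /c ipconfig /all
LAPTOP-03,bwong,remoting_host.exe,remoting_host.exe
"""

# Indicator classes drawn from the reported tradecraft; patterns are assumptions.
INDICATORS = {
    "commercial_vpn": re.compile(r"astrill", re.I),
    "remote_desktop_host": re.compile(r"remoting_host\.exe", re.I),
    "recon_command": re.compile(r"\b(whoami|systeminfo|ipconfig|netstat)\b", re.I),
}

def parse_events(text):
    """Parse the CSV-like telemetry into dicts; cmdline may itself contain commas."""
    events = []
    for line in text.strip().splitlines():
        host, user, proc, cmdline = line.split(",", 3)
        events.append({"host": host, "user": user, "process": proc, "cmdline": cmdline})
    return events

def score_hosts(events):
    """Return {host: set of indicator classes seen} for every host with at least one hit."""
    hits = defaultdict(set)
    for ev in events:
        haystack = ev["process"] + " " + ev["cmdline"]
        for name, pattern in INDICATORS.items():
            if pattern.search(haystack):
                hits[ev["host"]].add(name)
    return dict(hits)

def flagged_hosts(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct classes; a single recon
    command or a lone remote-desktop install is common and is not flagged alone."""
    return sorted(h for h, seen in score_hosts(events).items() if len(seen) >= min_indicators)

if __name__ == "__main__":
    print(flagged_hosts(parse_events(SAMPLE_EVENTS)))  # ['LAPTOP-01']
```

Raising or lowering min_indicators trades false positives against missed hosts; a flagged host is a lead for reviewing who is actually using the laptop, not a verdict.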


Similar Happenings

Manufacturing Sector Faces Persistent OT Security Challenges

The manufacturing sector continues to grapple with significant operational technology (OT) security challenges, including legacy systems, lack of visibility, and human factors. The industry's focus on IT security often overshadows OT security, despite the growing attack surface and interconnected nature of modern manufacturing environments. Recent incidents, such as the ransomware attack on Asahi, highlight the financial and supply chain risks associated with OT breaches. Experts emphasize the need for better awareness, identity-focused security strategies, and comprehensive governance to improve OT security in manufacturing.

US sanctions North Korean entities and individuals for cybercrime and IT worker fraud

The U.S. Treasury Department has imposed sanctions on ten North Korean individuals and entities involved in laundering $12.7 million in cryptocurrency and IT worker fraud. The sanctions target Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with their respective executives and financial representatives. The move aims to disrupt North Korea's ability to fund its weapons programs and other illicit activities through cybercrime and financial fraud. The Treasury Department has identified $12.7 million in transactions linked to North Korean financial institutions over the past two years. North Korean IT workers have been using foreign freelance programmers to establish business partnerships and split revenue. The Treasury Department has accused North Korea of leveraging its IT army to gain employment at companies by obfuscating their nationality and identities, funneling income back to the DPRK.

North Korean Threat Actor BlueNoroff Targets Web3 Sector

The North Korean threat actor BlueNoroff, also known as APT38 and TA444, has launched two new campaigns targeting the Web3 sector. These campaigns, dubbed GhostCall and GhostHire, focus on executives, Web3 developers, and blockchain professionals. The attacks use social engineering techniques on platforms like Telegram and LinkedIn to initiate multi-stage malware chains that compromise Windows, Linux, and macOS hosts. BlueNoroff is a financially motivated sub-cluster of the Lazarus Group, North Korea's state-sponsored cyber unit linked to the Reconnaissance General Bureau (RGB). The group is known for the long-running SnatchCrypto campaign, which has evolved to include comprehensive data acquisition across a range of assets. The harvested data is used to facilitate subsequent attacks, enabling supply chain attacks and leveraging established trust relationships to impact a broader range of users.

Sophisticated Investment Scam Impersonates Singapore Officials

A large-scale scam operation impersonating Singapore’s top officials has been uncovered. The operation uses verified Google Ads, fake news websites, and deepfake videos to lure victims into a fraudulent investment platform. The scam falsely associates itself with Singapore prime minister Lawrence Wong and coordinating minister for national security K Shanmugam to appear credible. The campaign specifically targeted Singapore residents by configuring Google Ads to appear only to local IP addresses. Victims who clicked on the ads were funneled through a chain of redirect sites designed to conceal the final fraudulent destination – a Mauritius-registered forex investment platform. The scam involved 28 verified advertiser accounts, mostly registered to individuals in Bulgaria, with others in Romania, Latvia, Argentina, and Kazakhstan. These accounts ran malicious Google Ads promising lucrative returns. The ads led users to 52 intermediary domains that redirected them to fake news pages impersonating outlets like CNA and Yahoo! News. The Mauritius-registered platform appeared legitimate due to its regulatory license, but its Cyprus-based parent company had faced multiple suspensions and lost its UK authorization in 2022.

North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

North Korean hackers have stolen approximately $2 billion in cryptocurrency in 2025, the highest annual total recorded. This theft is part of a broader campaign to fund nuclear weapons development. The largest single heist was the Bybit hack in February, which accounted for $1.46 billion. The tactics used by these hackers have evolved to include more sophisticated laundering techniques and a shift towards targeting individuals and exchange employees through social engineering. The 2025 total so far is triple last year’s figure and beats 2022’s record of $1.35bn, which came on the back of attacks against Ronin Network and Harmony Bridge. The total amount stolen by North Korean hackers since 2017 exceeds $6 billion. Other notable breaches include LND.fi, WOO X, Seedify, and BitoPro. The Lazarus Group stole an estimated $11 million from BitoPro. The actual stolen amount may be higher due to difficulties in attribution and unreported incidents. Recently, five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. The U.S. authorities seek the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group.