
North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies

4 unique sources, 15 articles

Summary


North Korean state actors continue to exploit fake employee schemes to infiltrate companies, particularly in blockchain and technology sectors, funneling stolen virtual currency and funds to North Korea's weapons program. The practice has escalated with remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has evolved into three distinct hacking groups: Labyrinth Chollima (cyber espionage targeting industrial, logistics, and defense), Golden Chollima (smaller-scale cryptocurrency theft), and Pressure Chollima (high-value heists). Each group uses distinct toolsets derived from the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. A joint investigation uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division, with researchers capturing live activity of Lazarus operators on sandboxed laptops. The scheme, tracked as Jasper Sleet, PurpleDelta, and Wagemole, involves stealing or borrowing identities, using AI tools for interviews, and funneling salaries to the DPRK. Thousands of North Korean IT workers have infiltrated companies over the past two years, exploiting hiring processes and remote work environments. The U.S. Treasury has sanctioned individuals and entities involved, while Japan, South Korea, and the U.S. collaborate to combat the threat. Five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes, and two additional U.S. nationals, Kejia Wang and Zhenxing Wang, were sentenced to prison for operating a 'laptop farm' that facilitated the infiltration of over 100 companies, generating $5 million in illicit revenue and causing $3 million in damages to victim companies. Two more U.S. nationals, Matthew Isaac Knoot and Erick Ntekereze Prince, have now been sentenced to 18 months in prison each for operating laptop farms that enabled North Korean IT workers to fraudulently secure remote employment at nearly 70 American companies between 2020 and 2024. The operations resulted in over $1.2 million in illicit payments to North Korean operatives and caused significant remediation costs for victim companies.

Timeline

  1. 30.01.2026 17:40 2 articles · 3mo ago

    Labyrinth Chollima evolves into three distinct hacking groups

    Labyrinth Chollima has evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies. Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses a distinct toolset in its malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. The three groups share tools and infrastructure, indicating centralized coordination and resource allocation within the North Korean cyber ecosystem. Golden Chollima focuses on consistent, smaller-scale cryptocurrency thefts in economically developed regions, whereas Pressure Chollima pursues high-value heists with advanced implants to single out organizations with significant digital asset holdings. Labyrinth Chollima's operations are motivated by cyber espionage, using tools like the FudModule rootkit to achieve stealth.

  2. 04.09.2025 04:00 4 articles · 8mo ago

    Japan, South Korea, and the U.S. Collaborate to Combat North Korean IT Worker Schemes

    The article underscores the ongoing collaboration between Japan, South Korea, and the U.S. to combat North Korean IT worker schemes, highlighting the sentencing of U.S. nationals involved in facilitating these operations. It also notes the expansion of the scheme's reach to Fortune 500 companies and the theft of sensitive data and source code from military contractors and AI companies.

  3. 28.08.2025 11:53 3 articles · 8mo ago

    U.S. Treasury Sanctions Key Players in North Korean IT Worker Scheme

    The U.S. Treasury Department sanctioned Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology, and Korea Sinjin Trading Corp for their roles in the IT worker scheme. The two individuals and two companies allegedly acted as fronts for the North Korean government to facilitate the transfer of at least $1.6 million to the regime. The DoJ has also filed two civil complaints to forfeit cryptocurrency valued at more than $15 million seized from APT38 actors.

  4. 21.08.2025 00:39 14 articles · 8mo ago

    North Korean Actors Steal $900,000 in Virtual Currency Using Fake Employee Scheme

    The article adds sentencing details for Matthew Isaac Knoot and Erick Ntekereze Prince, who were sentenced to 18 months in prison each for operating laptop farms that helped North Korean IT workers fraudulently obtain remote employment at nearly 70 American companies. Knoot ran a laptop farm from his Nashville residence between July 2022 and August 2023, receiving company-issued laptops addressed to a stolen identity and installing unauthorized remote desktop software to allow North Korean IT workers to appear as legitimate U.S.-based employees. Prince facilitated North Korean IT workers through his company, Taggcar Inc., from June 2020 to August 2024, resulting in over $1.2 million in illicit payments to operatives and causing more than $1.5 million in remediation costs at victim companies. The FBI has warned since at least 2023 about North Korea's large-scale IT worker infiltration schemes targeting hundreds of American companies annually.


Similar Happenings

Global disruption of pig-butchering cryptocurrency scam networks with 276 arrests

A coordinated international law enforcement operation dismantled nine cryptocurrency investment fraud centers across Dubai and Southeast Asia, arresting 276 suspects linked to pig-butchering (romance baiting) schemes that defrauded victims through fake investment platforms. Scammers cultivated trust with targets via fabricated relationships before redirecting victims to counterfeit cryptocurrency investment portals where deposited funds were immediately siphoned and laundered through layered crypto accounts. Victims were coerced into borrowing money and taking loans to increase investments, exacerbating financial losses. The operation targeted operations including Ko Thet Company, Sanduo Group, and Giant Company, with fugitives still at large. Additional developments include the seizure of over $701 million in illicit funds, charges against key figures in forced labor scam compounds, sanctions on a Cambodian senator tied to cyber scam networks, and the disruption of an Android banking trojan linked to scam operations in Cambodia. U.S. authorities also expanded victim notification efforts and launched new cybersecurity initiatives to counter evolving fraud tactics.

Drift Protocol administrative takeover and $285 million loss via Security Council manipulation on Solana

The April 1, 2026, $285 million Drift Protocol loss was part of a broader campaign by North Korea-linked Lazarus Group (TraderTraitor) targeting DeFi protocols. On April 18, 2026, the group executed a $290 million heist against KelpDAO by exploiting its cross-chain verification layer (DVN) via compromised RPC nodes, falsified data injection, and DDoS attacks, laundering funds through Tornado Cash. The attack paused KelpDAO’s rsETH contracts, froze Aave’s rsETH collateral usage, and was isolated to rsETH without broader contagion. Drift Protocol’s Security Council hijacking, attributed to UNC4736 (AppleJeus/Labyrinth Chollima), and KelpDAO’s DVN compromise both align with Lazarus Group’s pattern of sophisticated state-sponsored attacks on DeFi infrastructure.

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

Supply chain compromise in the Trivy vulnerability scanner triggered the CanisterWorm propagation across CI/CD pipelines, now expanding to additional open-source ecosystems and involving multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) and Cisco confirming collaboration and lateral movement across cloud environments. A new npm supply chain malware campaign discovered on April 24, 2026, shows self-propagating worm-like behavior via the @automagik/genie and pgserve packages, stealing credentials and spreading across developer ecosystems while using Internet Computer Protocol (ICP) canisters for command and control. The malware shares technical similarities with prior TeamPCP campaigns, including post-install scripts and canister-based infrastructure, potentially indicating ongoing evolution of the threat actor's tactics or a new campaign leveraging established infrastructure. The Axios npm package compromise via malicious versions 0.27.5 and 0.28.0 delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with attribution disputes suggesting either TeamPCP involvement or North Korean actor UNC1069 (per Google's Threat Intelligence Group). Cisco's internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories including proprietary AI product code and customer data from banks, BPOs, and U.S. government agencies. Multiple AWS keys were abused across a subset of Cisco's cloud accounts, with multiple threat actors participating in the breach.

North Korean APTs Leverage AI to Enhance IT Worker Scams

North Korea's state-linked APTs—particularly Jasper Sleet and Coral Sleet—continue to expand their IT worker scams using AI to fabricate identities, automate social engineering, and deploy malware, while simultaneously diversifying revenue streams to fund weapons programs. OFAC sanctions now confirm the scheme's scale and structure, revealing a multi-tiered network of recruiters, facilitators, IT workers, and collaborators that has infiltrated U.S. and international companies to steal sensitive data and extort victims. The use of AI tools like Faceswap for identity fabrication and Astrill VPN for geographic obfuscation underscores the sophistication of these operations, which are deeply embedded in North Korea's sanctions-evasion and revenue-generation machinery. Initial reporting by Microsoft documented how Jasper Sleet and Coral Sleet leverage AI to research job postings, generate fake resumes, create culturally tailored digital personas, and develop web infrastructure for malicious purposes. These groups use AI coding tools to refine malware and jailbreak LLMs to generate malicious code, complicating detection while enabling long-term persistence as insider threats. The scheme's expansion into malware deployment and extortion activities further increases its impact, with a significant portion of earnings funneled back to North Korea to support its missile programs.

Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

North Korean state-backed hackers from the Lazarus group are targeting U.S. healthcare organizations and entities in the Middle East with Medusa ransomware in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted over 366 organizations since its launch in 2023, with at least four additional healthcare and non-profit organizations in the U.S. targeted since November 2025. This is the first time Lazarus has been linked to Medusa ransomware, though they have been associated with other ransomware strains. The attacks use a toolset that includes both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, which is reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has provided indicators of compromise (IoCs) to help defenders prevent these attacks. The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years. Rim Jong Hyok, an alleged Stonefly member, was indicted by the US Justice Department for ransomware campaigns targeting US hospitals and healthcare providers. The US Justice Department announced a $10m reward for information related to Rim Jong Hyok.