Fraudulent North Korean IT Workers

North Korean IT workers, posing as US citizens, gained employment at over 300 US companies. A US woman helped North Koreans steal the identities of 70 Americans. These fraudulent workers operated remotely from China and Russia. The scheme brought $17M to the government of North Korea, and the workers had ties to North Korean weapons programs.

This campaign is more prevalent than previously believed.[^1] Most Fortune 500 companies have received job applications and hired North Korean nationals.[^1] These operatives typically hold multiple jobs.[^1] These insider threats could disrupt infrastructure and leak data.[^1] Some of these operatives have IP addresses that are linked to North Korea’s Intelligence bureau.[^1]

This poses a long-term cybersecurity risk.[^1] You can detect North Korean IT workers by asking them the question “How fat is Kim Jong Un?” They have crafted LinkedIn profiles with Polish names and run laptop farms. These workers leave behind malware.[^1] They do work such as IT support, software engineering and other legitimate jobs.[^2] These types of fraudulent attacks are not possible without a very capable social engineering skillset.[^2]

These actors use laptop farms to help foreign workers impersonate US citizens.[^3] The threat actors use standard tools such as Zoom and ordinary network protocols to avoid detection.[^3] They have also used corporate VPNs to establish a multi-layered covert control channel for lateral movement, malicious code execution, and data exfiltration.[^3] These attacks exploit trust rather than any technical flaw.[^2] The funds were laundered using chain-hopping, token-swapping, and buying NFTs.[^3]

ChatGPT was likely used to develop fraudulent materials for deceptive employment campaigns.[^4] Credible US-based personas with fabricated employment histories were generated.[^4] North Americans were recruited to run laptops on behalf of the fraudulent IT workers, while operators in Africa posed as job applicants.[^4] Core operators automated resume creation based on specific skill templates, job descriptions, and personal profiles.[^4] The laptops delivered to US individuals would be accessed by the core threat actors, or by contractors working on their behalf.[^4] The threat actors used Tailscale VPN, OBS Studio, vdo.ninja, and HDMI capture loops as part of their operations.[^4]
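The two paragraphs above describe the laptop-farm pattern from the defender's side: a corporate laptop shipped to a US address, remote-controlled over a tool like Tailscale, with OBS Studio or vdo.ninja relaying the screen, and the same residential connection often hosting laptops for several "employees". The script below is an added example (not code from the note or from any cited source) showing how those signals can be correlated. The inventory and login records are constructed, and their field layout is an assumption; in practice they would come from an EDR or asset inventory and from VPN/SSO logs. HDMI capture loops are hardware and leave no software trace, so this heuristic only covers the software-side indicators.

```python
"""Correlate weak 'laptop farm' indicators into a per-device score.

Added example; inventory and login records below are constructed.
"""
from collections import defaultdict

# Tools the note lists as part of the remote-control setup. Any one of them
# is common on legitimate machines; two together on one corporate laptop is
# the signal worth a look.
REMOTE_CONTROL_TOOLS = {"tailscale", "obs", "vdo.ninja"}

# Constructed asset inventory: device -> installed software (lowercase names).
INVENTORY = {
    "lt-0413": {"chrome", "slack", "zoom", "tailscale", "obs"},
    "lt-0419": {"chrome", "zoom", "vscode"},
    "lt-0422": {"chrome", "zoom", "tailscale", "vdo.ninja"},
    "lt-0507": {"chrome", "slack", "zoom"},
}

# Constructed VPN/SSO login events: (user, device, source public IP).
# 203.0.113.7 is a documentation-range address standing in for a home line.
LOGINS = [
    ("a.smith", "lt-0413", "203.0.113.7"),
    ("b.jones", "lt-0419", "203.0.113.7"),
    ("c.wang", "lt-0422", "203.0.113.7"),
    ("d.patel", "lt-0507", "198.51.100.22"),
    ("a.smith", "lt-0413", "203.0.113.7"),
]


def tooling_hits(inventory, watchlist=REMOTE_CONTROL_TOOLS):
    """Devices carrying two or more watchlisted tools together."""
    return {
        dev: sorted(sw & watchlist)
        for dev, sw in inventory.items()
        if len(sw & watchlist) >= 2
    }


def shared_egress(logins, min_devices=3):
    """Public IPs from which at least min_devices distinct corporate devices,
    each tied to a different user, authenticate. One home connection serving
    several 'employees' on several laptops is the laptop-farm pattern."""
    by_ip = defaultdict(set)
    for user, dev, ip in logins:
        by_ip[ip].add((user, dev))
    return {
        ip: sorted(pairs)
        for ip, pairs in by_ip.items()
        if len({d for _, d in pairs}) >= min_devices
        and len({u for u, _ in pairs}) >= min_devices
    }


def score_devices(inventory, logins):
    """Combine both indicators; returns {device: (score, [reasons])}."""
    hits = tooling_hits(inventory)
    farms = shared_egress(logins)
    farm_devices = {d for pairs in farms.values() for _, d in pairs}
    scored = {}
    for dev in inventory:
        reasons = []
        if dev in hits:
            reasons.append("remote-control tooling: " + ", ".join(hits[dev]))
        if dev in farm_devices:
            reasons.append("shares egress IP with other corporate devices")
        if reasons:
            scored[dev] = (len(reasons), reasons)
    return scored


if __name__ == "__main__":
    for dev, (score, why) in sorted(score_devices(INVENTORY, LOGINS).items()):
        print(f"{dev} score={score}: {'; '.join(why)}")
```

A score of 2 (tooling plus shared egress) is the case to escalate; a score of 1 from shared egress alone also covers a family with several legitimate remote workers, so it is a triage hint rather than a verdict.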

Backlinks

[[Africa]]
[[HDMI]]
[[Insider Threats]]
IP Addresses
[[LLMs]]
[[North Korea Cyberattacks]]
[[OBS Studio]]
[[Social Engineering]]
[[Tailscale VPN]]
[[vdo.ninja]]
VPN

Sources

[1] CyberwireDaily
[2] microsoft_ThreatIntelPodcast
[3] CyberwireDaily
[4] “Disrupting Malicious uses of AI: June 2025,” OpenAI, Jun. 2025. [Online]. Available: https://cdn.openai.com/threat-intelligence-reports/5f73af09-a3a3-4a55-992e-069237681620/disrupting-malicious-uses-of-ai-june-2025.pdf