North Korean Hackers Pose as IT Workers to Infiltrate Companies
Key Takeaways North Korean state-sponsored hackers are infiltrating global companies by posing as remote IT workers. This long-running scheme, active since at least 2017, involves using stolen...
Key Takeaways
- North Korean state-sponsored hackers are infiltrating global companies by posing as remote IT workers.
- This long-running scheme, active since at least 2017, involves using stolen identities and fabricated credentials to secure high-paying software development jobs.
- Salaries, potentially up to $300,000 annually per operative, are siphoned back to North Korea, funding the country’s weapons programs.
- These operatives leverage commercial VPNs and residential IP addresses to mask their true location, making them appear as legitimate domestic employees.
- Organizations are advised to enhance vetting processes for remote hires, monitor for suspicious VPN usage, and scrutinize network traffic for known indicators of compromise.
North Korea’s Covert IT Workforce Funds Weapons Programs
North Korea has established an expansive and highly effective cyber fraud operation, deploying state-sponsored operatives disguised as legitimate IT professionals to penetrate companies worldwide. This sophisticated campaign serves as a critical revenue stream, circumventing international sanctions and directly financing Pyongyang’s illicit weapons development programs.
Table Of Content
Recent intelligence indicates that these North Korean threat actors, backed by the Democratic People’s Republic of Korea (DPRK) regime, are securing remote employment with unsuspecting organizations. By presenting themselves as skilled IT workers, they gain access to company networks, systems, and sensitive data, all while earning substantial salaries that are systematically funneled back to their government.
A Multi-Continental Deception
The scheme, which began as early as 2017, has significantly expanded its reach, now targeting a diverse range of industries and larger corporations across multiple continents, with a notable focus on the United States and Europe. The operatives meticulously craft fake resumes, acquire stolen identities, and present fraudulent professional credentials to secure remote software development positions.
During the hiring process, these actors employ clever tactics to avoid detection. For instance, they frequently steer job interviews away from video calls towards phone or text-based communication, often citing technical issues. In some cases, an accomplice may appear on camera to impersonate the applicant, further obscuring the operative’s true identity and location.
The financial gains from this operation are substantial. Individual operatives can command salaries up to $300,000 per year. A significant portion of these earnings, sometimes as much as 90 percent, is repatriated to North Korea, directly supporting the regime’s efforts to develop missiles and weapons of mass destruction.
Unmasking the Infrastructure
Analysts at Team Cymru played a pivotal role in exposing a key component of this elaborate infrastructure. Their investigation was initiated after cryptocurrency security researcher ZachXBT highlighted the domain luckyguys[.]site as being associated with payments linked to DPRK-connected fake IT workers.
At the time of analysis, the luckyguys[.]site domain resolved to the IP address 163.245.219[.]19. By scrutinizing 30 days of network activity tied to this infrastructure, researchers were able to piece together a comprehensive understanding of the operatives’ methods, communication channels, and financial movements, all designed to evade detection by corporate security teams.
The investigation revealed that these workers heavily rely on commercial Virtual Private Networks (VPNs) to obscure their actual geographical locations. Traffic analysis indicated significant usage of Astrill VPN (37.5%), Mullvad (32.25%), and Proton VPN (6.25%). These services enable operatives to route their internet traffic through exit nodes located in countries like the United States, effectively making them appear as legitimate domestic employees.
Further network activity analysis also showed connections to common platforms such as Gmail, ChatGPT, and Workana. Notably, Workana, a popular freelance platform, has emerged as a significant conduit through which these threat actors seek remote employment under false pretenses.
In response to increasing law enforcement pressure, particularly in the United States, these North Korean operations have become more aggressive. Since late 2024, the IT workers have reportedly escalated their tactics to include extortion, stealing sensitive data and source code from their employers before demanding ransom payments.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has already taken action, sanctioning six individuals and two entities in March 2026 for their direct involvement in these schemes. This elaborate operation is also tracked by various threat intelligence teams under aliases such as Coral Sleet, PurpleDelta, and Wagemole.
VPN Abuse and Residential IP Deception
A technically sophisticated element of this scheme involves how operatives meticulously conceal their network presence. Team Cymru’s analysis identified American and Latvian residential IP addresses communicating with the flagged infrastructure during the review period. This strongly suggests the utilization of home-based systems or “laptop farms,” where employer-provided laptops are placed in residences managed by U.S.-based facilitators, further blurring the lines of origin.
The rapid and significant drop in network traffic observed immediately following the public disclosure of the luckyguys[.]site domain confirmed that the operators actively monitor for exposure. This swift abandonment of compromised infrastructure is a well-documented pattern of DPRK cyber activity, demonstrating their agility in cycling through new resources once identified.

What You Should Do
- Strengthen Vetting for Remote Hires: Implement rigorous background checks, verify professional credentials, and conduct thorough identity verification processes for all remote employees, especially those in IT and software development roles. Consider using multi-factor authentication for access to critical systems.
- Monitor VPN Usage: Treat the use of commercial VPN providers, particularly Astrill, Mullvad, and Proton VPN, as a potential risk indicator, especially when associated with remote workers. Implement policies that restrict or tightly control VPN usage for corporate resources.
- Scrutinize Freelance Platforms: Exercise extreme caution when hiring through global freelance platforms like Workana, as these are known vectors for infiltration. Enhance due diligence for candidates sourced from such platforms.
- Network Traffic Analysis: Proactively monitor network traffic for connections to known malicious IP addresses, including 216.158.225[.]144 and 163.245.219[.]19. Flag and investigate any suspicious activity immediately.
- Beware of Residential IP Proxies: Do not automatically trust residential IP addresses. Be vigilant for residential IPs exhibiting proxy-hosting behavior, as they may be part of larger laundering or malicious infrastructure networks.
- Implement Behavioral Analytics: Deploy tools that can detect anomalous user behavior, such as unusual login times, access patterns, or data exfiltration attempts, which might indicate a compromised account or an insider threat.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.