Find notable cyber news and cases, enriched with sources, timelines, and signals.

North Korean remote IT worker infiltration trend across companies

Trend
First reported
Last updated
Happening score
H score 34
4 unique sources, 5 articles

Summary

Hide ▲

North Korean remote IT worker infiltration continues to expand as Famous Chollima (WageMole) uses stolen identities, deep fake videos, GitHub spam, and remote-access tooling to help operatives pose as legitimate developers and win jobs at Fortune 500 companies. The latest reporting shows recruiters luring engineers into renting their identities, asking for 24/7 remote access via AnyDesk, using Astrill VPN, and relying on AI-enabled helpers such as AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to push applications and interviews forward. The operation matters because it turns identity theft and social engineering into a repeatable hiring pipeline that can fund regime activity and expose companies to infiltration. A new Nisos case adds an internal view of the same pattern after a supposed Florida-based AI architect applied in June 2025 and was exposed as part of an active fraud cell. The investigation found Canary tokens linking the operative to Astrill VPN, a delivery address tied to a stolen identity, and a hidden laptop farm with PiKVM hardware, Tailscale mesh VPN, roughly 40 devices, and about 20 actively in use.

Related Happenings

North Korean remote IT worker scam operation targeting American companies

Campaign
H score41 First: 16.04.2026 19:00 Last: 16.04.2026 19:00 Sources 1

About this happening: A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...

Masjesu IoT DDoS botnet activity

Malware Activity
H score31 First: 08.04.2026 14:49 Last: 08.04.2026 14:49 Sources 1

About this happening: The **Masjesu** botnet is actively infecting **IoT devices** and using them for **DDoS attacks**, creating a distributed attack platform that can generate large traffic floods. It...

DPRK-linked cryptoasset theft campaign continuing into 2026

Campaign
H score35 First: 03.04.2026 11:35 Last: 03.04.2026 11:35 Sources 1

About this happening: The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...

North Korean fake-persona remote job infiltration campaign against Western tech companies

Campaign
H score34 First: 25.03.2026 17:30 Last: 25.03.2026 17:30 Sources 1

About this happening: A **North Korean** fake-persona campaign is using **remote job applications** to gain **trusted insider access** at **Western tech companies**, creating theft and espionage risk....

Contagious Interview cryptocurrency social-engineering and malware-delivery campaign

Campaign
H score37 First: 23.03.2026 20:09 Last: 23.03.2026 20:09 Sources 1

About this happening: A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...

Timeline

  1. 20.08.2025 12:18 5 articles · 10mo ago

    North Korean remote IT workers infiltrate companies at scale

    Campaign Scope Update

    CrowdStrike said North Koreans posing as remote IT workers infiltrated companies in more than 320 incidents over the past 12 months, a 220% increase from the prior year. The scheme uses GenAI to create attractive résumés, real-time deepfake interviews, AI code tools, and laptop farms to support illicit employment and revenue generation.

    Show sources