North Korean remote IT worker infiltration trend across companies
Target Trend
Summary
North Korean remote IT worker infiltration continues to expand as Famous Chollima (WageMole) uses stolen identities, deepfake videos, GitHub spam, and remote-access tooling to help operatives pose as legitimate developers and win jobs at Fortune 500 companies. The latest reporting shows recruiters luring engineers into renting their identities, asking for 24/7 remote access via AnyDesk, using Astrill VPN, and relying on AI-enabled helpers such as AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to push applications and interviews forward. The operation matters because it turns identity theft and social engineering into a repeatable hiring pipeline that can fund regime activity and expose companies to infiltration.
Related Happenings
North Korean remote IT worker scam operation targeting American companies
Campaign
First: 16.04.2026 19:00
Last: 16.04.2026 19:00
Sources 1
About this happening:
A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
Masjesu IoT DDoS botnet activity
Malware Activity
First: 08.04.2026 14:49
Last: 08.04.2026 14:49
Sources 1
About this happening:
The **Masjesu** botnet is actively infecting **IoT devices** and using them for **DDoS attacks**, creating a distributed attack platform that can generate large traffic floods. It...
DPRK-linked cryptoasset theft campaign continuing into 2026
Campaign
First: 03.04.2026 11:35
Last: 03.04.2026 11:35
Sources 1
About this happening:
The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal Action
First: 18.03.2026 19:26
Last: 18.03.2026 19:26
Sources 1
About this happening:
**OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
Timeline
20.08.2025 12:18 4 articles · 9mo ago
North Korean remote IT workers infiltrate companies at scale
Campaign Scope Update
CrowdStrike said North Koreans posing as remote IT workers infiltrated companies in more than 320 incidents over the past 12 months, a 220% increase from the prior year. The scheme uses GenAI to create attractive résumés, real-time deepfake interviews, AI code tools, and laptop farms to support illicit employment and revenue generation.
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms — thehackernews.com — 20.08.2025 12:18
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korea lures engineers to rent identities in fake IT worker scheme — www.bleepingcomputer.com — 02.12.2025 16:57