North Korean remote IT worker infiltration trend across companies
Trend
Summary
Hide ▲
Show ▼
North Korean remote IT worker infiltration continues to expand as Famous Chollima (WageMole) uses stolen identities, deep fake videos, GitHub spam, and remote-access tooling to help operatives pose as legitimate developers and win jobs at Fortune 500 companies. The latest reporting shows recruiters luring engineers into renting their identities, asking for 24/7 remote access via AnyDesk, using Astrill VPN, and relying on AI-enabled helpers such as AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to push applications and interviews forward. The operation matters because it turns identity theft and social engineering into a repeatable hiring pipeline that can fund regime activity and expose companies to infiltration. A new Nisos case adds an internal view of the same pattern after a supposed Florida-based AI architect applied in June 2025 and was exposed as part of an active fraud cell. The investigation found Canary tokens linking the operative to Astrill VPN, a delivery address tied to a stolen identity, and a hidden laptop farm with PiKVM hardware, Tailscale mesh VPN, roughly 40 devices, and about 20 actively in use.
Related Happenings
North Korean remote IT worker scam operation targeting American companies
Campaign
H score41
First: 16.04.2026 19:00
Last: 16.04.2026 19:00
Sources 1
About this happening:
A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
North Korean remote IT worker scam operation targeting American companies
CampaignAbout this happening: A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
Masjesu IoT DDoS botnet activity
Malware Activity
H score31
First: 08.04.2026 14:49
Last: 08.04.2026 14:49
Sources 1
About this happening:
The **Masjesu** botnet is actively infecting **IoT devices** and using them for **DDoS attacks**, creating a distributed attack platform that can generate large traffic floods. It...
Masjesu IoT DDoS botnet activity
Malware ActivityAbout this happening: The **Masjesu** botnet is actively infecting **IoT devices** and using them for **DDoS attacks**, creating a distributed attack platform that can generate large traffic floods. It...
DPRK-linked cryptoasset theft campaign continuing into 2026
Campaign
H score35
First: 03.04.2026 11:35
Last: 03.04.2026 11:35
Sources 1
About this happening:
The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
DPRK-linked cryptoasset theft campaign continuing into 2026
CampaignAbout this happening: The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
North Korean fake-persona remote job infiltration campaign against Western tech companies
Campaign
H score34
First: 25.03.2026 17:30
Last: 25.03.2026 17:30
Sources 1
About this happening:
A **North Korean** fake-persona campaign is using **remote job applications** to gain **trusted insider access** at **Western tech companies**, creating theft and espionage risk....
North Korean fake-persona remote job infiltration campaign against Western tech companies
CampaignAbout this happening: A **North Korean** fake-persona campaign is using **remote job applications** to gain **trusted insider access** at **Western tech companies**, creating theft and espionage risk....
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
H score37
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
CampaignAbout this happening: A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
Timeline
-
20.08.2025 12:18 5 articles · 10mo ago
North Korean remote IT workers infiltrate companies at scale
Campaign Scope UpdateCrowdStrike said North Koreans posing as remote IT workers infiltrated companies in more than 320 incidents over the past 12 months, a 220% increase from the prior year. The scheme uses GenAI to create attractive résumés, real-time deepfake interviews, AI code tools, and laptop farms to support illicit employment and revenue generation.
Show sources
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms — thehackernews.com — 20.08.2025 12:18
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korea lures engineers to rent identities in fake IT worker scheme — www.bleepingcomputer.com — 02.12.2025 16:57
- North Korean Hiring Fraud Runs on AI and US Laptop Farms — www.infosecurity-magazine.com — 17.06.2026 18:00