
North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies

3 unique sources, 6 articles

Summary


North Korean state actors have been using fake or stolen identities to obtain remote IT jobs at companies, particularly in the blockchain and technology sectors, stealing virtual currency and funnelling salaries and proceeds to the DPRK's weapons programme. The rise of remote work and generative AI has made it easier for these operatives to impersonate legitimate applicants and obtain privileged access to corporate networks. Thousands of North Korean IT workers have entered the job market over the past two years, exploiting weaknesses in hiring and remote-onboarding processes; more than 320 cases of operatives posing as remote IT workers had been identified as of August 2025. The U.S. Justice Department has shut down several "laptop farms" (U.S. residences hosting company-issued laptops so that the workers appear to be working domestically), but the problem persists, and security experts warn of significant security risks and financial losses for affected companies.

In August 2025 the U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned two individuals and two entities for their roles in the scheme, accusing them of helping the Democratic People's Republic of Korea (DPRK) generate revenue and identifying nearly $600,000 in financial transfers and more than $1 million in profits generated since 2021. Japan, South Korea and the United States held a joint forum in Tokyo on August 26, 2025 to improve collaboration against the scheme, with Japan and South Korea each issuing updated advisories on the threat. Separately, five U.S. citizens pleaded guilty to facilitating the fraud; that scheme affected more than 136 U.S. victim companies, generated more than $2.2 million for the DPRK regime and compromised the identities of more than 18 U.S. persons. The U.S. government has also seized roughly $15 million in Tether (USDT) traced to APT38 actors and is seeking to return the funds to their rightful owners.

Timeline

  1. 04.09.2025 04:00 · 3 articles

    Japan, South Korea, and the U.S. Collaborate to Combat North Korean IT Worker Schemes

    The operatives conceal their foreign location by working through VPNs or remote desktop services. The scheme has expanded into Europe and deepened its networks in the Asia Pacific, with workers claiming residency in Japan, Malaysia, Singapore and Vietnam. The primary goal is revenue generation for the regime, but the risks to employers range from theft of intellectual property, data and funds to reputational harm and legal consequences. The forum brought together government officials and private-sector experts, including from Google Cloud's Mandiant, to identify additional strategies against the threat. Separately, five U.S. citizens have pleaded guilty to assisting North Korea's illicit revenue generation by enabling IT worker fraud.

  2. 28.08.2025 11:53 · 3 articles

    U.S. Treasury Sanctions Key Players in North Korean IT Worker Scheme

    The US Treasury Department sanctioned Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology, and Korea Sinjin Trading Corp for their roles in the IT worker scheme. The two individuals and two companies allegedly acted as fronts for the North Korean government to facilitate the transfer of at least $1.6 million to the regime. The DoJ has also filed two civil complaints to forfeit cryptocurrency valued at more than $15 million seized from APT38 actors.

  3. 21.08.2025 00:39 · 6 articles

    North Korean Actors Steal $900,000 in Virtual Currency Using Fake Employee Scheme

    The US Department of Justice (DoJ) described the five individuals as 'facilitators' who helped North Korean hackers obtain remote IT employment with US companies. The defendants allegedly supplied their own, false or stolen identities for the job applications and hosted the laptops issued by the victim companies at residences across the US (so-called laptop farms), so that the workers appeared to be working from inside the country while operating the machines remotely. Separately, the US government has seized $15m in Tether (USDT) traced to APT38 actors and is seeking to return the funds to their rightful owners.

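The concealment techniques described in the timeline (commercial VPNs, remote-desktop software, and company laptops hosted at U.S. residences) leave traces in ordinary endpoint telemetry. The following Go program is an added example and not code from any of the sources cited here: it runs three heuristics over constructed JSON-lines check-in records. The record schema, device names and IP addresses are invented for the example, the remote-control process names are real products but listed only for illustration, and the thresholds are assumptions to tune against your own fleet.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Checkin is one endpoint check-in as a device-management or EDR agent might report it.
// The field set is an assumption for this example; map it onto your own telemetry schema.
type Checkin struct {
	Device   string   `json:"device"`    // corporate asset tag
	User     string   `json:"user"`      // account the laptop was issued to
	PublicIP string   `json:"public_ip"` // egress address seen by the management service
	ASNType  string   `json:"asn_type"`  // residential | corporate | vpn | hosting (IP enrichment)
	Procs    []string `json:"procs"`     // running process names
}

// Finding is one triage lead; Key is the shared IP (laptop_farm) or the device (other kinds).
type Finding struct {
	Kind, Key, Detail string
}

// Remote-control products that let someone abroad drive a laptop parked in a U.S. home.
// Real product binaries, listed for illustration only; IT support tooling shows up here too.
var remoteControl = map[string]bool{
	"anydesk.exe": true, "teamviewer.exe": true, "rustdesk.exe": true,
	"remoting_host.exe": true, // Chrome Remote Desktop host
}

// sampleTelemetry is constructed data for this example: three laptops issued to three different
// people check in from one residential address, two of them running remote-control software.
var sampleTelemetry = []string{
	`{"device":"LT-0141","user":"a.nguyen","public_ip":"198.51.100.23","asn_type":"residential","procs":["outlook.exe","code.exe"]}`,
	`{"device":"LT-0182","user":"m.ortiz","public_ip":"198.51.100.23","asn_type":"residential","procs":["slack.exe","anydesk.exe"]}`,
	`{"device":"LT-0207","user":"j.kim","public_ip":"198.51.100.23","asn_type":"residential","procs":["teams.exe","remoting_host.exe"]}`,
	`{"device":"LT-0099","user":"s.patel","public_ip":"203.0.113.8","asn_type":"hosting","procs":["chrome.exe"]}`,
	`{"device":"LT-0401","user":"t.baker","public_ip":"192.0.2.77","asn_type":"corporate","procs":["outlook.exe"]}`,
	`{"device":"LT-0402","user":"c.wu","public_ip":"192.0.2.77","asn_type":"corporate","procs":["outlook.exe"]}`,
	`{"device":"LT-0403","user":"d.ali","public_ip":"192.0.2.77","asn_type":"corporate","procs":["outlook.exe"]}`,
}

// officeEgress lists office NAT addresses, where many devices per IP is normal (assumed value).
var officeEgress = map[string]bool{"192.0.2.77": true}

// Analyze applies three heuristics to JSON-lines check-ins:
//   laptop_farm: at least minDevices devices, issued to as many different users, behind one non-office IP
//   remote_control: a remote-control product running on a laptop that sits on a residential network
//   anonymised_egress: a laptop egressing through a commercial VPN or hosting provider
func Analyze(lines []string, officeIPs map[string]bool, minDevices int) ([]Finding, error) {
	byIP := map[string]map[string]string{} // ip -> device -> issued user
	var findings []Finding
	for n, line := range lines {
		var c Checkin
		if err := json.Unmarshal([]byte(line), &c); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if officeIPs[c.PublicIP] {
			continue // office NAT: many users per address is expected
		}
		if byIP[c.PublicIP] == nil {
			byIP[c.PublicIP] = map[string]string{}
		}
		byIP[c.PublicIP][c.Device] = c.User
		for _, p := range c.Procs {
			if remoteControl[strings.ToLower(p)] && c.ASNType == "residential" {
				findings = append(findings, Finding{"remote_control", c.Device,
					fmt.Sprintf("%s running on %s's laptop at %s", p, c.User, c.PublicIP)})
				break
			}
		}
		if c.ASNType == "vpn" || c.ASNType == "hosting" {
			findings = append(findings, Finding{"anonymised_egress", c.Device,
				fmt.Sprintf("%s egresses via a %s network, %s", c.User, c.ASNType, c.PublicIP)})
		}
	}
	for ip, devices := range byIP {
		users := map[string]bool{}
		for _, u := range devices {
			users[u] = true
		}
		if len(devices) >= minDevices && len(users) >= minDevices {
			findings = append(findings, Finding{"laptop_farm", ip,
				fmt.Sprintf("%d devices issued to %d different users share this address", len(devices), len(users))})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Analyze(sampleTelemetry, officeEgress, 3)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-17s %-14s %s\n", f.Kind, f.Key, f.Detail)
	}
}
```

The office-egress allowlist matters: office NAT addresses legitimately carry many users, which is why 192.0.2.77 produces nothing here. Remote-control software is also common for IT support, so the remote_control signal is a triage lead rather than a verdict; several differently assigned laptops behind one residential address, with remote-control software on them, is the combination worth escalating.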


Similar Happenings

US sanctions North Korean entities and individuals for cybercrime and IT worker fraud

The U.S. Treasury Department has imposed sanctions on ten North Korean individuals and entities involved in laundering $12.7 million in cryptocurrency and IT worker fraud. The sanctions target Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with their respective executives and financial representatives. The move aims to disrupt North Korea's ability to fund its weapons programs and other illicit activities through cybercrime and financial fraud. The Treasury Department has identified $12.7 million in transactions linked to North Korean financial institutions over the past two years. North Korean IT workers have been using foreign freelance programmers to establish business partnerships and split revenue. The Treasury Department has accused North Korea of leveraging its IT army to gain employment at companies by obfuscating their nationality and identities, funneling income back to the DPRK.

North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

North Korean hackers have stolen approximately $2 billion in cryptocurrency in 2025, the highest annual total recorded. This theft is part of a broader campaign to fund nuclear weapons development. The largest single heist was the Bybit hack in February, which accounted for $1.46 billion. The tactics used by these hackers have evolved to include more sophisticated laundering techniques and a shift towards targeting individuals and exchange employees through social engineering. The 2025 total so far is triple last year’s figure and beats 2022’s record of $1.35bn, which came on the back of attacks against Ronin Network and Harmony Bridge. The total amount stolen by North Korean hackers since 2017 exceeds $6 billion. Other notable breaches include LND.fi, WOO X, Seedify, and BitoPro. The Lazarus Group stole an estimated $11 million from BitoPro. The actual stolen amount may be higher due to difficulties in attribution and unreported incidents. Recently, five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. The U.S. authorities seek the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group.

U.S. sanctions cyber scam operations in Southeast Asia

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. The sanctions block these entities from the U.S. financial system, freeze their U.S.-based assets, and limit their access to international financial services. The move aims to disrupt the operations and impose legal and financial consequences on the perpetrators. The cybercriminal syndicates in Southeast Asia net nearly $40 billion annually in illicit profits. The U.S. actions are part of a broader effort to degrade the infrastructure supporting these scams and punish the system enabling their crimes.

Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign

The Lazarus Group, a North Korea-linked threat actor, compromised a decentralized finance (DeFi) organization in 2024 using social engineering on Telegram and fake meeting-scheduling websites to gain a foothold on an employee's system. The attackers then used tooling for discovery, credential harvesting and proxy connections before transitioning to stealthier cross-platform remote access trojans, including PondRAT, ThemeForestRAT and RemotePE; the staged use of several RATs points to a deliberate multi-stage strategy against high-value targets, with employee systems compromised and data potentially exfiltrated. In 2025 the group extended its operations to European defense companies through a coordinated Operation DreamJob campaign that began in late March 2025. Fake recruitment lures delivered trojanized open-source applications, including a trojanized PDF reader, via manipulated GitHub projects, ultimately deploying the ScoringMathTea RAT. Three European firms involved in drone development were targeted; at least two are heavily involved in UAV technology, one making critical drone components and the other building UAV-related software. The timing coincides with North Korean support for Russian operations in Ukraine, suggesting an effort to collect intelligence on Western-made drones and weapon systems deployed there and to refine the DPRK's own designs and processes.

Espionage Campaign Targeting Eastern Asia via Sogou Zhuyin Update Server Hijacking

An abandoned update server for the Sogou Zhuyin input method editor (IME) was hijacked and used to distribute malware in an espionage campaign codenamed TAOTH. The campaign primarily targets users in Eastern Asia, including dissidents, journalists, researchers and technology and business leaders; Taiwan accounts for 49% of targets, followed by Cambodia and the U.S. The attack chain begins with the IME's own update process, which fetches payloads from the hijacked domain and so delivers attacker-controlled code as a routine update. Four malware families were deployed: C6DOOR, GTELAM, DESFY and TOSHIS, providing remote access, information theft and backdoor functionality. The domain was hijacked in October 2024, the malware families were first detected between December 2024 and May 2025, and the campaign was identified in June 2025. The attackers also distributed TOSHIS through phishing websites and fake cloud storage pages. TAOTH shares infrastructure and tooling with threat activity previously documented by ITOCHU, indicating a persistent actor focused on reconnaissance, espionage and email abuse.
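The hijack above worked because the client trusted whatever the update host served. An update client that pins the vendor's signing key rejects a payload from a hijacked domain even when the attacker controls DNS, TLS and the served files. The following Go program is an added example, not Sogou's or any vendor's code: a manifest (its format is assumed for the example) is signed with Ed25519, and the client verifies the manifest against a pinned public key and the payload against the manifest's digest. Constructed byte strings stand in for the real installer, and the URLs are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the update server hands out: what to download and what it must hash to.
// The format is an assumption for this example.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`    // where the payload is fetched from; never a source of trust
	SHA256  string `json:"sha256"` // hex digest the payload must match
}

// SignedManifest is the manifest's exact bytes plus the vendor's Ed25519 signature over them.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned vendor key")
	ErrBadDigest    = errors.New("payload digest does not match signed manifest")
)

// SignManifest runs on the vendor's build system, with a key that never lives on the update server.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyUpdate is the client side. Trust comes only from the public key compiled into the client;
// the serving host and the manifest's URL are never consulted, so owning the domain is not enough.
func VerifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, payload []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrBadDigest
	}
	return m, nil
}

func manifestFor(version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Version: version, URL: "https://update.example.test/" + version, SHA256: hex.EncodeToString(sum[:])}
}

// Outcome records how the client treats three deliveries in the scenario below.
type Outcome struct {
	GenuineOK bool  // vendor-signed manifest with matching payload
	Hijacked  error // manifest signed by the domain's new owner with their own key
	Swapped   error // vendor's genuine manifest replayed, but a different file behind the URL
}

// Scenario: the vendor signs release 2.1; later the update domain lapses and its new owner
// tries two ways of pushing a trojanised build through the same update path.
func Scenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	payload := []byte("genuine installer bytes") // constructed stand-in for the real installer
	sm, err := SignManifest(vendorPriv, manifestFor("2.1", payload))
	if err != nil {
		return Outcome{}, err
	}
	var out Outcome
	_, e := VerifyUpdate(vendorPub, sm, payload)
	out.GenuineOK = e == nil

	_, hijackPriv, err := ed25519.GenerateKey(rand.Reader) // the hijacker's own key
	if err != nil {
		return Outcome{}, err
	}
	evil := []byte("trojanised installer bytes") // constructed stand-in
	esm, err := SignManifest(hijackPriv, manifestFor("2.2", evil))
	if err != nil {
		return Outcome{}, err
	}
	_, out.Hijacked = VerifyUpdate(vendorPub, esm, evil)
	_, out.Swapped = VerifyUpdate(vendorPub, sm, evil)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("genuine update accepted:", out.GenuineOK)
	fmt.Println("hijacked-domain update:", out.Hijacked)
	fmt.Println("genuine manifest, swapped payload:", out.Swapped)
}
```

A production updater additionally rejects versions older than the one installed (so an attacker cannot replay an old, genuinely signed but vulnerable release), fetches over TLS, and keeps the signing key offline so that a compromised server cannot sign. None of that helps if the client will accept any key the server presents, which is why the pinned key is the part that defeats a domain takeover.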