
North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies

4 unique sources, 12 articles

Summary


North Korean state actors have been using fake or stolen identities to secure IT jobs at companies, particularly in the blockchain and technology sectors, stealing virtual currency and funneling money to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, which let fraudsters impersonate employees and gain privileged access to company networks. Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting weaknesses in hiring processes and remote work environments; over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, and security experts warn of significant security risks and financial losses for affected companies.

Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has recently evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies, while Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses a distinct toolset in its malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s.

A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with the threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what the operators believed were real developer laptops but which were actually fully controlled, long-running sandbox environments created by ANY.RUN.

The U.S. Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two individuals and two entities for their role in these schemes, identifying financial transfers worth nearly $600,000 and over $1 million in profits generated since 2021. Japan, South Korea, and the United States are collaborating to combat North Korean IT worker schemes: the three countries held a joint forum on August 26, 2025, in Tokyo to improve collaboration, and both Japan and South Korea issued updated advisories on the threat. The United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of helping the Democratic People's Republic of Korea (DPRK) generate revenue. Recently, five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud; that scheme impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors and is seeking to return the funds to their rightful owners.

North Korean IT recruiters target and lure developers into renting out their identities for illicit fundraising. Famous Chollima, part of North Korea's state-sponsored Lazarus group, uses deepfake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents' operations to secure remote jobs at targeted companies; the compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use the compromised engineers' computers as proxies for malicious activity to hide their location and traces. North Korean recruiters use AI-powered tools such as AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes. The threat actor used Astrill VPN, a service popular among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo. The DPRK IT worker scheme is also tracked as Jasper Sleet, PurpleDelta, and Wagemole. It aims to generate revenue, conduct espionage, and in some cases demand ransoms. DPRK IT workers move cryptocurrency through various money laundering techniques, including chain-hopping and token swapping. Norwegian businesses have been impacted by IT worker schemes, with salaries likely funding North Korea's weapons and nuclear programs.

A campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. The campaign employs EtherHiding, a technique that uses blockchain smart contracts to host and retrieve command-and-control infrastructure. New variants of the Contagious Interview campaign use malicious Microsoft VS Code task files to execute JavaScript malware. The Koalemos RAT campaign uses malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework.

Oleksandr Didenko, a 39-year-old Ukrainian national, was sentenced to five years in prison for providing North Korean IT workers with stolen identities to infiltrate U.S. companies. Didenko pleaded guilty to aggravated identity theft and wire fraud conspiracy in November 2025 and had been arrested in Poland in May 2024. He provided North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms and facilitated the operation of at least eight 'laptop farms' in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine. Christina Marie Chapman, a 50-year-old woman from Arizona, was sentenced to 102 months in prison for running a 'laptop farm' from her home between October 2020 and October 2023.

Timeline

  1. 30.01.2026 17:40 · 2 articles

    Labyrinth Chollima evolves into three distinct hacking groups

    Labyrinth Chollima has evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies. Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses a distinct toolset in its malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. The three groups share tools and infrastructure, indicating centralized coordination and resource allocation within the North Korean cyber ecosystem. Golden Chollima focuses on consistent, smaller-scale cryptocurrency thefts in economically developed regions, whereas Pressure Chollima pursues high-value heists with advanced implants, singling out organizations with significant digital asset holdings. Labyrinth Chollima's operations are motivated by cyber espionage and use tools such as the FudModule rootkit to achieve stealth.
  2. 04.09.2025 04:00 · 3 articles

    Japan, South Korea, and the U.S. Collaborate to Combat North Korean IT Worker Schemes

    The threat actors often conceal their foreign location by using VPNs or remote desktop services. The scheme has expanded its operations to Europe and deepened its networks in the Asia Pacific, with workers claiming residency in Japan, Malaysia, Singapore, and Vietnam. The main goal of these operations is generating revenue for the regime. The scheme poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences. The forum brought together government officials and private-sector experts, including from Google Cloud's Mandiant, to find additional strategies to combat the threat. Five U.S. citizens have pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud.
  3. 28.08.2025 11:53 · 3 articles

    U.S. Treasury Sanctions Key Players in North Korean IT Worker Scheme

    The US Treasury Department sanctioned Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology, and Korea Sinjin Trading Corp for their roles in the IT worker scheme. The two individuals and two companies allegedly acted as fronts for the North Korean government to facilitate the transfer of at least $1.6 million to the regime. The DoJ has also filed two civil complaints to forfeit cryptocurrency valued at more than $15 million seized from APT38 actors.
  4. 21.08.2025 00:39 · 11 articles

    North Korean Actors Steal $900,000 in Virtual Currency Using Fake Employee Scheme

    The US Department of Justice (DoJ) described the five U.S. citizens who pleaded guilty as 'facilitators' who assisted North Korean hackers with obtaining remote IT employment with US companies. The defendants allegedly provided personal, false, or stolen identities and hosted laptops provided by the victim companies at residences across the US to create the false appearance that the IT workers were employed domestically. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors and is seeking to return the funds to their rightful owners.

    North Korean IT recruiters target and lure developers into renting out their identities for illicit fundraising. Famous Chollima, part of North Korea's state-sponsored Lazarus group, uses deepfake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents' operations to secure remote jobs at targeted companies; the compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use the compromised engineers' computers as proxies for malicious activity to hide their location and traces. North Korean recruiters use AI-powered tools such as AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes. The threat actor used Astrill VPN, a service popular among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo.

    A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with the threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what the operators believed were real developer laptops but which were actually fully controlled, long-running sandbox environments created by ANY.RUN. The operation began when NorthScan's Heiner García impersonated a U.S. developer targeted by a Lazarus recruiter using the alias 'Aaron' (also known as 'Blaze'). The scheme involved stealing or borrowing an identity, passing interviews with AI tools and shared answers, working remotely via the victim's laptop, and funneling the salary back to the DPRK. The operators used AI-driven job automation tools, browser-based OTP generators, and Google Remote Desktop, and performed routine system reconnaissance. Connections were consistently routed through Astrill VPN, a pattern tied to previous Lazarus infrastructure. DPRK operatives are now using the real LinkedIn accounts of the individuals they impersonate to apply for remote positions, marking a new escalation of the fraudulent scheme; these profiles often include verified workplace emails and identity badges to appear legitimate.

    The scheme, also tracked as Jasper Sleet, PurpleDelta, and Wagemole, aims to generate revenue, conduct espionage, and in some cases demand ransoms. DPRK IT workers move cryptocurrency through various money laundering techniques, including chain-hopping and token swapping. Norwegian businesses have been impacted by these schemes, with salaries likely funding North Korea's weapons and nuclear programs. A campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. The campaign employs EtherHiding, a technique that uses blockchain smart contracts to host and retrieve command-and-control infrastructure. New variants of the Contagious Interview campaign use malicious Microsoft VS Code task files to execute JavaScript malware. The Koalemos RAT campaign uses malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework.

    Oleksandr Didenko, a 39-year-old Ukrainian national, was sentenced to five years in prison for providing North Korean IT workers with stolen identities to infiltrate U.S. companies. Didenko pleaded guilty to aggravated identity theft and wire fraud conspiracy in November 2025 and had been arrested in Poland in May 2024. He provided North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms and facilitated the operation of at least eight 'laptop farms' in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine. Since the start of 2021 Didenko ran a website named Upworksell[.]com to help overseas IT workers buy or rent stolen or borrowed identities; the site was seized by authorities on May 16, 2024. He paid individuals in the U.S. to receive and host laptops at their residences in Virginia, Tennessee, and California to give the impression that the workers were located in the country, and enabled his North Korean clients to access the U.S. financial system through Money Service Transmitters instead of having to open an account at a bank within the U.S. Didenko's clients were paid hundreds of thousands of dollars for their work. Christina Marie Chapman, a 50-year-old woman from Arizona, was sentenced to 102 months in prison for running a 'laptop farm' from her home between October 2020 and October 2023.


Similar Happenings

Ex-Google Engineer Convicted for Stealing AI Trade Secrets for China

Linwei Ding, a former Google engineer, has been convicted of stealing over 2,000 confidential documents containing AI-related trade secrets to benefit China. The theft occurred between May 2022 and April 2023 and involved sensitive information about Google's supercomputing infrastructure, AI models, and custom hardware. Ding was found guilty on seven counts of economic espionage and seven counts of theft of trade secrets. Additionally, three former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from Google and other tech firms and transferring the information to unauthorized locations, including Iran.

The stolen data included details about Google's Tensor Processing Unit chips, Cluster Management System software, and other proprietary technologies. Ding used deceitful methods to cover up the theft, including transferring data to his personal Google Cloud account and using an accomplice to fake his presence at work. He also applied to a Shanghai-based talent program sponsored by Beijing, aiming to enhance China's AI capabilities. Ding was originally indicted in March 2024 after lying and not cooperating with Google's internal investigation. He was secretly affiliated with two China-based technology companies and negotiated a role as CTO at one of them. Ding founded his own AI company in China (Shanghai Zhisuan Technology Co.) and served as its CEO, intending to benefit entities controlled by the government of China. Ding faces a maximum sentence of 10 years for each theft count and 15 years for each espionage count.

Coupang Data Breach Exposes 33.7 Million Customer Records

Coupang, a South Korean e-commerce platform, confirmed a data breach affecting 33.7 million customers, exposing names, emails, phone numbers, physical addresses, and order information. The breach, which dates back to June 24, 2025, but was not discovered until November 18, 2025, was traced to unauthorized access from overseas. The Seoul Metropolitan Police identified a suspect, a former Coupang employee from China, who has left South Korea. The breach did not expose payment information or login credentials. Coupang has blocked the access route and strengthened internal monitoring. The police are investigating potential vishing or smishing activities related to the breach.

On December 10, 2025, Coupang's CEO, Park Dae-jun, stepped down, taking full responsibility for the data breach and the company's response. Harold Rogers, the current chief administrative officer and general counsel based in Seattle, has been appointed as interim CEO. The Seoul Metropolitan Police raided Coupang's headquarters on December 9, 2025, to search for internal documents and records related to the breach. South Korea's Personal Information Protection Commission (PIPC) ordered Coupang to revise its liability exemption clause for data breaches and simplify its membership cancellation process. The suspect is a 43-year-old Chinese national who joined Coupang in November 2022 and left in 2024. The police are gathering records such as internal documents, logs, system records, IP addresses, user credentials, and access histories. The incident has sparked high-volume phishing activity in South Korea, affecting roughly two-thirds of its population, and the police have received hundreds of reports of Coupang impersonation since the start of the month.

Coupang announced $1.17 billion (1.685 trillion won) in total compensation for the 33.7 million customers affected by the data breach. The compensation will be provided gradually, starting on January 15, 2026, to all Coupang customers, including WOW and non-WOW members as well as those who canceled their membership. Each customer will receive four single-use purchase vouchers totaling 50,000 won (around $34). Coupang contacted the former employee directly earlier this month, met with them, and recovered the hard drives of their desktop computer, which contained the sensitive data. A MacBook Air laptop belonging to the suspect was recovered from a river, where they had disposed of it in an attempt to destroy evidence. The perpetrator accessed 33 million accounts but retained user data from approximately 3,000. The former employee did not transfer any of this data to others and subsequently deleted it from his devices. Investors in Coupang who suffered substantial losses following the cyber-attack are being urged to join plaintiffs in a class action lawsuit led by US-based law firm Hagens Berman. The breach has led to a $1.2bn compensation plan and a loss of over $8bn in market value for Coupang. Hagens Berman is investigating potential security failures by the retailer, including inadequate protocols that allowed a former employee to retain access to sensitive customer information.

Increasing Threat of Insider Cyber Threats Through Fake Worker Schemes

Cybercriminals are increasingly impersonating cybersecurity and IT professionals to gain privileged access within organizations. These threat actors manipulate the hiring process, creating elaborate fake personas with fabricated resumes, convincing online presences, and sophisticated deepfake technology to secure legitimate positions. Their primary goals include data theft, cyber espionage, and financial fraud, with significant consequences for organizations, including reputational damage, financial penalties, and legal repercussions. The rise of remote work has exacerbated this vulnerability, making it harder to verify identities and detect impersonations. Recent incidents, such as North Korean IT worker schemes and deepfake job interview incidents, highlight the real-world impact of these threats. Organizations must implement robust HR practices, advanced technical controls, and continuous security awareness training to mitigate these risks.

Manufacturing Sector Faces Persistent OT Security Challenges

The manufacturing sector continues to grapple with significant operational technology (OT) security challenges, including legacy systems, lack of visibility, and human factors. The industry's focus on IT security often overshadows OT security, despite the growing attack surface and interconnected nature of modern manufacturing environments. Recent incidents, such as the ransomware attack on Asahi, highlight the financial and supply chain risks associated with OT breaches. Experts emphasize the need for better awareness, identity-focused security strategies, and comprehensive governance to improve OT security in manufacturing.

US sanctions North Korean entities and individuals for cybercrime and IT worker fraud

The U.S. Treasury Department has imposed sanctions on ten North Korean individuals and entities involved in laundering $12.7 million in cryptocurrency and in IT worker fraud. The sanctions target Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with their respective executives and financial representatives. The move aims to disrupt North Korea's ability to fund its weapons programs and other illicit activities through cybercrime and financial fraud. The Treasury Department has identified $12.7 million in transactions linked to North Korean financial institutions over the past two years. North Korean IT workers have been using foreign freelance programmers to establish business partnerships and split revenue. The Treasury Department has accused North Korea of leveraging its IT army to gain employment at companies by obscuring its workers' nationality and identities and funneling their income back to the DPRK.