
North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies

4 unique sources, 13 articles

Summary


North Korean state actors continue to exploit fake employee schemes to infiltrate companies, particularly in blockchain and technology sectors, funneling stolen virtual currency and funds to North Korea's weapons program. The practice has escalated with remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has evolved into three distinct hacking groups: Labyrinth Chollima (cyber espionage targeting industrial, logistics, and defense), Golden Chollima (smaller-scale cryptocurrency theft), and Pressure Chollima (high-value heists). Each group uses distinct toolsets derived from the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. A joint investigation uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division, with researchers capturing live activity of Lazarus operators on sandboxed laptops. The scheme, tracked as Jasper Sleet, PurpleDelta, and Wagemole, involves stealing or borrowing identities, using AI tools for interviews, and funneling salaries to the DPRK. Thousands of North Korean IT workers have infiltrated companies over the past two years, exploiting hiring processes and remote work environments. The U.S. Treasury has sanctioned individuals and entities involved, while Japan, South Korea, and the U.S. collaborate to combat the threat. Five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes, and two additional U.S. nationals, Kejia Wang and Zhenxing Wang, have now been sentenced to prison for operating a 'laptop farm' that facilitated the infiltration of over 100 companies, generating $5 million in illicit revenue and causing $3 million in damages to victim companies.

Timeline

  1. 30.01.2026 17:40 2 articles · 2mo ago

    Labyrinth Chollima evolves into three distinct hacking groups

    Labyrinth Chollima has evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies. Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses distinct toolsets in their malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. The three groups share tools and infrastructure, indicating centralized coordination and resource allocation within the North Korean cyber ecosystem. Golden Chollima focuses on consistent, smaller-scale cryptocurrency thefts in economically developed regions, whereas Pressure Chollima pursues high-value heists with advanced implants to single out organizations with significant digital asset holdings. Labyrinth Chollima's operations are motivated by cyber espionage, using tools like the FudModule rootkit to achieve stealth.

  2. 04.09.2025 04:00 3 articles · 7mo ago

    Japan, South Korea, and the U.S. Collaborate to Combat North Korean IT Worker Schemes

    The threat actors often conceal their foreign location by using VPNs or remote desktop services. The scheme has expanded operations to Europe and deepened networks in the Asia Pacific, with workers claiming residency in Japan, Malaysia, Singapore, and Vietnam. The main goal of these operations is generating revenue for the regime. The scheme poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences. The forum brought together government officials with private-sector experts, including from Google Cloud's Mandiant, to find additional strategies to combat the threat. Five U.S. citizens have pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud.

  3. 28.08.2025 11:53 3 articles · 7mo ago

    U.S. Treasury Sanctions Key Players in North Korean IT Worker Scheme

    The US Treasury Department sanctioned Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology, and Korea Sinjin Trading Corp for their roles in the IT worker scheme. The two individuals and two companies allegedly acted as fronts for the North Korean government to facilitate the transfer of at least $1.6 million to the regime. The DoJ has also filed two civil complaints to forfeit cryptocurrency valued at more than $15 million seized from APT38 actors.

  4. 21.08.2025 00:39 12 articles · 7mo ago

    North Korean Actors Steal $900,000 in Virtual Currency Using Fake Employee Scheme

    The US Department of Justice (DoJ) described the five individuals as 'facilitators' who assisted North Korean hackers with obtaining remote IT employment with US companies. The defendants allegedly provided personal, false or stolen identities and hosted laptops provided by the victim company at residences across the US to create the false appearance that the IT workers were employed domestically. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors, seeking to return the funds to their rightful owners.

    North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima, part of North Korea's state-sponsored Lazarus group, uses deepfake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents' operations to secure remote jobs at targeted companies. Compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use compromised engineers' computers as proxies for malicious activities to hide their location and traces. North Korean recruiters use AI-powered tools like AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes. The threat actor used Astrill VPN, a popular service among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo.

    A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what the operators believed were real developer laptops, which were actually fully controlled, long-running sandbox environments created by ANY.RUN. The operation began when NorthScan's Heiner García impersonated a U.S. developer targeted by a Lazarus recruiter using the alias 'Aaron' (also known as 'Blaze'). The scheme involved stealing or borrowing an identity, passing interviews with AI tools and shared answers, working remotely via the victim's laptop, and funneling salary back to the DPRK. The operators used AI-driven job automation tools, browser-based OTP generators, Google Remote Desktop, and performed routine system reconnaissance. Connections were consistently routed through Astrill VPN, a pattern tied to previous Lazarus infrastructure.

    DPRK operatives are now using real LinkedIn accounts of individuals they are impersonating to apply for remote positions, marking a new escalation of the fraudulent scheme. These profiles often include verified workplace emails and identity badges to appear legitimate. The scheme, also tracked as Jasper Sleet, PurpleDelta, and Wagemole, aims to generate revenue, conduct espionage, and in some cases, demand ransoms. DPRK IT workers transfer cryptocurrency through various money laundering techniques, including chain-hopping and token swapping. Norwegian businesses have been impacted by these schemes, with salaries likely funding North Korea's weapons and nuclear programs.

    A campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. The campaign employs EtherHiding, a technique using blockchain smart contracts to host and retrieve command-and-control infrastructure. New variants of the Contagious Interview campaign use malicious Microsoft VS Code task files to execute JavaScript malware. The Koalemos RAT campaign involves malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework.

    Oleksandr Didenko, a 39-year-old Ukrainian national, was sentenced to five years in prison for providing North Korean IT workers with stolen identities to infiltrate U.S. companies. Didenko pleaded guilty to aggravated identity theft and wire fraud conspiracy in November 2025 and was arrested in Poland in May 2024. Didenko provided North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms. Didenko facilitated the operation of at least eight 'laptop farms' in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine. Didenko ran a website named Upworksell[.]com to help overseas IT workers buy or rent stolen or borrowed identities since the start of 2021. The site was seized by authorities on May 16, 2024. Didenko paid individuals in the U.S. to receive and host laptops at their residences in Virginia, Tennessee, and California to give the impression that the workers were located in the country. Didenko enabled his North Korean clients to access the U.S. financial system through Money Service Transmitters instead of having to open an account at a bank within the U.S. Didenko's clients were paid hundreds of thousands of dollars for their work.

    Christina Marie Chapman, a 50-year-old woman from Arizona, was sentenced to 102 months in prison for running a 'laptop farm' from her home between October 2020 and October 2023.

    Two additional U.S. nationals, Kejia Wang (42) and Zhenxing Wang (39), were sentenced to 108 months and 92 months in prison respectively for operating a 'laptop farm' that facilitated the infiltration of over 100 companies, including Fortune 500 firms, generating over $5 million in illicit revenue for the DPRK and causing an estimated $3 million in damages to victim companies. The scheme involved creating shell companies (e.g., Tony WKJ LLC, Hopana Tech LLC, Independent Lab LLC) and hosting company-issued laptops at U.S. residences to provide North Korean operatives with network access without raising suspicion.


Similar Happenings

Drift Protocol administrative takeover and $285 million loss via Security Council manipulation on Solana

Drift Protocol’s April 1, 2026, $285 million loss was the culmination of a six-month in-person social engineering campaign, where North Korea-linked threat actors (UNC4736, a.k.a. AppleJeus/Labyrinth Chollima) infiltrated the ecosystem by posing as a quantitative trading firm at crypto conferences. The attackers compromised contributors via malicious code repositories (exploiting VSCode/Cursor vulnerabilities) and fraudulent TestFlight wallet applications, enabling them to hijack Security Council multisig controls. Post-takeover, they deployed the CarbonVote Token as collateral, removed withdrawal limits, and drained funds across deposits and trading accounts within minutes. Drift has frozen all protocol functions, flagged attacker wallets globally, and is collaborating with intelligence firms (Elliptic, TRM Labs) and law enforcement to trace and recover stolen assets. On-chain analysis confirms North Korean involvement, aligning with prior state-sponsored campaigns targeting crypto infrastructure.

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines, now expanding to encompass additional open-source ecosystems and attributed to multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) confirming collaboration and horizontal movement across cloud environments. Cisco’s internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories, including proprietary AI product code and data belonging to corporate customers such as banks, BPOs, and US government agencies. Attackers also abused stolen AWS keys across a subset of Cisco’s cloud accounts, with multiple threat actors observed participating in the breach. New developments include the compromise of the Axios NPM package, a top-10 JavaScript library with over 400 million monthly downloads, via malicious versions 0.27.5 and 0.28.0. The attack delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with operational sophistication including pre-staging, platform-specific payloads, and anti-forensic cleanup. Initial attribution suggested TeamPCP involvement, but Google attributed the incident to UNC1069, a suspected North Korean actor linked to Lazarus Group, indicating potential actor diversification or false-flag operations. The Axios compromise highlights escalating tradecraft in open-source supply chain attacks, distinct from opportunistic infections and suggesting a focus on access brokering or targeted espionage rather than indiscriminate data theft.

North Korean APTs Leverage AI to Enhance IT Worker Scams

North Korea's state-linked APTs—particularly Jasper Sleet and Coral Sleet—continue to expand their IT worker scams using AI to fabricate identities, automate social engineering, and deploy malware, while simultaneously diversifying revenue streams to fund weapons programs. OFAC sanctions now confirm the scheme's scale and structure, revealing a multi-tiered network of recruiters, facilitators, IT workers, and collaborators that has infiltrated U.S. and international companies to steal sensitive data and extort victims. The use of AI tools like Faceswap for identity fabrication and Astrill VPN for geographic obfuscation underscores the sophistication of these operations, which are deeply embedded in North Korea's sanctions-evasion and revenue-generation machinery. Initial reporting by Microsoft documented how Jasper Sleet and Coral Sleet leverage AI to research job postings, generate fake resumes, create culturally tailored digital personas, and develop web infrastructure for malicious purposes. These groups use AI coding tools to refine malware and jailbreak LLMs to generate malicious code, complicating detection while enabling long-term persistence as insider threats. The scheme's expansion into malware deployment and extortion activities further increases its impact, with a significant portion of earnings funneled back to North Korea to support its missile programs.

Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

North Korean state-backed hackers from the Lazarus group are targeting U.S. healthcare organizations and entities in the Middle East with Medusa ransomware in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted over 366 organizations since its launch in 2023, with at least four additional healthcare and non-profit organizations in the U.S. targeted since November 2025. This is the first time Lazarus has been linked to Medusa ransomware, though they have been associated with other ransomware strains. The attacks use a toolset that includes both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, which is reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has provided indicators of compromise (IoCs) to help defenders prevent these attacks. The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years. Rim Jong Hyok, an alleged Stonefly member, was indicted by the US Justice Department for ransomware campaigns targeting US hospitals and healthcare providers. The US Justice Department announced a $10m reward for information related to Rim Jong Hyok.

Ex-Google Engineer Convicted for Stealing AI Trade Secrets for China

Linwei Ding, a former Google engineer, has been convicted of stealing over 2,000 confidential documents containing AI-related trade secrets to benefit China. The theft occurred between May 2022 and April 2023, involving sensitive information about Google's supercomputing infrastructure, AI models, and custom hardware. Ding was found guilty on seven counts of economic espionage and seven counts of theft of trade secrets. Additionally, three former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from Google and other tech firms and transferring the information to unauthorized locations, including Iran. The stolen data included details about Google's Tensor Processing Unit chips, Cluster Management System software, and other proprietary technologies. Ding used deceitful methods to cover up the theft, including transferring data to his personal Google Cloud account and using an accomplice to fake his presence at work. He also applied to a Shanghai-based talent program sponsored by Beijing, aiming to enhance China's AI capabilities. Ding was originally indicted in March 2024 after lying and not cooperating with Google's internal investigation. He was secretly affiliated with two China-based technology companies and negotiated a role as CTO at one of them. Ding founded his own AI company in China (Shanghai Zhisuan Technology Co.) and served as its CEO, intending to benefit entities controlled by the government of China. Ding faces a maximum sentence of 10 years for each theft count and 15 years for each espionage count.