Famous Chollima North Korean overseas IT-worker fraud campaign
Campaign
Summary
Hide ▲
Show ▼
The North Korean overseas IT-worker fraud campaign remains active, creating ongoing data-theft and extortion risk for U.S. and international employers. Operators use fraudulent documents, stolen identities, and false personas to secure remote work through platforms including GitHub and WorkSpace.ru. The operation is linked to Famous Chollima and related aliases and is used to support illicit revenue generation for the regime.
Related Happenings
US Scam Center Strike Force indictments and domain seizures against scam centers
Law Enforcement
First: 24.04.2026 19:48
Last: 24.04.2026 19:48
Sources 1
About this happening:
US authorities **indicted** two people and **seized** scam infrastructure in a **financial-fraud** case targeting Southeast Asian scam centers, disrupting operations used to scam...
US Scam Center Strike Force indictments and domain seizures against scam centers
Law EnforcementAbout this happening: US authorities **indicted** two people and **seized** scam infrastructure in a **financial-fraud** case targeting Southeast Asian scam centers, disrupting operations used to scam...
North Korean remote IT worker scam operation targeting American companies
Campaign
First: 16.04.2026 19:00
Last: 16.04.2026 19:00
Sources 1
About this happening:
A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
North Korean remote IT worker scam operation targeting American companies
CampaignAbout this happening: A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
Kejia Wang and Zhenxing Wang sentencing in DPRK IT worker fraud case
Law Enforcement
First: 16.04.2026 11:32
Last: 16.04.2026 11:32
Sources 1
About this happening:
A court sentenced Kejia Wang and Zhenxing Wang to prison for helping run a DPRK-linked remote IT worker fraud scheme. The operation used stolen identities, fake websites, shell co...
Kejia Wang and Zhenxing Wang sentencing in DPRK IT worker fraud case
Law EnforcementAbout this happening: A court sentenced Kejia Wang and Zhenxing Wang to prison for helping run a DPRK-linked remote IT worker fraud scheme. The operation used stolen identities, fake websites, shell co...
Latest development: 16.04.2026 19:00
The US Justice Department announced sentences of 108 months for Kejia Wang and 92 months for Zhenxing Wang for helping run a DPRK remote IT worker scheme that used stolen identities of at least 80 American citizens to deceive more than 100 American companies, generate more than $5m for the Democratic People’s Republic of Korea, and enable access to sensitive data and source code from victim firms; the operation used home addresses to receive laptops and gave overseas IT workers in North Korea remote access.
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal Action
First: 18.03.2026 19:26
Last: 18.03.2026 19:26
Sources 1
How related:
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced a fresh round of sanctions against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime's weapons of mass destruction and ballistic missile programs.
About this happening:
**OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal ActionHow related: The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced a fresh round of sanctions against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime's weapons of mass destruction and ballistic missile programs.
About this happening: **OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
North Korean stolen-identity IT job campaign against U.S. companies
Campaign
First: 20.02.2026 11:00
Last: 20.02.2026 11:00
Sources 1
About this happening:
A **North Korea-linked** IT-worker campaign used **stolen identities** and **proxy accounts** to fraudulently place remote workers at **40 U.S. companies**, creating unauthorized...
North Korean stolen-identity IT job campaign against U.S. companies
CampaignAbout this happening: A **North Korea-linked** IT-worker campaign used **stolen identities** and **proxy accounts** to fraudulently place remote workers at **40 U.S. companies**, creating unauthorized...
Timeline
-
02.12.2025 17:02 1 articles · 5mo ago
Famous Chollima live capture exposes identity takeover toolkit
Technical Analysis UpdateMauro Eldritch, BCA LTD, NorthScan, and ANY.RUN captured Famous Chollima operators from Lazarus Group live inside controlled sandbox environments that mimicked developer laptops. The operators used AI-driven job tools such as Simplify Copilot, AiApply, and Final Round AI, browser-based OTP.ee and Authenticator.cc for 2FA handling, Google Remote Desktop with a fixed PIN for persistent host control, and Astrill VPN routing while asking for ID, SSN, Gmail, LinkedIn, and banking details to support identity theft and workstation takeover.
Show sources
- Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera — thehackernews.com — 02.12.2025 17:02
-
14.11.2025 22:11 3 articles · 6mo ago
DOJ announces guilty pleas in North Korean IT-worker fraud case
Legal Policy Action UpdateThe U.S. Department of Justice announces guilty pleas by five individuals for aiding North Korea's remote IT worker fraud and cryptocurrency theft schemes, including using own, false, or stolen identities to place DPRK agents at American firms and generate more than $2.2 million for the North Korean government.
Show sources
- Five plead guilty to helping North Koreans infiltrate US firms — www.bleepingcomputer.com — 14.11.2025 22:11
- U.S. Treasury Sanctions DPRK IT-Worker Scheme, Exposing $600K Crypto Transfers and $1M+ Profits — thehackernews.com — 28.08.2025 11:53
- U.S. Sanctions 10 North Korean Entities for Laundering $12.7M in Crypto and IT Fraud — thehackernews.com — 05.11.2025 12:55