WageMole and DeceptiveDevelopment collaboration expands North Korean remote-work identity fraud
Threat Actor Meta
Summary
A North Korean fraudulent IT-worker network tracked as WageMole is now linked to DeceptiveDevelopment, widening identity-abuse tradecraft and raising the risk of remote-work infiltration at unsuspecting companies. The collaboration uses stolen developer identities harvested from fake recruiter interactions to help workers pose as job seekers. It connects developer-targeted social engineering to a broader ecosystem for placing fraudulent workers into real organizations.
Related Happenings
North Korean remote IT worker scam operation targeting American companies
Campaign
First: 16.04.2026 19:00
Last: 16.04.2026 19:00
Sources 1
About this happening:
A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
UNC1069 open-source maintainer social-engineering campaign
Campaign
First: 04.04.2026 23:30
Last: 04.04.2026 23:30
Sources 1
About this happening:
UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...
Latest development: 06.04.2026 23:55
Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.
North Korean fake-persona remote job infiltration campaign against Western tech companies
Campaign
First: 25.03.2026 17:30
Last: 25.03.2026 17:30
Sources 1
About this happening:
A **North Korean** fake-persona campaign is using **remote job applications** to gain **trusted insider access** at **Western tech companies**, creating theft and espionage risk....
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal Action
First: 18.03.2026 19:26
Last: 18.03.2026 19:26
Sources 1
About this happening:
**OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
Timeline
- 26.09.2025 15:01 · 2 articles · 8mo ago
ESET reports DeceptiveDevelopment collaboration with WageMole
Initial Disclosure
The North Korean threat actor behind DeceptiveDevelopment supplies stolen developer identities to the fraudulent IT worker network tracked as WageMole. It uses fake recruiter profiles and job offers on LinkedIn, Upwork, and Freelancer.com to lure developers associated with cryptocurrency and decentralized finance projects, and the stolen identities support remote-work impersonation at unsuspecting companies.
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01