North Korean Hackers For Hire

Uploaded on 2025-04-14 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-North Korea, FREE TO VIEW

Hackers operating under the direction of the North Korean government are working on a new form of subversion. By pretending to be legitimate remote workers to get jobs in Western companies, they aim to carry out financial fraud and IP theft, to generate revenue for the  President Kim's regime. 

According to the  FBI, North Korean IT workers are extorting US companies which have hired them, by exploiting  access privileges to steal source code.

A new report from Google’s Threat Intelligence Group (GTIG), explores how these these covert activities have grown significantly, extending beyond the US to the EU.

Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail.  In this exploit, North Korean operatives create fake identities and pose as job seekers to secure remote work usually in the tech and programming sectors. The money they make is sent back to the North Korean government to support its activities

Subject matter expert, Craig WattThreat Intelligence Consultant at Quorum Cyber, comments that "North Korean IT workers are likely tasked with obtaining remote IT jobs, with their salary then funnelled back to Pyongyang. This almost certainly carries the objective of countering UN sanctions with the North Korea demonstrating no intention of negotiating away its strategic weapons programs, which is perceived as a guarantor of regime security and national pride"

Indeed, US government authorities have continued to highlight this criminal activity, with the Department of Justice recently indicting five individuals involved in the operation. These individuals were found to have fraudulently obtained work with at least 64 US firms.

Despite increasing awareness and legal actions, such as the indictment, this scheme continues to thrive. The GTIG report confirms that these North Korean IT workers are usually aiming at organisations in both the US and Europe. “The IT Worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors. This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility...

“Separately, additional investigations uncovered other IT worker personas seeking employment in Germany and Portugal, alongside login credentials for user accounts of European job websites and human capital management platforms,” says the Report.

This expansion is a response to mounting challenges faced by covert North Korean operatives in getting jobs in the US. Along with the geographic expansion, N. Korean IT workers are evolving their tactics. The Report highlights an increase in extortion campaigns and a shift towards conducting operations within corporate virtualised infrastructures, which allows for greater anonymity and control. 

Some workers have even been detected managing multiple personas across both Europe and the US, targeting sensitive sectors such as defence and government organisations. For companies that unknowingly hire these workers, the risks are significant, including potential espionage, data theft, and operational disruption. 

The Google report emphasises the growing complexity of these schemes, with facilitators located in multiple countries helping to circumvent identity verification and facilitate the movement of corporate assets across borders.

Google   |   Google    |   TechRadar   |   WeLiveSecurity    |   I-HLS   |   Hacker News   |    Cybersecoop   | 

US Dept. of Justice   |   eSentire

Image: Ideogram

You Might Also Read:

US Nationals Indicted For Fraudulent Remote IT Work:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Do You Need Security That Starts With “Prove It”?
How Companies Can Manage Third-Party Vendor Risk »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

SecuDrive

SecuDrive

SecuDrive, provides hardware encrypted external storage devices to protect a company’s sensitive and important data.

StackRox

StackRox

StackRox delivers a container-native security platform that adapts detection and response to new threats.

Fair Isaac Corporation (FICO)

Fair Isaac Corporation (FICO)

FICO provides analytics software and tools used across multiple industries to manage risk, fight fraud, optimize operations and meet strict government regulations.

Antiy Labs

Antiy Labs

Antiy Labs is a vender of antivirus engine and solution, providing the best-in-breed antivirus engine and next generation antivirus services for confronting PC malware and mobile malware.

WISeKey

WISeKey

WISeKey is a leading cybersecurity company currently deploying large scale digital identity ecosystems for people and objects using Blockchain, AI and IoT.

Cybersecurity Professionals

Cybersecurity Professionals

Search vacancies from top cyber security jobs worldwide on CyberSecurity Professionals. View IT security jobs or upload your CV to be seen by recruiters from industry leading firms.

Computer Network Defence (CND)

Computer Network Defence (CND)

Computer Network Defence (CND) are a Broad-Spectrum Cyber Security Consultancy and Recruitment Agency.

Scout Ventures

Scout Ventures

Scout Ventures is an early stage venture capital firm that is making the world a better, safer place by cultivating standout frontier technologies.

ActZero

ActZero

ActZero’s security platform leverages proprietary AI-based systems and full-stack visibility to detect, analyze, contain, and disrupt threats.

Bitbone

Bitbone

Bitbone develop IT infrastructure and IT security solutions that create long-term value.

Sentrium Security

Sentrium Security

Sentrium is committed to helping organisations protect their technology, information and people. Our range of bespoke services provide solutions to tackle a broad range of cyber security challenges.

Infiot

Infiot

Infiot is a pioneer in enabling secure, reliable access with zero trust security, network optimization, edge-intelligence and AI driven operations for all remote users, devices, sites and cloud.

Mailinblack

Mailinblack

Mailinblack protects your organisation against email threats with an innovative solution that meets your security requirements.

Primus Institute of Technology

Primus Institute of Technology

At Primus Institute of Technology our mission is to inspire, support, and empower current and aspiring IT professionals through training and career development workshops.

Kolide

Kolide

Kolide ensures that if a device isn't secure, it can't access your apps.

Continent 8 Technologies

Continent 8 Technologies

Continent 8 Technologies is the leading provider of managed hosting, connectivity, cloud and cybersecurity solutions to the global online gambling industry.