North Korean Operatives Posing as Remote IT Workers to Infiltrate Global Firms, Engage in Extortion and Data Theft

North Korean Operatives Exploit Fake IT Worker Scheme to Infiltrate Global Companies

In a sophisticated and ongoing cyber operation, North Korean state-sponsored actors have been impersonating legitimate remote IT workers to infiltrate companies worldwide. This scheme, active since at least 2017, involves operatives using stolen identities, fabricated resumes, and counterfeit professional credentials to secure remote software development positions, particularly targeting firms in the United States and Europe. The salaries earned, which can reach up to $300,000 per year per operative, are funneled back to North Korea, with the regime reportedly retaining up to 90% of these earnings to support its missile and weapons programs.

Modus Operandi

The operatives meticulously construct false identities, often utilizing stolen personal information from real individuals. They create new email accounts and build convincing online profiles to appear legitimate. During job interviews, these individuals frequently redirect conversations from video calls to phone or text-based formats, citing technical difficulties, while an accomplice appears on camera. This tactic helps them avoid detection and successfully secure employment under false pretenses.

Technical Evasion Tactics

To mask their true locations and evade detection, these operatives heavily rely on Virtual Private Networks (VPNs). Analysis has shown significant use of services like Astrill VPN (37.5%), Mullvad (32.25%), and Proton VPN (6.25%). By tunneling their traffic through exit nodes in the United States, they appear as ordinary domestic employees. Additionally, network activity has revealed connections to platforms such as Gmail, ChatGPT, and Workana, a freelance platform that has become a notable channel through which these threat actors seek remote jobs under false identities.

Escalation to Extortion

Since late 2024, there has been an escalation in the tactics employed by these North Korean IT workers. They have begun stealing sensitive data and source code from their employers and subsequently demanding ransom payments. This shift from mere infiltration to active extortion poses a significant threat to the affected organizations, potentially leading to financial losses and reputational damage.

Detection and Response

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) responded by sanctioning six individuals and two entities in March 2026 for their direct involvement in these schemes. Different threat intelligence teams track this activity under various names, including Coral Sleet, PurpleDelta, and Wagemole.

Recommendations for Organizations

To mitigate the risks associated with this threat, organizations are advised to implement thorough pre-employment Open-Source Intelligence (OSINT) checks for all remote candidates. This includes verifying phone numbers and IP addresses during the application process, asking targeted questions during interviews that cannot be answered with scripted or AI-generated responses, requiring live screen sharing of verifiable past work, and monitoring for newly created professional profiles with few connections.
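The VPN-exit observation above and the recommendation to verify IP addresses can be turned into a defender-side screening check. The following is an added example, not code from the original article: it matches login source IPs against a constructed VPN_PREFIXES table (RFC 5737 documentation ranges standing in for the named providers) and flags workers whose sessions mostly arrive through a commercial VPN exit, or whose geolocated country contradicts the HR record; SAMPLE_EVENTS is constructed sample telemetry.

```python
import ipaddress
from collections import Counter

# Constructed placeholder prefixes for the providers named in the report; a real list comes from a threat-intel feed.
VPN_PREFIXES = {"203.0.113.0/24": "Astrill VPN",
                "198.51.100.0/25": "Mullvad",
                "192.0.2.0/26": "Proton VPN"}
_NETS = [(ipaddress.ip_network(p), name) for p, name in VPN_PREFIXES.items()]

def vpn_provider(ip):
    """Return the provider whose prefix contains ip, or None if it is not a known VPN exit."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in _NETS if addr in net), None)

def assess_logins(events, min_vpn_ratio=0.5):
    """Per-worker review flags from (worker, src_ip, geo_country, hr_country) events:
    flag when at least min_vpn_ratio of sessions arrive via a known VPN exit, and
    whenever a session's geolocated country disagrees with the HR record."""
    per_worker = {}
    for worker, ip, geo_country, hr_country in events:
        s = per_worker.setdefault(worker, {"total": 0, "vpn": Counter(), "geo_mismatch": 0})
        s["total"] += 1
        provider = vpn_provider(ip)
        if provider:
            s["vpn"][provider] += 1
        if geo_country != hr_country:
            s["geo_mismatch"] += 1
    report = {}
    for worker, s in per_worker.items():
        flags = []
        if sum(s["vpn"].values()) / s["total"] >= min_vpn_ratio:
            flags.append("vpn_exit:" + ",".join(sorted(s["vpn"])))
        if s["geo_mismatch"]:
            flags.append("geo_mismatch:%d" % s["geo_mismatch"])
        report[worker] = flags
    return report

# Constructed sample events: (worker, source IP, geolocated country, country on HR record).
SAMPLE_EVENTS = [
    ("dev-a", "203.0.113.10", "US", "US"),   # Astrill exit in the US, appears domestic
    ("dev-a", "203.0.113.11", "US", "US"),
    ("dev-a", "198.51.100.5", "US", "US"),   # Mullvad exit
    ("dev-a", "10.20.30.40", "US", "US"),    # one session off VPN
    ("dev-b", "10.0.0.7", "US", "US"),
    ("dev-b", "10.0.0.8", "DE", "US"),       # geolocation contradicts HR record
    ("dev-c", "10.1.1.1", "US", "US"),       # nothing unusual
]
if __name__ == "__main__":
    for worker, flags in assess_logins(SAMPLE_EVENTS).items():
        print(worker, flags or ["clear"])
```

Flagged workers are candidates for the live-interview and screen-sharing checks described above, not automatic verdicts, since many legitimate remote staff also use VPNs.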

By adopting these measures, companies can enhance their defenses against such sophisticated infiltration attempts and protect their sensitive data and intellectual property from being compromised.