North Korean Hackers For Hire

Uploaded on 2025-04-14 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-North Korea, FREE TO VIEW

Hackers operating under the direction of the North Korean government are working on a new form of subversion. By pretending to be legitimate remote workers to get jobs in Western companies, they aim to carry out financial fraud and IP theft, to generate revenue for the President Kim's regime.

According to the FBI, North Korean IT workers are extorting US companies which have hired them, by exploiting access privileges to steal source code.

A new report from Google’s Threat Intelligence Group (GTIG), explores how these these covert activities have grown significantly, extending beyond the US to the EU.

Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail. In this exploit, North Korean operatives create fake identities and pose as job seekers to secure remote work usually in the tech and programming sectors. The money they make is sent back to the North Korean government to support its activities

Subject matter expert, Craig Watt, Threat Intelligence Consultant at Quorum Cyber, comments that "North Korean IT workers are likely tasked with obtaining remote IT jobs, with their salary then funnelled back to Pyongyang. This almost certainly carries the objective of countering UN sanctions with the North Korea demonstrating no intention of negotiating away its strategic weapons programs, which is perceived as a guarantor of regime security and national pride"

Indeed, US government authorities have continued to highlight this criminal activity, with the Department of Justice recently indicting five individuals involved in the operation. These individuals were found to have fraudulently obtained work with at least 64 US firms.

Despite increasing awareness and legal actions, such as the indictment, this scheme continues to thrive. The GTIG report confirms that these North Korean IT workers are usually aiming at organisations in both the US and Europe. “The IT Worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors. This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility...

“Separately, additional investigations uncovered other IT worker personas seeking employment in Germany and Portugal, alongside login credentials for user accounts of European job websites and human capital management platforms,” says the Report.

This expansion is a response to mounting challenges faced by covert North Korean operatives in getting jobs in the US. Along with the geographic expansion, N. Korean IT workers are evolving their tactics. The Report highlights an increase in extortion campaigns and a shift towards conducting operations within corporate virtualised infrastructures, which allows for greater anonymity and control.

Some workers have even been detected managing multiple personas across both Europe and the US, targeting sensitive sectors such as defence and government organisations. For companies that unknowingly hire these workers, the risks are significant, including potential espionage, data theft, and operational disruption.

The Google report emphasises the growing complexity of these schemes, with facilitators located in multiple countries helping to circumvent identity verification and facilitate the movement of corporate assets across borders.

US Dept. of Justice | eSentire

Image: Ideogram

You Might Also Read:

US Nationals Indicted For Fraudulent Remote IT Work:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.