North Korean Hackers For Hire

Hackers operating under the direction of the North Korean government are working on a new form of subversion. By pretending to be legitimate remote workers to get jobs in Western companies, they aim to carry out financial fraud and IP theft, to generate revenue for the  President Kim's regime. 

According to the  FBI, North Korean IT workers are extorting US companies which have hired them, by exploiting  access privileges to steal source code.

A new report from Google’s Threat Intelligence Group (GTIG), explores how these these covert activities have grown significantly, extending beyond the US to the EU.

Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail.  In this exploit, North Korean operatives create fake identities and pose as job seekers to secure remote work usually in the tech and programming sectors. The money they make is sent back to the North Korean government to support its activities

Subject matter expert, Craig WattThreat Intelligence Consultant at Quorum Cyber, comments that "North Korean IT workers are likely tasked with obtaining remote IT jobs, with their salary then funnelled back to Pyongyang. This almost certainly carries the objective of countering UN sanctions with the North Korea demonstrating no intention of negotiating away its strategic weapons programs, which is perceived as a guarantor of regime security and national pride"

Indeed, US government authorities have continued to highlight this criminal activity, with the Department of Justice recently indicting five individuals involved in the operation. These individuals were found to have fraudulently obtained work with at least 64 US firms.

Despite increasing awareness and legal actions, such as the indictment, this scheme continues to thrive. The GTIG report confirms that these North Korean IT workers are usually aiming at organisations in both the US and Europe. “The IT Worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors. This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility...

“Separately, additional investigations uncovered other IT worker personas seeking employment in Germany and Portugal, alongside login credentials for user accounts of European job websites and human capital management platforms,” says the Report.

This expansion is a response to mounting challenges faced by covert North Korean operatives in getting jobs in the US. Along with the geographic expansion, N. Korean IT workers are evolving their tactics. The Report highlights an increase in extortion campaigns and a shift towards conducting operations within corporate virtualised infrastructures, which allows for greater anonymity and control. 

Some workers have even been detected managing multiple personas across both Europe and the US, targeting sensitive sectors such as defence and government organisations. For companies that unknowingly hire these workers, the risks are significant, including potential espionage, data theft, and operational disruption. 

The Google report emphasises the growing complexity of these schemes, with facilitators located in multiple countries helping to circumvent identity verification and facilitate the movement of corporate assets across borders.

Google   |   Google    |   TechRadar   |   WeLiveSecurity    |   I-HLS   |   Hacker News   |    Cybersecoop   | 

US Dept. of Justice   |   eSentire

Image: Ideogram

You Might Also Read:

US Nationals Indicted For Fraudulent Remote IT Work:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Do You Need Security That Starts With “Prove It”?
How Companies Can Manage Third-Party Vendor Risk »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

ThreatConnect

ThreatConnect

ThreatConnect is an enterprise threat intelligence platform by Cyber Squared bridging incident response, defense, and threat analysis for InfoSec & DFIR teams.

Business Intelligence Associates (BIA)

Business Intelligence Associates (BIA)

BIA's TotalDiscovery is a defensible and cost-effective corporate preservation and legal compliance software solution.

Casaba Security

Casaba Security

Casaba are specialists in software security providing managed Software Development Lifecycle services as well as products for security testing.

First National Technology Solutions (FNTS)

First National Technology Solutions (FNTS)

First National Technology Solutions is a leading provider of flexible, customized hosted and remote managed services including IT security and compliance.

Data61

Data61

Data61 is Australia’s leading digital research network offering the research capabilities, IP and collaboration programs to unleash the country’s digital & data-driven potential.

DigiSec360

DigiSec360

DigiSec360 is a technology firm focused on the human element of cybersecurity.

CloudSphere

CloudSphere

CloudSphere’s flagship Cloud Governance Platform enables enterprises and cloud service providers to simplify and optimize cloud migration, management, and governance.

Gijima

Gijima

Gijima is one of SA’s leading ICT companies in Cloud & Outsourcing, Systems integration, Human Capital Management & Training, Cybersecurity, and Unified Communications.

Littlefish

Littlefish

Littlefish provide world-class, award-winning Managed IT and Cyber Security Services, delivered from our 24/7 UK service centres.

Nisos

Nisos

Nisos provides unrivaled protection of your reputation and assets through the practice of Active Defense.

C2 Risk

C2 Risk

C2 Risk are focussed on risk analytics for information assurance, privacy and ESG (Environmental, Social, and Governance).

Hudson Rock

Hudson Rock

Hudson Rock’s products — Cavalier & Bayonet — are powered by our cybercrime database, composed of millions of machines compromised by Infostealers in global malware spreading campaigns.

PDI Technologies

PDI Technologies

PDI Technologies helps convenience retail and petroleum wholesale businesses around the globe increase efficiency and profitability by securely connecting their data and operations.

Permiso Security

Permiso Security

Permiso combines industry leading Identity Security Posture Management with Identity Threat Detection and Response, leaving no place to hide for identity threats lurking in your environment.

Ncontracts

Ncontracts

Our mission at Ncontracts is to continually improve our clients’ ability to manage risk and compliance.

Cyberscore

Cyberscore

CyberScore specialize in digital security assessments that preventively make digital environments safer against malicious attacks from inside and outside.