Full Report
The information technology (IT) workers associated with the Democratic People's Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals they're impersonating, marking a new escalation of the fraudulent scheme. "These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent
Analysis Summary
# Threat Actor: DPRK Information Technology (IT) Workers
## Attribution & Identity
* **Attribution:** Democratic People's Republic of Korea (DPRK)
* **Known Aliases/Associated Groups:** Jasper Sleet, PurpleDelta, Wagemole (broader tracking names for the remote worker scheme).
## Activity Summary
DPRK IT workers are applying for remote positions using stolen or fabricated identities, representing an escalation where operatives now use *real LinkedIn accounts* of individuals they are impersonating. These fake profiles often include verified workplace emails and identity badges to appear legitimate. The objective is two-fold: generating revenue to fund DPRK's weapons programs and conducting espionage via theft of sensitive data. In some cases, they engage in ransomware demands to prevent data leaks. This activity is described as a "high-volume revenue engine" for the regime.
## Tactics, Techniques & Procedures
- Impersonating professionals on LinkedIn using verified credentials (work emails, ID badges) belonging to real individuals.
- Securing remote jobs in Western companies under fabricated or stolen identities.
- Leveraging acquired company access to steal sensitive data and gain administrative access to codebases.
- Establishing "living-off-the-land" persistence within corporate infrastructure.
- Utilizing cryptocurrency to transfer illicit salary income, employing chain-hopping and token swapping via decentralized exchanges and bridge protocols to launder funds.
- **Associated Social Engineering (Parallel Campaign - Contagious Interview):** Luring targets via fake job offers on LinkedIn, instructing them (while posing as recruiters) to complete skill assessments that lead to the execution of malicious code (e.g., cloning a GitHub repo and running commands to install an npm package).
## Targeting
* **Sectors:** Information Technology (IT); Digital Asset Infrastructure (in one case mentioned in the report).
* **Geography:** Western companies; specific mention of Norwegian businesses being impacted.
* **Victims:** Companies targeted for remote hiring; specific individuals whose identities are being impersonated on LinkedIn.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly named. In the parallel Contagious Interview campaign, malicious code is executed when the target runs the commands supplied with the skill assessment (e.g., cloning a GitHub repository and installing an npm package), so the assessment itself serves as the delivery mechanism.
* **Infrastructure:** Decentralized Exchanges (DEX) and bridge protocols used for cryptocurrency laundering.
## Implications
This scheme represents a significant escalation in financial cybercrime and espionage, effectively weaponizing legitimate professional networks (LinkedIn) to secure persistent, high-trust access inside target organizations. The use of verified credentials increases the success rate of infiltration. The funds generated directly support the DPRK's weapons and nuclear programs.
## Mitigations
- **For Individuals:** Post warnings on social media accounts if identity is misappropriated, clearly listing official communication channels and verification methods.
- **For Organizations:** Always validate that accounts listed by candidates are controlled by the email address they provided; perform simple checks such as asking the candidate to connect on LinkedIn to confirm ownership and control of the digital account.
- **For Security Teams:** Watch for new hires who gain administrative access or establish persistence using dual-use system tools (Living-off-the-Land techniques).
- **For Finance/Compliance:** Monitor cryptocurrency transactions linked to illicit inflows for chain-hopping and token-swapping patterns.
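The "For Security Teams" mitigation above can be turned into a simple detection: correlate the HR onboarding date with privileged-group changes and dual-use tool execution, and raise a finding only while the account is still inside its onboarding window. The following is an added example, not code from the report or from any of the vendors it cites; the roster, the event records, the privileged group names and the dual-use tool list are all constructed and hypothetical, and a real deployment would feed it from the identity provider and EDR/SIEM telemetry instead.

```python
"""Triage recently onboarded accounts for early privilege gain and
living-off-the-land tool use (added example with constructed data)."""
from datetime import datetime, timedelta

# Constructed HR roster (hypothetical): account name -> hire date.
HR_ROSTER = {
    "jdoe": datetime(2024, 5, 1),
    "asmith": datetime(2022, 1, 15),   # long-tenured, outside any onboarding window
    "rlee": datetime(2024, 5, 6),
}

# Constructed, simplified security events (hypothetical). "detail" holds the
# group name for group_add events and the launched executable for process events.
EVENTS = [
    {"ts": "2024-05-03T09:12:00", "user": "jdoe", "type": "group_add", "detail": "Domain Admins"},
    {"ts": "2024-05-03T10:40:00", "user": "jdoe", "type": "process", "detail": "certutil.exe"},
    {"ts": "2024-05-04T08:02:00", "user": "jdoe", "type": "process", "detail": "schtasks.exe"},
    {"ts": "2024-05-03T11:00:00", "user": "asmith", "type": "group_add", "detail": "Domain Admins"},
    {"ts": "2024-05-07T14:30:00", "user": "rlee", "type": "process", "detail": "powershell.exe"},
    {"ts": "2024-05-08T09:15:00", "user": "rlee", "type": "process", "detail": "powershell.exe"},
    {"ts": "2024-05-08T09:20:00", "user": "svc_backup", "type": "process", "detail": "wmic.exe"},
]

# Hypothetical watch lists; tune to the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
LOLBIN_NAMES = {
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "bitsadmin.exe", "powershell.exe", "wmic.exe", "schtasks.exe",
}


def triage_new_hires(roster, events, window_days=30, lolbin_threshold=2):
    """Return {user: [finding, ...]} for accounts inside their onboarding window.

    A finding is raised when a new hire is added to a privileged group, or when
    the account runs at least `lolbin_threshold` distinct dual-use tools. Events
    for unknown accounts or outside the window are ignored.
    """
    priv_adds = {}   # user -> list of privileged groups joined
    lolbins = {}     # user -> set of distinct dual-use tools launched

    for ev in events:
        hired = roster.get(ev["user"])
        if hired is None:
            continue  # not in the HR roster: out of scope for this check
        ts = datetime.fromisoformat(ev["ts"])
        if not (hired <= ts <= hired + timedelta(days=window_days)):
            continue  # outside the onboarding window
        if ev["type"] == "group_add" and ev["detail"] in PRIVILEGED_GROUPS:
            priv_adds.setdefault(ev["user"], []).append(ev["detail"])
        elif ev["type"] == "process":
            exe = ev["detail"].split()[0].lower()
            if exe in LOLBIN_NAMES:
                lolbins.setdefault(ev["user"], set()).add(exe)

    findings = {}
    for user, groups in priv_adds.items():
        findings.setdefault(user, []).append(
            f"privileged group membership within {window_days} days of hire: "
            + ", ".join(groups)
        )
    for user, tools in lolbins.items():
        if len(tools) >= lolbin_threshold:
            findings.setdefault(user, []).append(
                f"{len(tools)} distinct dual-use tools run within {window_days} "
                f"days of hire: " + ", ".join(sorted(tools))
            )
    return findings


if __name__ == "__main__":
    for user, items in triage_new_hires(HR_ROSTER, EVENTS).items():
        for item in items:
            print(f"[review] {user}: {item}")
```

The onboarding window and the distinct-tool threshold are the two knobs that control noise: a single PowerShell launch by a new engineer is routine, whereas a privileged-group addition in the first weeks, or several different dual-use binaries from one fresh account, is worth a human look alongside the identity checks described for HR.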