North Korean Lazarus Group's Remote IT Worker Identity Rental Scheme
Security researchers have uncovered and documented a sophisticated scheme by North Korea's Lazarus Group, specifically its Famous Chollima division, to infiltrate Western companies by recruiting remote IT workers under false pretenses. The operation involves North Korean agents posing as recruiters who target engineers and developers, convincing them to rent out their identities and computers. These compromised individuals act as figureheads, allowing Lazarus operatives to pass interviews, gain employment, and use the victims' devices as proxies to conceal their true location and activities. Researchers, including Mauro Eldritch of BCA LTD and the NorthScan initiative, managed to capture the scheme live by deploying controlled sandbox environments that mimicked real developer laptops, enabling them to observe the attackers' tactics in real time.
The scheme leverages social engineering, AI-driven interview techniques, and deepfake technology to bypass security checks and secure positions at high-profile companies, particularly in finance, crypto, healthcare, and engineering sectors. Victims are offered a share of the salary, typically 20-35%, in exchange for their cooperation, but they bear all legal and reputational risks if the operation is discovered. The investigation also revealed that Lazarus operatives spammed GitHub repositories with recruitment messages to attract more candidates. This exposure provides critical insight into North Korea's ongoing efforts to generate revenue and conduct espionage through remote access to Western corporate networks.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Joint research publicly links the scheme to Lazarus/Famous Chollima
BCA LTD, NorthScan, and ANY.RUN publicly reported that the observed fake IT worker operation was tied to North Korea’s Famous Chollima cluster, associated with the Lazarus Group. The report warned that remote hiring workflows can be exploited to gain access to internal systems and sensitive data at Western organizations.
Investigators observe live Famous Chollima remote-worker tradecraft
Inside the honeypot, researchers recorded operators using Astrill VPN, host reconnaissance commands, AI browser extensions, OTP and authentication tooling, and Google Remote Desktop configured through PowerShell for persistent remote access. The activity showed an emphasis on account takeover and remote control rather than traditional malware deployment.
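The tradecraft above is notable for what it lacks: no dropper, no implant, just legitimate VPN, remote-desktop and authentication tooling driven from PowerShell. That makes process-creation telemetry, rather than file hashes, the natural place to look. The following is an added example and not code from the researchers, ANY.RUN or Mallory: it correlates constructed Sysmon-style process events per host and flags a machine on which a remote-desktop host is set up from a PowerShell parent and host reconnaissance commands run in the same short window. The indicator substrings, the pipe-delimited log format and every sample event are assumptions made for illustration, not observed data from the honeypot.

```python
"""Correlation sketch for remote-worker tradecraft (added example).

Runs over constructed process-creation events (Sysmon EventID 1 style
fields, simplified to: timestamp|host|user|parent_image|image|cmdline)
and flags hosts where remote-desktop setup via PowerShell and host
reconnaissance occur within a short window. All indicators and sample
lines below are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative indicator substrings (assumptions), matched against the
# lower-cased image path and command line of each event.
RECON_CMDS = ("whoami", "systeminfo", "ipconfig", "net user", "tasklist")
REMOTE_DESKTOP = ("remoting_host", "chromeremotedesktop", "anydesk")
VPN_CLIENTS = ("astrill",)

# Constructed sample telemetry: one developer laptop showing the full
# chain, one server with a legitimate software-deployment install, and
# one workstation with only a routine ipconfig.
SAMPLE_LOG = """\
2025-01-10T09:00:00|DEV-LAPTOP-01|corp\\jdoe|explorer.exe|C:\\Program Files\\Astrill\\astrill.exe|astrill.exe
2025-01-10T09:03:10|DEV-LAPTOP-01|corp\\jdoe|powershell.exe|C:\\Windows\\System32\\cmd.exe|cmd /c whoami /all
2025-01-10T09:03:40|DEV-LAPTOP-01|corp\\jdoe|powershell.exe|C:\\Windows\\System32\\systeminfo.exe|systeminfo
2025-01-10T09:05:00|DEV-LAPTOP-01|corp\\jdoe|powershell.exe|C:\\Windows\\System32\\msiexec.exe|msiexec /i chromeremotedesktophost.msi /quiet
2025-01-10T10:00:00|BUILD-SRV-02|corp\\svc_build|services.exe|C:\\Windows\\System32\\msiexec.exe|msiexec /i chromeremotedesktophost.msi /quiet
2025-01-10T11:00:00|HR-PC-07|corp\\asmith|explorer.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
"""


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one pipe-delimited event line of the constructed format."""
    ts, host, user, parent, image, cmd = [f.strip() for f in line.split("|", 5)]
    return ProcEvent(datetime.fromisoformat(ts), host, user, parent, image, cmd)


def classify(ev: ProcEvent) -> set:
    """Tag a single event; the PowerShell-parent tag is the key signal."""
    text = f"{ev.image} {ev.cmdline}".lower()
    tags = set()
    if any(s in text for s in RECON_CMDS):
        tags.add("recon")
    if any(s in text for s in REMOTE_DESKTOP):
        tags.add("remote_desktop")
        if "powershell" in ev.parent_image.lower():
            tags.add("remote_desktop_via_powershell")
    if any(s in text for s in VPN_CLIENTS):
        tags.add("vpn")
    return tags


def correlate(events, window: timedelta = timedelta(minutes=30)) -> dict:
    """Return {host: sorted tags} for hosts where a PowerShell-driven
    remote-desktop setup and reconnaissance fall inside `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append((ev, classify(ev)))
    findings = {}
    for host, evs in by_host.items():
        for ev, tags in evs:
            if "remote_desktop_via_powershell" not in tags:
                continue
            nearby = [t for (e, t) in evs if abs(e.ts - ev.ts) <= window]
            seen = set().union(*nearby)
            if "recon" in seen:
                findings[host] = sorted(seen)
    return findings


def run_sample() -> dict:
    """Parse the constructed log and run the correlation over it."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return correlate(events)


if __name__ == "__main__":
    for host, tags in run_sample().items():
        print(f"{host}: {', '.join(tags)}")
```

The single-host, single-window design is deliberate: the signal in this campaign is the combination of an interactive session (VPN, then recon) and remote-access setup launched from a scripting host, not any one tool, and the build server's unattended installer run drops out precisely because its parent is not PowerShell. In production the indicator lists would come from an allow/deny policy for remote-access software rather than hard-coded strings.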
Researchers deploy ANY.RUN laptop-farm honeypot to monitor operators
After the recruiter demanded sensitive identity and access artifacts, the researchers shifted to a controlled laptop-farm honeypot built with long-running ANY.RUN interactive sandbox systems disguised as developer laptops. This allowed them to safely observe the full workflow without exposing real endpoints.
Recruiter solicits identity data and frontman access for fake employment
During the engagement, the recruiter requested extensive personal information and 24/7 remote access to a laptop via tools such as AnyDesk, and offered 20% to 35% of salary for help acting as a frontman in interviews. The scheme relied on identity rental, anti-camera or deepfake interview tactics, and AI-assisted job application support.
Researchers engage DPRK recruiter posing as a U.S. developer
Researchers from BCA LTD and NorthScan contacted a recruiter persona known as “Aaron” or “Blaze” after encountering GitHub spam posts, while impersonating a U.S.-based developer. The recruiter sought to place North Korean IT workers into Western companies using rented, stolen, or borrowed identities.
Sources
Researchers spotted Lazarus’s remote IT workers in action (securityaffairs.com)
North Korean IT worker recruitment tactics exposed (scworld.com)
Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera (thehackernews.com)
North Korea lures engineers to rent identities in fake IT worker scheme (bleepingcomputer.com)


