DPRK Remote IT Worker Scheme Uses Impersonated Real LinkedIn Accounts to Infiltrate Employers
North Korean (DPRK) operatives running the long-standing “remote IT worker” scheme have escalated their tradecraft by applying for remote roles using real LinkedIn accounts of legitimate professionals they are impersonating, rather than relying primarily on fully synthetic personas. Reporting attributes the finding to analysis shared by Security Alliance (SEAL), noting that the hijacked/impersonated profiles can appear highly credible—sometimes featuring verified workplace emails and identity badges—making initial recruiter screening and identity verification more difficult.
The operation’s objectives remain consistent: generate revenue for the regime (including via salary payments later moved through cryptocurrency laundering techniques such as chain-hopping/token swapping and use of DEXs/bridges) while also enabling access to sensitive corporate environments for espionage, persistence, and potential follow-on extortion. The activity is described as high-volume and is tracked under multiple names in the security community (including Jasper Sleet, PurpleDelta, and Wagemole), with prior research noting that once placed, these operators can obtain administrative access to codebases and blend in using living-off-the-land techniques within enterprise infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Security Alliance reports shift to impersonating real LinkedIn users
On 2026-02-10, Security Alliance said DPRK IT worker operatives had evolved their job-fraud tactics by impersonating legitimate professionals and mirroring real LinkedIn profiles instead of relying mainly on fabricated personas. The approach included using credibility signals such as workplace emails and identity badges while controlling applicant communications to intercept recruiting outreach and job offers.
CrowdStrike splits Labyrinth Chollima into three DPRK clusters
CrowdStrike reported that the DPRK threat activity previously tracked as Labyrinth Chollima had segmented into Labyrinth Chollima, Golden Chollima, and Pressure Chollima. The clusters were said to continue sharing tools, infrastructure, and similar HR-themed tradecraft.
Contagious Interview campaign targets job seekers with malware
In a parallel LinkedIn-centered operation, DPRK actors used fake hiring processes to trick targets into running malicious code, including GitHub clones and npm package installs. Reported payloads and techniques included BeaverTail, InvisibleFerret, EtherHiding, malicious VS Code task files, and the Koalemos JavaScript RAT.
DPRK IT worker scheme uses fake remote-job identities
North Korean operatives ran a long-standing campaign to obtain remote IT jobs at global organizations using fabricated or synthetic identities. The activity was intended to generate revenue for the regime and potentially provide access to victim corporate networks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies
thehackernews.com
Open sourceDPRK IT Workers Impersonating Individuals Using Real LinkedIn Accounts to Apply for Remote Roles - Cyber Security News
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean Fake IT Worker Network Infiltrates Western Firms and Funds Pyongyang
U.S. authorities and multiple security firms detailed a large North Korean scheme in which operatives use stolen or fabricated identities to win remote IT jobs at Western companies, then send the earnings back to Pyongyang in violation of sanctions. Research from IBM X-Force, Flare, Microsoft, LevelBlue, and others described a mature ecosystem of recruiters, facilitators, brokers, laptop-farm operators, and Western collaborators that helps workers pass interviews, receive corporate devices, mask their locations with VPNs, and clear payroll and compliance checks. Estimates cited across the reporting say more than 100,000 workers operating across dozens of countries may be generating roughly **$500 million annually**, while some cases also involved data theft, source-code exfiltration, extortion, and malware activity after hiring. The U.S. Treasury's Office of Foreign Assets Control sanctioned six individuals and two entities tied to the operation, while U.S. courts sentenced three Americans, including a former Army soldier, for helping North Korean workers use false identities and laptop farms to obtain jobs at U.S. companies. Investigations also exposed operational tradecraft including use of **Astrill VPN**, **NetKey/OConnect**, **IP Messenger**, freelance platforms, AI-generated resumes and headshots, and U.S.-based hardware relays such as PiKVM-enabled laptop farms; one hired worker was removed within 10 days after suspicious logins from China and Missouri triggered detection. Researchers and federal advisories warned that remote hiring has become an insider-threat and sanctions-compliance risk, urging tighter identity verification, live skills testing, device and geolocation controls, least-privilege access, and joint oversight by HR, recruiters, and security teams.
Jun 23, 2026
North Korean IT Worker Infiltration of Remote Hiring Pipelines
Reporting highlighted ongoing **North Korean IT worker** operations in which individuals use **stolen identities, falsified resumes, and AI-enabled deepfakes** to obtain remote roles at Western companies, creating direct insider-risk exposure once hired. The activity was described as affecting **thousands** of workers and **Fortune 500** employers, with claims of "**3,000 hands on keyboards**" and roughly "**30,000 different email addresses**" in use to support multiple personas, generating wages that can total **hundreds of millions of dollars annually** and help fund the North Korean regime. Recommended screening and verification measures focused on practical controls for remote hiring, including prompting candidates to **perform live actions on video** (e.g., wave), validating **IP address/geolocation consistency** with claimed location, and probing discrepancies in a candidate’s stated whereabouts. The reporting framed these checks as necessary to counter identity fraud and synthetic media used to pass interviews and onboarding, and to reduce the likelihood of granting network access to sanctioned or malicious actors operating under false identities.
May 8, 2026
North Korean Lazarus Group's Remote IT Worker Identity Rental Scheme
Security researchers have uncovered and documented a sophisticated scheme by North Korea's Lazarus Group, specifically its Famous Chollima division, to infiltrate Western companies by recruiting remote IT workers under false pretenses. The operation involves North Korean agents posing as recruiters who target engineers and developers, convincing them to rent out their identities and computers. These compromised individuals act as figureheads, allowing Lazarus operatives to pass interviews, gain employment, and use the victims' devices as proxies to conceal their true location and activities. Researchers, including Mauro Eldritch of BCA LTD and the NorthScan initiative, managed to capture the scheme live by deploying controlled sandbox environments that mimicked real developer laptops, enabling them to observe the attackers' tactics in real time. The scheme leverages social engineering, AI-driven interview techniques, and deepfake technology to bypass security checks and secure positions at high-profile companies, particularly in finance, crypto, healthcare, and engineering sectors. Victims are offered a share of the salary, typically 20-35%, in exchange for their cooperation, but they bear all legal and reputational risks if the operation is discovered. The investigation also revealed that Lazarus operatives spammed GitHub repositories with recruitment messages to attract more candidates. This exposure provides critical insight into North Korea's ongoing efforts to generate revenue and conduct espionage through remote access to Western corporate networks.
Mar 21, 2026