How We Identified Fake North Korean IT Workers Using Identity Matching

Hiring Fraud Scams

Last year, detailed reports from cybersecurity firms like Mandiant and unsealed federal charges shone a spotlight on the widespread issue of the Democratic People’s Republic of Korea (DPRK) fraudulent remote IT workers.

The flurry of illicit activity piqued our interest at SpyCloud, where we closely track cybercriminal activity and research emerging threats. Our new research shows that roughly 10% of Fortune 500 companies have interacted with, and potentially inadvertently hired, DPRK IT workers.

How do we know this? Well, let’s dig in.

How the hiring fraud schemes work

In these schemes, individuals acting on behalf of the North Korean government participate in what’s broadly become known as hiring fraud, obtaining remote work positions in software engineering and IT under fraudulent identities at US organizations. Their paychecks then presumably go towards funding the North Korean regime. The FBI has also warned that these individuals are increasingly engaging in data-theft extortion against the companies that have inadvertently hired them.

Unfortunately for the participants in these schemes, they are just as susceptible to being infected by malware as anyone else. With that in mind, we found a starting point for a deeper investigation, picked up a trail, and it led our researchers to some interesting insights.

SpyCloud has observed many of these DPRK fraudulent IT workers inadvertently infect their own workstations with commodity infostealer malware. Like other infostealer malware infections, the logs that are harvested from these infections are then sold and shared on the darknet, where SpyCloud recaptures, classifies, and parses them in bulk.

What can we learn from a malware infection log? Self-infection insights from when bad actors infect themselves

Stealer logs generally contain an infected user’s system information, account login credentials, and browser cookies. In addition, they can also contain more detailed information like browsing history, desktop files, installed software, running processes, data scraped from notes applications, and screenshots from the device.

Because of this, malware logs can reveal substantial information about these workers’ daily digital activities, give us insight into their TTPs, and allow us to identify organizations where they have applied and potentially been hired.

How we were able to identify DPRK workers participating in hiring fraud

To identify these self-infections within our database of billions of infostealer malware records, we started with the following basic pivoting logic:

01. Astrill VPN

Often we start a search like this within the SpyCloud Investigations solution using IP addresses. Like most of the DPRK’s cyber operations, the individuals involved appear to be located outside of North Korea, with many operating out of Chinese provinces near the North Korean border. This is mostly out of operational necessity; North Korea has extremely limited access to electricity and virtually no internet access. Mandiant published a list of IP addresses that they observed being used by DPRK remote workers. Many of these IP addresses are associated with the Astrill VPN service, a popular VPN in China. SPUR also published a much more extensive list of Astrill VPN IPs.

02. Job boards

Astrill VPN has been heavily used by DPRK IT workers, but it’s also popular with a wide variety of ordinary Chinese users who use it to bypass the “great firewall” when browsing the internet. The easiest way to narrow down our search further was to look for logs where the infected user appeared to be applying to a lot of jobs on Western recruiting websites such as Upwork, Taleo, Workday, iCIMS, and Greenhouse.

03. Confirmation

After looking for logs that fit this profile, we wanted to explore deeper within each of the remaining infostealer logs to find other clues that match the profile of a workstation being used for this activity. Some additional indicators that can further corroborate a likely fraudulent DPRK remote IT worker log include:

04. The smoking guns

Once we narrowed it down even further and determined that the IP address and account credentials in a log likely fit the profile of a fraudulent IT worker, we were able to look for even more compelling pieces of evidence. Generally, we found these either within the log itself, or by using OSINT methods to access and review some of the public accounts created by the IT workers like GitHub accounts, LinkedIn accounts, or resumes posted to filesharing sites.

In some logs, we were even able to find files that had been exfiltrated from the workstation’s Desktop or Documents folders that clearly showed side-by-side resumes: a resume taken from a real developer or IT worker in the US, and a copied fraudulent resume with very minor changes like the name, contact information, and professional headshot.

05. Feedback loop

After using this process to find DPRK remote IT worker self-infections, we were able to find additional high-value indicators to serve as initial pivot points and repeat the process.
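The pivoting logic above (VPN exit IP, then heavy job-board activity, then harvesting new pivots from confirmed logs) as an added Python example that is not SpyCloud's own tooling. The VPN ranges, the record layout and the sample logs are constructed placeholders; the real Astrill IP lists come from the Mandiant and Spur publications mentioned earlier.

```python
import ipaddress
from urllib.parse import urlparse

# Placeholder ranges standing in for the published Astrill VPN lists (constructed, not real).
VPN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Recruiting sites named in the article; credentials spanning several of them suggest
# a workstation used for mass job applications (step 02).
JOB_BOARDS = {"upwork.com", "taleo.net", "myworkdayjobs.com", "icims.com", "greenhouse.io"}

def on_vpn(ip):
    """Step 01: does the log's source IP fall inside a known VPN exit range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)

def job_board_hits(credential_urls):
    """Step 02: count distinct job boards among a log's saved credential URLs."""
    seen = set()
    for url in credential_urls:
        host = urlparse(url).hostname or ""
        for board in JOB_BOARDS:
            if host == board or host.endswith("." + board):
                seen.add(board)
    return len(seen)

def triage(logs, min_boards=3):
    """Return ids of logs that pass both filters; these still need manual confirmation (step 03)."""
    return [log["id"] for log in logs
            if on_vpn(log["ip"]) and job_board_hits(log["credentials"]) >= min_boards]

def new_pivots(logs, candidate_ids):
    """Step 05: harvest IPs and e-mail addresses from candidate logs to seed the next pass."""
    pivots = {"ips": set(), "emails": set()}
    for log in logs:
        if log["id"] in candidate_ids:
            pivots["ips"].add(log["ip"])
            pivots["emails"].update(log.get("emails", []))
    return pivots

# Constructed sample records, not real stealer-log data.
SAMPLE_LOGS = [
    {"id": "log-1", "ip": "203.0.113.45", "emails": ["dev.one@example.com"],
     "credentials": ["https://www.upwork.com/ab/account-security/login",
                     "https://acme.taleo.net/careersection/",
                     "https://acme.wd5.myworkdayjobs.com/", "https://careers.icims.com/"]},
    {"id": "log-2", "ip": "203.0.113.46", "emails": [],
     "credentials": ["https://mail.example.com/", "https://shop.example.com/"]},
    {"id": "log-3", "ip": "192.0.2.10", "emails": [],
     "credentials": ["https://www.upwork.com/", "https://boards.greenhouse.io/",
                     "https://acme.taleo.net/"]},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOGS)
    print(hits, new_pivots(SAMPLE_LOGS, hits))
```

Only log-1 satisfies both filters; log-2 is on the VPN but shows no job-board activity, and log-3 applies widely but from a non-VPN address, which is why neither should be escalated on these two signals alone.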

Impact: The Fortune 500 and beyond

This process has enabled us to begin to identify the extent of the DPRK campaign, confirming its impact on hundreds of US companies. Our team at SpyCloud estimates that about 10% of Fortune 500 companies have interacted with, and potentially inadvertently hired, DPRK IT workers. This is likely a conservative estimate, because we don’t have visibility into every DPRK remote worker workstation; not all of them have been infected by infostealer malware.

With evidence of this happening as far back as 2018, the threat continues to gain traction and teams are really only now beginning to unravel the unprecedented scale of these hirings. 

Our hope is by raising awareness of the issue, security teams can better combat existing risks and prevent unknowingly hiring and granting business access to these individuals in the future.

With that being said, the tools needed for identity analysis typically sit with security or IT, yet your HR team is likely the one vetting job candidates. As your business practices evolve, it’s important for operations and security teams to unite and collaborate on new, cross-functional workflows and playbooks that protect your entire organization from emerging threats that slip past traditional protective measures.
