TL;DR:
- State-sponsored North Korean IT workers are using fraudulent identities to gain remote employment at US companies, creating a significant insider threat and corporate espionage risk.
- These actors are being identified through their own operational security failures, as their self-infection with infostealer malware exposes their TTPs, reused passwords, and fraudulent personas to security researchers.
- Security teams should investigate for this threat by hunting for key indicators, including the use of specific VPNs (e.g., Astrill), suspicious job board activity, and multiple personas linked by reused credentials.
- Prevent future infiltration by collaborating with HR to enhance candidate vetting by incorporating identity intelligence and identity analysis into the hiring workflow to detect fraudulent applicants.
Last year, detailed advisories from cybersecurity firms like Mandiant and unsealed federal charges shone a spotlight on the widespread issue of the Democratic People’s Republic of Korea (DPRK) fraudulent remote IT workers.
The flurry of illicit activity piqued our interest at SpyCloud, where we closely track cybercriminal activity and research emerging threats. Research now shows nearly all of the Fortune 500 interacting with, and potentially inadvertently hiring, DPRK IT workers.
When we took a look at our own data lake, we found some interesting supportive findings.
How the employment fraud schemes work
In these schemes, individuals acting on behalf of the North Korean government participate in what’s broadly become known as employment fraud, obtaining remote work positions in software engineering and IT under fraudulent identities at US organizations. Their paychecks then presumably go towards funding the North Korean regime. The FBI has also warned that these individuals are increasingly engaging in corporate espionage and data theft extortion against the companies that have inadvertently hired them.
Unfortunately for the participants in these schemes, they are just as susceptible to being infected by malware as anyone else. With that in mind, we found a starting point for a deeper investigation, picked up a trail, and it led our researchers to some interesting insights.
SpyCloud has observed many of these DPRK fraudulent IT workers inadvertently infect their own workstations with commodity infostealer malware. Like other infostealer malware infections, the logs that are harvested from these infections are then sold and shared on the darknet, where SpyCloud recaptures, classifies, and parses them in bulk.
What can we learn from a malware infection log? Self-infection insights from when bad actors infect themselves
Stealer logs generally contain an infected user’s system information, account login credentials, and browser cookies. In addition, they can also contain more detailed information like browsing history, desktop files, installed software, running processes, data scraped from notes applications, and screenshots from the device.
Because of this, malware logs can reveal substantial information about these workers’ daily digital activities, give us insight into their TTPs, and allow us to identify organizations where they have applied and potentially been hired.
How SpyCloud was able to identify DPRK workers participating in this employment scheme
To narrow down our infostealer malware data and identify the self-infections within our database of billions of malware records, we started with the following basic pivoting logic:
01. Astrill VPN
Often we start a search like this within the SpyCloud Investigations solution using IP addresses. Like most of the DPRK’s cyber operations, the individuals involved appear to be located outside of North Korea, with many operating out of Chinese provinces near the North Korean border. This is mostly out of operational necessity; North Korea has extremely limited access to electricity and virtually no internet access. Mandiant published a list of IP addresses that they observed being used by DPRK remote workers. Many of these IP addresses are associated with the Astrill VPN service, a popular VPN in China. SPUR also published a much more extensive list of Astrill VPN IP addresses.
02. Job boards
Astrill VPN has been heavily used by DPRK IT workers, but it’s also popular for a wide variety of other typical Chinese users to bypass the “great firewall” when browsing the internet. The easiest way to narrow down our search further was to look for logs where the infected user appeared to be applying to a lot of jobs on Western recruiting websites such as Upwork, Taleo, Workday, iCIMS, and Greenhouse.
03. Confirmation
After looking for logs that fit this profile, we wanted to explore deeper within each of the remaining infostealer logs to find other clues that match the profile of a workstation being used for this activity. Some additional indicators that can further corroborate a likely fraudulent DPRK remote IT worker log include:
- Accounts for job and professional sites (like LinkedIn) that appear to fit into multiple distinct personas, but which all appear to share the same reused password or password patterns
- Accounts for remote management software (like AnyDesk or TeamViewer) which the remote IT workers use to remotely access corporate devices in the US at "laptop farms"
- Accounts for websites used in persona creation, such as websites for purchasing stolen social security numbers, AI-powered tools for easily creating resumes, AI assistive writing tools, and AI image editing tools used to create and edit professional headshots
04. The smoking guns
Once we narrowed it down even further and determined that the IP address and account credentials in a log likely fit the profile of a fraudulent IT worker, we were able to look for even more compelling pieces of evidence. Generally, we found these either within the log itself, or by using OSINT methods to access and review some of the public accounts created by the IT workers like GitHub accounts, LinkedIn accounts, or resumes posted to filesharing sites.
In some logs, we were even able to find files that had been exfiltrated from the workstation’s Desktop or Documents folders that clearly showed side-by-side resumes: a resume taken from a real developer or IT worker in the US, and a copied fraudulent resume with very minor changes like the name, contact information, and professional headshot.
05. Feedback loop
After using this process to find DPRK remote IT worker self-infections, we were able to find additional high-value indicators to serve as initial pivot points and repeat the process.
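The pivot logic from steps 01 through 04, as an added example that is not SpyCloud's code: it scores two constructed stealer-log records against the indicators described above. The CIDR ranges, domains and log contents are placeholder sample data standing in for a published VPN IP list and a parsed log, not real indicators.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Placeholder CIDRs standing in for a published Astrill VPN IP list (constructed, not real).
ASTRILL_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
JOB_BOARDS = {"upwork.com", "taleo.net", "myworkday.com", "icims.com", "greenhouse.io"}
PERSONA_SITES = {"linkedin.com", "github.com"}
REMOTE_MGMT = {"anydesk.com", "teamviewer.com"}

def base_domain(url):
    """Reduce a URL or bare host to its last two labels (sufficient for the sample data)."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    return ".".join(host.split(".")[-2:])

def triage(log):
    """Score one parsed stealer log against the pivot indicators and return the hits."""
    hits = {}
    ip = ipaddress.ip_address(log["ip"])
    hits["astrill_vpn"] = any(ip in net for net in ASTRILL_RANGES)       # step 01
    cred_domains = {base_domain(c["url"]) for c in log["credentials"]}
    seen = cred_domains | {base_domain(u) for u in log.get("history", [])}
    hits["job_boards"] = len(seen & JOB_BOARDS) >= 3                      # step 02
    # Step 03: distinct usernames on professional sites sharing one password stem
    by_stem = defaultdict(set)
    for c in log["credentials"]:
        if base_domain(c["url"]) in JOB_BOARDS | PERSONA_SITES:
            by_stem[c["password"].lower().rstrip("0123456789!")].add(c["username"])
    hits["reused_persona_password"] = any(len(u) >= 2 for u in by_stem.values())
    hits["remote_mgmt"] = bool(cred_domains & REMOTE_MGMT)               # step 03
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits

# Constructed sample logs: one fitting the profile, one an ordinary VPN user.
SUSPECT_LOG = {
    "ip": "203.0.113.42",
    "credentials": [
        {"url": "https://www.linkedin.com/login", "username": "alex.doe@example.com", "password": "Winter2024!"},
        {"url": "https://www.linkedin.com/login", "username": "sam.lee@example.net", "password": "Winter2023!"},
        {"url": "https://boards.greenhouse.io", "username": "alex.doe@example.com", "password": "Winter2024!"},
        {"url": "https://my.anydesk.com", "username": "alex.doe@example.com", "password": "Winter2024!"},
    ],
    "history": ["https://www.upwork.com/jobs", "https://xyz.myworkday.com/apply", "https://careers.icims.com"],
}
BENIGN_LOG = {
    "ip": "203.0.113.7",
    "credentials": [{"url": "https://github.com/login", "username": "dev1", "password": "hunter2"}],
    "history": ["https://www.upwork.com"],
}
```

A log with only the VPN hit is the common false positive the text describes; the job-board and reused-persona signals are what separate the two records.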
Impact: The Fortune 500 and beyond
This process has enabled us to begin to identify the extent of the DPRK campaign, confirming its impact on hundreds of US companies that are interacting with, and potentially inadvertently hiring, DPRK IT workers.
With evidence of this happening as far back as 2018, the threat continues to gain traction and teams are really only now beginning to unravel the unprecedented scale of these hirings.
Our hope is by raising awareness of the issue, security teams can better combat existing risks and prevent unknowingly hiring and granting business access to these individuals in the future.
With that being said, the tools needed for identity analysis typically sit with security or IT, yet your HR team is likely the one vetting job candidates. As your business practices evolve, it is important for operations and security teams to unite and collaborate on new, cross-functional workflows and playbooks that protect the entire organization from emerging threats that slip past traditional protective measures.
Learn more about how SpyCloud Investigations uncovers hidden risks like employment fraud.
FAQs
North Korean state-sponsored IT workers operating remote employment fraud schemes are susceptible to the same infostealer malware infections as any other user. When DPRK workers accidentally infect their own workstations with commodity infostealers, the resulting malware logs — containing system information, account credentials, browser cookies, browsing history, installed software, running processes, and in some cases desktop files and screenshots — are sold and shared on the darknet. SpyCloud recaptures, classifies, and parses these logs in bulk. Because the logs reflect the full digital activity of the infected device, researchers can use them to reconstruct the operator’s TTPs, identify multiple fraudulent personas, and trace connections to the organizations they have applied to or been hired by — turning the attackers’ own operational security failures into an intelligence source.
SpyCloud researchers use a layered pivoting process to identify DPRK fraudulent IT worker infections within a database of billions of malware records. The initial filter combines two signals: IP addresses associated with Astrill VPN — a service heavily used by DPRK operators working from Chinese provinces near the North Korean border — and browsing activity showing extensive use of Western job boards including Upwork, Workday, Taleo, iCIMS, and Greenhouse. From there, additional indicators narrow the identification further: multiple professional personas (LinkedIn profiles, GitHub accounts, resumes) that share reused passwords or password patterns; accounts for remote management tools like AnyDesk and TeamViewer, used to control US-based laptop farms; accounts for persona-creation services including sites that sell stolen Social Security numbers, AI resume builders, and AI headshot editors; and in some cases, desktop files containing side-by-side copies of a real developer’s resume alongside a near-identical fraudulent version with a different name, contact details, and photo.
Traditional background checks verify the identity presented by the candidate — they do not detect whether that identity is stolen, fabricated, or shared across multiple fraudulent personas. DPRK IT workers operate with professionally constructed false identities, AI-generated headshots, and resumes copied from real US developers with minor alterations. Background check processes that rely on submitted credentials cannot identify that the same underlying operator is applying across multiple companies under different names, or that the identity documents being presented belong to someone else. Detecting this threat requires cross-referencing candidate identity attributes against darknet intelligence — including breach records, malware logs, and credential reuse patterns — to identify signals of fraudulent identity construction that no document review would surface. This is why integrating identity intelligence into pre-hire workflows, in collaboration between security and HR teams, is the operational gap the DPRK campaign has exploited at scale.
Prevention requires combining identity intelligence with the hiring workflow — a cross-functional effort between security and HR teams that most organizations have not yet formalized. The key operational steps are: using infostealer-sourced identity data to check candidate identities for signals of fabrication or theft before extending offers; looking for credential reuse patterns that link a candidate’s professional profiles to other personas or darknet records; flagging candidates whose contact details, devices, or access patterns suggest routing through known DPRK infrastructure such as Astrill VPN; and building HR-security collaboration playbooks that route high-risk candidate signals to security review before access is granted. SpyCloud Investigations enables security teams to run these identity correlation checks — pivoting from a submitted email address or name to surface connected records across breach data, malware logs, and professional profiles — as part of a pre-hire vetting process rather than a post-incident investigation.