Escalating Identity Fraud Scheme Targets Remote Positions
North Korean operatives have significantly upgraded their fraudulent job application tactics by using real LinkedIn accounts of legitimate professionals they're impersonating. This marks a dangerous new escalation in the Democratic People's Republic of Korea's (DPRK) long-running IT worker infiltration campaign.
According to Security Alliance (SEAL), these hijacked profiles often include verified workplace emails and identity badges, making the fraudulent applications appear highly legitimate to unsuspecting hiring managers.
The Dual-Purpose Threat
The DPRK IT worker program, also tracked as Jasper Sleet, PurpleDelta, and Wagemole, operates with two primary objectives:
- Revenue Generation: Drawing salaries from otherwise legitimate remote employment to create a steady income stream for North Korea's weapons and nuclear programs
- Espionage and Extortion: Gaining administrative access to sensitive codebases and corporate infrastructure, stealing proprietary data, and in some cases demanding ransoms to prevent data leaks
Money Laundering Through Cryptocurrency
Once salaries are paid to these fraudulent workers, funds are laundered through sophisticated cryptocurrency techniques. As blockchain analysis firm Chainalysis noted in October 2025:
"DPRK IT workers break the link between source and destination of funds on-chain through chain-hopping and token swapping. They leverage smart contracts such as decentralized exchanges and bridge protocols to complicate the tracing of funds."
Norwegian Businesses Hit by Campaign
The Norwegian Police Security Service (PST) issued an advisory last week confirming "several cases" over the past year where Norwegian businesses unknowingly hired likely North Korean IT workers for home office positions. PST stated that salary income from such positions "probably goes to finance the country's weapons and nuclear weapons program."
Contagious Interview Campaign
Running parallel to the IT worker scheme is the "Contagious Interview" campaign, where fake recruiters approach tech professionals on LinkedIn with job offers. The malicious phase begins when candidates are asked to complete a skill assessment that involves cloning a GitHub repository or running an npm package; building, installing or opening the project is what triggers malware execution.
In one case targeting digital asset infrastructure company Fireblocks, security researcher Ori Hershko revealed the campaign employed EtherHiding: a technique that stores the malicious payload or its command-and-control details in a smart contract on a public blockchain, so the attacker can update it at will and defenders cannot take it down by seizing a hosting server.
Recent variants use malicious Microsoft VS Code task files (.vscode/tasks.json) that launch JavaScript malware stored in files posing as web fonts, ultimately deploying the BeaverTail and InvisibleFerret malware for persistent access and cryptocurrency wallet theft.
Koalemos RAT Framework
Panther security researchers documented another intrusion variant involving malicious npm packages deploying a modular JavaScript remote access trojan (RAT) called Koalemos. The RAT enters a beacon loop to retrieve tasks from external servers, execute them, send encrypted responses, and repeat.
Koalemos supports 12 different commands covering filesystem operations, file transfers, host discovery, and arbitrary code execution. Associated npm packages include:
- env-workflow-test
- sra-test-test
- sra-testing-test
- vg-medallia-digital
- vg-ccc-client
- vg-dev-env
Security researcher Alessandra Rizzo explained: "The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process."
Labyrinth Chollima Evolution
CrowdStrike recently revealed that the prolific North Korean hacking crew Labyrinth Chollima has evolved into three specialized operational units:
- Labyrinth Chollima: Core group focused on cyber espionage using tools like the FudModule rootkit
- Golden Chollima (AppleJeus, Citrine Sleet): Conducts steady, smaller-scale cryptocurrency thefts, mainly in developed economies
- Pressure Chollima (Jade Sleet, TraderTraitor): Pursues high-value heists with advanced implants targeting organizations with significant digital asset holdings
Defense Recommendations
For Individuals
If you suspect your identity is being misused in fraudulent job applications:
- Post a warning on your social media accounts
- List your official communication channels
- Specify your verification method (e.g., company email)
- Monitor your professional profiles for unauthorized activity
For Organizations
- Validate account ownership: Ask candidates to connect with you on LinkedIn to verify they control the account
- Verify email addresses: Confirm that the address a candidate writes from matches the one listed on the profile, and where a workplace email is claimed, confirm it through the employer's domain rather than by replying to the applicant's thread
- Enhanced background checks: Implement thorough verification for remote positions, especially in IT and development roles
- Code review processes: Scrutinize any code or packages candidates are asked to run during technical assessments
- Monitor payment patterns: Implement controls to flag unusual payroll requests, such as redirecting salary to cryptocurrency or to accounts that do not match the worker's verified identity
- Employee training: Educate hiring managers and technical teams about DPRK IT worker tactics
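The two auto-execution channels described in the Contagious Interview section (VS Code task files and npm packages) are exactly what the "Code review processes" recommendation above asks hiring teams to scrutinize. The script below is an added example, not code from the article or from any of the vendors it cites. It audits a cloned take-home repository before anyone opens or installs it: it flags VS Code tasks configured with `runOptions.runOn: "folderOpen"` (which VS Code runs as soon as the folder is opened), npm lifecycle scripts that `npm install` runs without prompting, and, as an assumption about the "disguised as web fonts" trick, any command that hands a font-named file to a JavaScript runtime. The sample repository it builds is constructed for the demonstration.

```python
"""Audit a cloned assessment repo for hooks that execute code automatically.

Added example, not from the article. Checks the two auto-run channels the
article describes (VS Code folder-open tasks, npm lifecycle scripts) plus a
heuristic for JS payloads stored under font file extensions. The extension
list and the sample repository layout are assumptions for illustration.
"""
import json
import os
import re
import tempfile

# npm runs these automatically during `npm install`, with no prompt.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Assumption for this example: a payload "disguised as a web font" is a file
# with one of these extensions being handed to a JavaScript runtime.
FONT_EXTS = (".woff", ".woff2", ".ttf", ".otf", ".eot")
JS_RUNTIME_RE = re.compile(r"\b(node|npx|bun|deno)\b")


def _load_jsonc(path):
    """Load JSON, tolerating the // line comments VS Code allows in tasks.json."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return json.loads(text)


def _disguise_hits(command):
    """Return font-named paths that a JS runtime is being pointed at."""
    if not JS_RUNTIME_RE.search(command):
        return []
    return [tok for tok in command.split() if tok.lower().endswith(FONT_EXTS)]


def scan_vscode_tasks(repo):
    """Flag tasks that VS Code runs as soon as the folder is opened."""
    path = os.path.join(repo, ".vscode", "tasks.json")
    if not os.path.isfile(path):
        return []
    findings = []
    for task in _load_jsonc(path).get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        command = task.get("command", "")
        if run_on == "folderOpen":
            findings.append({"kind": "vscode_folder_open_task", "where": path, "detail": command})
        for hit in _disguise_hits(command):
            findings.append({"kind": "disguised_payload", "where": path, "detail": hit})
    return findings


def scan_package_json(repo):
    """Flag npm lifecycle hooks and scripts that execute font-named files."""
    path = os.path.join(repo, "package.json")
    if not os.path.isfile(path):
        return []
    findings = []
    for name, command in _load_jsonc(path).get("scripts", {}).items():
        if name in NPM_LIFECYCLE_HOOKS:
            findings.append({"kind": "npm_lifecycle_hook", "where": path, "detail": f"{name}: {command}"})
        for hit in _disguise_hits(command):
            findings.append({"kind": "disguised_payload", "where": path, "detail": hit})
    return findings


def audit_repo(repo):
    """Run every check; an empty list means no auto-run hook was found."""
    return scan_vscode_tasks(repo) + scan_package_json(repo)


def build_sample_repo(malicious=True):
    """Write a constructed assessment repo into a temp dir and return its path."""
    repo = tempfile.mkdtemp(prefix="assessment-")
    os.makedirs(os.path.join(repo, ".vscode"))
    tasks = {"version": "2.0.0",
             "tasks": [{"label": "build", "type": "shell", "command": "npm run build"}]}
    scripts = {"build": "webpack --mode production", "test": "jest"}
    if malicious:
        # Constructed sample: a task that fires on folder open and a postinstall
        # hook, both pointing node at a file with a font extension.
        tasks["tasks"].append({
            "label": "setup", "type": "shell",
            "command": "node assets/fonts/roboto.woff",
            "runOptions": {"runOn": "folderOpen"},
        })
        scripts["postinstall"] = "node assets/fonts/roboto.woff"
    with open(os.path.join(repo, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write("// constructed sample, not a real repository\n")
        json.dump(tasks, fh)
    with open(os.path.join(repo, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "take-home", "version": "1.0.0", "scripts": scripts}, fh)
    return repo


if __name__ == "__main__":
    for finding in audit_repo(build_sample_repo()):
        print(f"[{finding['kind']}] {finding['where']}: {finding['detail']}")
```

Run it against a cloned assessment directory instead of the sample (`audit_repo("/path/to/clone")`) before opening the folder in an editor or running `npm install`; anything it reports should be inspected in a plain text viewer, and the whole exercise is best done in a disposable VM. The heuristics are deliberately narrow, so an empty result is not a clean bill of health, only the absence of these particular hooks.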
TL;DR
- North Korean operatives now use real, hijacked LinkedIn accounts with verified emails and badges to apply for remote IT positions
- The scheme generates revenue for weapons programs while enabling espionage, data theft, and extortion over stolen data
- Parallel "Contagious Interview" campaign uses fake recruiters and malicious technical assessments to deploy malware like BeaverTail, InvisibleFerret, and Koalemos RAT
- Norwegian businesses confirmed as recent victims; funds are laundered through sophisticated cryptocurrency techniques
- Organizations must validate account ownership, verify email addresses, and implement enhanced screening for remote IT positions
Source: The Hacker News: DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies