Image: Rakesh Krishnan
A new report from Threat Intel Researcher Rakesh Krishnan sheds light on the growing threat posed by North Korean IT workers who are infiltrating the global remote job market using fake identities, deepfakes, and compromised platforms. The findings reveal how these operations fund the regime’s weapons programs while exposing vulnerabilities in global hiring practices.
The report highlights how North Korean operatives have established a strong presence on public developer ecosystems. As Krishnan notes, “DPRK IT Workers have been extensively using Code-Sharing Platforms like GitHub to secure new remote jobs.”
Investigators uncovered around 50 active GitHub accounts tied to suspected DPRK workers, with repositories spanning web apps, Android projects, ReactJS, NodeJS, Docker, and blockchain tools. Notably, several accounts linked to this activity were later deactivated, but many remain active, creating a persistent risk.
Beyond GitHub, these workers also populate platforms like CodeSandbox, Freelancer, RemoteHub, CrowdWorks JP, and Medium to attract employers. “The area of interest spans across Matlab, WebRTC, Google Firebase, AWS, Digital Ocean, Jekyll, Docker, React JS, Node JS, Android Apps, etc.”
The deception extends into resumes and identities. According to the report, “While analyzing each worker’s Freelancing Workplaces, I came to know that they have adopted several nationalities: the US, Ukraine, Poland, Japan, Canada, Russia, and Spain.”
These fabricated resumes—often hosted on LaborX, FlowCV, or custom-built Vercel websites—feature falsified job titles such as Senior Laravel Developer (US), Full Stack Developer (Kazakhstan), Blockchain Developer (Canada), and AI Architect (US).
Alarmingly, some resumes included AI-generated deepfake portraits. Krishnan explains, “A quick glance at the above image will be a genuine image for an untrained eye… With the help of SightEngine, an AI detector, I found the result as DeepFake.”
The report connects these IT workers to several high-profile security incidents:
- Operation Dream Job (2020): Conducted by Lazarus, targeting aerospace and defense job seekers across 12+ countries.
- KnowBe4 Hiring Scandal (2024): The cybersecurity firm unknowingly hired a DPRK worker using a deepfake-enhanced resume.
- Christina Chapman Laptop Farm (2019–2023): A U.S. facilitator hosted laptops for DPRK workers, laundering $17M for the regime.
- Bybit Heist (2025): Lazarus stole $1.4–$1.5 billion in crypto assets during a cold wallet transfer.
The report stresses, “Secret IT workers generate $250m-$600m annually for North Korea, according to a UN Security Council report published in March 2024.”
The findings also emphasize the Russia–North Korea nexus. With labor shortages due to the Ukraine war, Russia has quietly absorbed DPRK IT workers despite UN bans. Krishnan observes: “Recently, it came into the limelight that there is a sudden increase in the recruitment of North Korean Workers in Russia as they lacked a labor force due to the Ukraine Invasion.”
Additionally, DPRK groups like Kimsuky have leveraged Russian infrastructure, including email services and IP addresses, for credential theft and cryptocurrency exchange attacks. The report warns that China’s historical ties to North Korea could further complicate future attribution and enforcement.