[Figure: InvisibleFerret infection chain (Source: Recorded Future and Zscaler)]
Cybersecurity researchers at Insikt Group have uncovered a sophisticated North Korean IT worker scam designed to infiltrate global tech companies, steal sensitive data, and fund the regime’s military programs. The report exposes how North Korean operatives secure remote jobs under false identities, violating international sanctions while posing critical security threats.
The operation, which has targeted multiple sectors including cryptocurrency, software development, and more, is spearheaded by PurpleBravo (formerly TAG-120), a North Korean-linked threat cluster that exploits hiring platforms, GitHub, and Telegram to embed operatives in Western companies.
“Beyond financial fraud, these IT workers have been linked to cyber espionage,” Insikt Group warns. “Organizations that unknowingly hire North Korean IT workers may be in violation of international sanctions, exposing themselves to legal and financial repercussions.”

The report outlines an alarming trend: North Korean IT specialists, disguised as legitimate developers, apply for freelance and full-time remote positions using forged identities and fake resumes. These operatives often:
- Use front companies mimicking real IT firms in China, India, Pakistan, Ukraine, and the U.S.
- Post fake job listings on hiring websites, GitHub, and Telegram to lure unsuspecting employers.
- Employ VPNs like Astrill VPN to conceal their North Korean origins and spoof IP addresses.
- Engage in cyber theft, introducing backdoors into corporate environments or exfiltrating sensitive data.
One of the key tactics is the use of fraudulent recruitment campaigns to gain insider access to high-value organizations. The Contagious Interview campaign, an attack method linked to PurpleBravo, specifically targets software developers in cryptocurrency firms, using malware-laden coding tests to compromise victims.
“PurpleBravo was active on at least three hiring websites, Telegram, and GitHub, regularly posting job advertisements and updating repositories,” Insikt Group reports.
Insikt Group has identified at least seven entities targeted by PurpleBravo, including:
- A market-making firm
- A blockchain software company
These attacks go beyond financial fraud; North Korean IT workers act as insider threats, providing critical intelligence to Pyongyang while embedding malware within corporate systems. The malware toolkit used in these operations includes:
- BeaverTail – A JavaScript infostealer designed to extract credentials and financial data.
- InvisibleFerret – A cross-platform Python backdoor for remote access and persistent control.
- OtterCookie – A stealthy malware tool that establishes long-term backdoor access.
“Insikt Group found evidence that PurpleBravo uses Astrill VPN to manage its command-and-control (C2) servers,” the report notes.
Beyond individual operatives, North Korea has established entire front companies to enhance its credibility. The TAG-121 cluster operates fake IT firms across China, imitating legitimate software businesses to secure contracts and funnel funds to the regime.
“Each front company spoofs a different legitimate organization by copying large parts of their website,” the report details. These deceptive entities allow North Korea to launder funds and avoid detection, deepening their access to global IT infrastructure.
Some identified front companies include:
- Shenyang Huguo Technology (huguotechltd[.]com)
- Pengzhou Trading (pengzhoutrading[.]com)
- Deep Sea Luc Co. Limited (deepsealuc[.]com)
By infiltrating major IT supply chains, these entities enable state-sponsored cyber espionage, funding North Korea’s sanctions-bypassing economic operations.
“While the threat posed by North Korean IT workers is a fraud issue, it is also a key component of a sophisticated cyber strategy that financially sustains an internationally sanctioned regime,” Insikt Group warns.