
Anonymization scheme associated with Void Dokkaebi | Image: Trend Micro
A revealing new report from Trend Micro uncovers how Russian IP infrastructure is playing a pivotal role in North Korea’s global cyber operations, powering everything from cryptocurrency thefts to fake job interviews designed to implant malware. This cooperation—or at the very least, strategic proximity and overlap—raises questions about cyber alliances in the shadowy corners of geopolitical conflict.
At the heart of the report is Void Dokkaebi, also known as Famous Chollima—a threat group aligned with the Democratic People’s Republic of Korea (DPRK). According to Trend Research:
“North Korea-aligned actors use the Russian IP ranges to connect to dozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services.”
These operations rely heavily on five specific Russian IP ranges located in Khasan and Khabarovsk, two regions known for their geographic and cultural links to North Korea. Khasan, for instance, lies just a mile from the DPRK border and hosts the Korea-Russia Friendship Bridge, over which a fiber optic cable was laid in 2017, believed to enhance North Korea’s internet reach.
Trend Micro researchers traced numerous attacks back to a fake blockchain company called BlockNovas[.]com, which posed as a Web3 startup on LinkedIn and other platforms. Applicants were asked to run code samples or install “camera updates” as part of the process, ultimately getting infected with malware like Beavertail, FrostyFerret, or GolangGhost.
“Applicants were enticed to download and execute malware to solve a fictitious problem with their laptop camera during an automated job interviewing process.”
Fake CTO profiles, credible LinkedIn presence, and GitLab repositories helped establish legitimacy. Even more disturbing: BlockNovas was found using instructional videos recorded from RDP sessions showing how to set up malware servers and crack crypto wallets.
The infrastructure reveals a layered anonymization stack:
- VPN services (notably Astrill VPN)
- RDP-accessed VPS servers
- Proxy tools like CCProxy
“The Russian IP ranges… connect to numerous VPS servers around the world using RDP and then do tasks from there, like communicating through apps like Skype, Telegram, Discord and Slack.”
Researchers identified direct connections between Russian IPs and command-and-control servers, including sessions logged at IP 188.43.33.251, which also received a Dropbox confirmation email during a malware setup video.
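As an added illustration, not taken from the article or from Trend Micro's report, the Python below sketches one way a defender could hunt for the hop pattern described above (an inbound RDP logon from a watchlisted source, followed shortly by an outbound RDP connection from the same host). The event records and the second watchlist range are constructed placeholders; the page names only the single IP 188.43.33.251, not the report's Russian ranges.

```python
import ipaddress
from datetime import datetime, timedelta

# Watchlist: the one source IP the article names, plus a CONSTRUCTED placeholder
# range (RFC 5737 documentation space) standing in for the report's Russian
# ranges, which this page does not list.
WATCHLIST = [ipaddress.ip_network("188.43.33.251/32"),
             ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample telemetry, not real data: (timestamp, host, kind, src, dst)
#   "rdp_in"  = successful remote interactive logon on host from src
#   "net_out" = outbound TCP connection from host to dst (ip:port)
EVENTS = [
    ("2025-04-01T08:00:00", "vps-01", "rdp_in",  "188.43.33.251", None),
    ("2025-04-01T08:03:10", "vps-01", "net_out", None, "198.51.100.7:3389"),
    ("2025-04-01T08:05:00", "vps-01", "net_out", None, "198.51.100.9:443"),
    ("2025-04-01T09:00:00", "vps-02", "rdp_in",  "192.0.2.44", None),
    ("2025-04-01T09:01:00", "vps-02", "net_out", None, "198.51.100.8:3389"),
    ("2025-04-01T10:00:00", "vps-03", "rdp_in",  "203.0.113.5", None),
    ("2025-04-01T12:00:00", "vps-03", "net_out", None, "198.51.100.10:3389"),
]

def watchlisted(ip):
    """True if ip falls inside any watchlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHLIST)

def find_rdp_hops(events, window=timedelta(minutes=30)):
    """Return (host, inbound_src, outbound_dst) for every host that accepted
    RDP from a watchlisted IP and then opened an outbound RDP (port 3389)
    connection within `window`: the VPS-as-relay pattern described above."""
    hits = []
    inbound = {}  # host -> (time, src) of latest watchlisted inbound RDP logon
    for ts, host, kind, src, dst in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "rdp_in" and watchlisted(src):
            inbound[host] = (t, src)
        elif kind == "net_out" and dst.endswith(":3389") and host in inbound:
            t0, src0 = inbound[host]
            if t - t0 <= window:
                hits.append((host, src0, dst))
    return hits

if __name__ == "__main__":
    for host, src, dst in find_rdp_hops(EVENTS):
        print(f"possible RDP relay: {src} -> {host} -> {dst}")
```

Only vps-01 is reported: vps-02's inbound source is not watchlisted, and vps-03's outbound RDP falls outside the 30-minute window.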
Void Dokkaebi’s primary mission appears to be stealing cryptocurrency from IT professionals in the U.S., Ukraine, Germany, and beyond. But that’s not where it ends.
“When initial access is established… handing over that access to teams more interested in espionage is a logical step.”
With code execution on developer machines, attackers can exfiltrate credentials, crypto keys, and sensitive corporate documents—and potentially escalate to cyber espionage.
While direct cooperation between Russian and North Korean governments is not conclusively proven, the infrastructure overlap is too coordinated—and too strategic—to ignore.
“It is plausible, with low to medium confidence, that some form of intentional cooperation or infrastructure sharing exists between North Korea and Russian entities.”
The rise of state-aligned cybercrime-as-a-service, facilitated by transnational infrastructure and fake online personas, signals a dangerous new era. The lines between espionage, cybercrime, and information warfare are blurring—one RDP session at a time.