{
	"id": "16904b16-0ca2-4b48-a242-17dfd407d093",
	"created_at": "2026-04-06T00:08:57.758256Z",
	"updated_at": "2026-04-10T03:21:59.677585Z",
	"deleted_at": null,
	"sha1_hash": "331a8b28c90929275e938e101c80de6811fa6303",
	"title": "Internet Crime Complaint Center (IC3)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41242,
	"plain_text": "Internet Crime Complaint Center (IC3)\r\nPublished: 2025-01-23 · Archived: 2026-04-05 19:50:41 UTC\r\nThe Federal Bureau of Investigation (FBI) is providing an update to previously shared guidance regarding\r\nDemocratic People's Republic of Korea (North Korea) Information Technology (IT) workers to raise public\r\nawareness of their increasingly malicious activity, which has recently included data extortion. FBI is warning the\r\npublic, private sector, and international community about North Korean IT workers' continued victimization of\r\nUS-based businesses. In recent months, in addition to data extortion, FBI has observed North Korean IT workers\r\nleveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.\r\nExtortion and Theft of Sensitive Company Data\r\nAfter being discovered on company networks, North Korean IT workers have extorted victims by holding\r\nstolen proprietary data and code hostage until the companies meet ransom demands. In some instances,\r\nNorth Korean IT workers have publicly released victim companies' proprietary code.\r\nNorth Korean IT workers have copied company code repositories, such as GitHub, to their own user\r\nprofiles and personal cloud accounts. 
While not uncommon among software developers, this activity\r\nrepresents a large-scale risk of theft of company code.\r\nNorth Korean IT workers could attempt to harvest sensitive company credentials and session cookies to\r\ninitiate work sessions from non-company devices and for further compromise opportunities.\r\nTips to Protect Your Business\r\nRecommendations for Data Monitoring\r\nPractice the Principle of Least Privilege on your networks, to include disabling local administrator accounts\r\nand limiting privileges for installing remote desktop applications.\r\nMonitor and investigate unusual network traffic, to include remote connections to devices or the\r\ninstallation/presence of prohibited remote desktop protocols or software. North Korean IT workers often\r\nhave multiple logins into one account in a short period of time from various IP addresses, often associated\r\nwith different countries.\r\nMonitor network logs and browser session activity to identify data exfiltration through easily accessible\r\nmeans such as shared drives, cloud accounts, and private code repositories.\r\nMonitor endpoints for the use of software that allows for multiple audio/video calls to take place\r\nconcurrently.\r\nRecommendations for Strengthening Remote-Hiring Processes\r\nImplement identity-verification processes during interviewing, onboarding, and throughout the\r\nemployment of any remote worker. Cross-check HR systems for other applicants with the same resume\r\ncontent and/or contact information. 
North Korean IT workers have been observed using artificial\r\nintelligence and face-swapping technology during video job interviews to obfuscate their true identities.\r\nEducate HR staff, hiring managers, and development teams regarding the North Korean IT worker threat,\r\nspecifically focusing on changes in address or payment platforms during the onboarding process.\r\nReview each applicant's communication accounts as North Korean IT workers have reused phone numbers\r\n(particularly voice-over-IP numbers) and email addresses, on multiple resumes purportedly belonging to\r\ndifferent applicants.\r\nVerify third-party staffing firms conduct robust hiring practices and routinely audit those practices.\r\nUse \"soft\" interview questions to ask applicants for specific details about their location or education\r\nbackground. North Korean IT workers often claim to have attended non-US educational institutions.\r\nCheck applicant resumes for typos and unusual nomenclature.\r\nComplete as much of the hiring and onboarding process as possible in person.\r\nReporting\r\nIf you suspect you have been approached or victimized by a North Korean IT worker, FBI recommends taking the\r\nfollowing actions:\r\nReport the suspicious activity to the FBI's Internet Crime Complaint Center (IC3) at www.IC3.gov as\r\nquickly as possible.\r\nEvaluate network activity from the suspected employee and their assigned device(s), and use internal\r\nintrusion-detection software to capture activity on the suspected device(s).\r\nReference\r\nIn 2022 and 2023, the United States, along with foreign partners, issued public advisories regarding how North\r\nKorean IT workers operate and provided red-flag indicators and due-diligence measures for businesses to avoid\r\nhiring North Korean freelance developers. 
In May 2024, FBI provided further guidance regarding North Korean\r\nIT workers and their use of witting and unwitting US-based individuals.\r\nSource: https://www.ic3.gov/PSA/2025/PSA250123",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.ic3.gov/PSA/2025/PSA250123"
	],
	"report_names": [
		"PSA250123"
	],
	"threat_actors": [],
	"ts_created_at": 1775434137,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/331a8b28c90929275e938e101c80de6811fa6303.pdf",
		"text": "https://archive.orkl.eu/331a8b28c90929275e938e101c80de6811fa6303.txt",
		"img": "https://archive.orkl.eu/331a8b28c90929275e938e101c80de6811fa6303.jpg"
	}
}