{
	"id": "c62bbd58-ba95-4c93-a84a-b2611c51d022",
	"created_at": "2026-04-06T01:30:18.993795Z",
	"updated_at": "2026-04-10T13:12:25.227563Z",
	"deleted_at": null,
	"sha1_hash": "36102b9cf0b1835f82faf657ce827e5d8fb4f049",
	"title": "The North Korea worker problem is bigger than you think",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42930,
	"plain_text": "The North Korea worker problem is bigger than you think\r\nBy Matt Kapko\r\nPublished: 2025-03-31 · Archived: 2026-04-06 00:16:49 UTC\r\nNorth Korean nationals have infiltrated businesses across the globe with a more expansive level of organization\r\nand deep-rooted access than previously thought, insider risk management firm DTEX told CyberScoop. \r\nThis swarm of technical North Korean experts isn’t just intruding businesses as ad hoc freelance IT workers;\r\nthey’ve gained full-time employment as engineers and specialists of various skill sets with the highest degree of\r\naccess in enterprise systems.\r\n“We work with a fair cross-section of the Fortune Global 2000 organizations, and right now we have active\r\ninvestigations going on with 7% of our customer base,” Mohan Koo, co-founder and president of DTEX, said in\r\nan interview. DTEX has a couple hundred customers and estimates thousands of critical infrastructure\r\norganizations have been infiltrated by North Korean operatives.\r\n“Some of the roles that we’re investigating, the infiltrators that we’re investigating right now, have actually got the\r\nkeys to the kingdom,” Koo said. “They have privileged-access rights. They have the ability to turn on access and\r\nturn off access for other workers. They have the ability to install and uninstall software. They have the ability to\r\nwrite code.”\r\nDTEX’s ongoing research indicates the North Korean regime’s yearslong scheme goes much deeper than contract\r\nwork and extends to roles beyond traditional IT. The Justice and Treasury Departments have issued indictments\r\nand sanctioned people and entities allegedly involved in North Korea’s effort to send thousands of specialized\r\ntechnical professionals outside of the country to secure freelance jobs under false pretenses and funnel their wages\r\nback to Pyongyang.\r\nMultiple threat hunters have observed a surge of insider threat activity linked to North Korea. 
Adam Meyers, head\r\nof CrowdStrike’s counter adversary operations, last month said a “tremendous amount of companies” have\r\nunknowingly hired North Koreans for technical development roles.\r\nNearly 40% of the incident response cases CrowdStrike worked on last year involving the North Korea state-backed group it tracks as Famous Chollima were insider-threat operations. Insider threats accounted for 5% of\r\nPalo Alto Networks’ Unit 42 incident response cases last year, and the number of those tied to North Korea tripled\r\nin 2024.\r\nOftentimes, organizations unknowingly hire multiple North Korean nationals. “It’s typically not just one,” said\r\nRob Schuett, director of insider intelligence investigations at DTEX. \r\n“A single compromise is just the beginning,” he said. “It’s kind of like an insect infestation in your home. You see\r\nthat one insect and you may be able to spray that one with chemicals and get rid of it, or move it outside.\r\nHowever, you know that in the walls and the cracks and the crevices there’s a bigger problem underfoot.”\r\nhttps://cyberscoop.com/north-korea-technical-workers-full-time-jobs/\r\nPage 1 of 4\n\nQuick pivots, hops to other networks\r\nOnce a North Korean national is hired and starts the employment onboarding process, they move quickly to\r\nfurther infiltrate the organization. \r\nThey move into virtual desktop infrastructure environments, using access granted from one entity to pivot to a\r\nthird party, often a trusted partner.\r\n“That opens up the whole threat of the supply chain being infiltrated, and that’s a very, very complex problem,”\r\nKoo said. \r\nDTEX’s investigation into insider threats backed by North Korea reached an “alarming conclusion,” Koo said, a\r\nshocking reality that the extent of known compromise is widespread and likely more prevalent than confirmed\r\nthus far. 
\r\n“We’re only really catching the dumb ones, the ones that are making OpSec mistakes, and they’re pivoting around\r\nin places that we didn’t know were infiltrated,” Schuett said. This means North Korean technical workers are\r\nprobably operating in dozens of infiltrated organizations, including those they aren’t employed by,\r\nsimultaneously. \r\nNorth Korean nationals are also installing various remote access tools, which are approved for use and often blend\r\ninto typical onboarding activities, when most employees set up and gain initial access to work systems.\r\n“They’re using a specific identity and a specific individual to gain employment, and that individual’s skill set is\r\nspecifically targeted to gain employment at the organization,” Koo said. “But once they’ve gained employment,\r\nit’s just an access right, and then they use these remote tools to enable the others to do the work.”\r\nNorth Koreans are doing the job — better than most\r\nThe threat posed by North Korean technical workers stands out, compared to other nation-state backed activity,\r\nbecause they’re doing the work companies are paying them to do. “In some cases, they’re doing a better job than\r\nmost,” Koo said.\r\nWith multiple people performing tasks assigned to one person, pulling in assistance from thousands of experts in\r\nany given field, these employees may become rock stars in the eyes of their employer. To the organization, it\r\nlooks like their best employee is doing an inordinate amount of work.\r\nYet, DTEX discovered multiple red flags as it began tracking suspected North Korean workers’ activities on their\r\nwork machines. 
\r\n“What we see with the DPRK worker is completely anomalous compared to everybody else, meaning you’ll see a\r\nlogin time that runs an extremely long amount of time and then there is no logout activity,” Schuett said.\r\n“They’ll run impossible amounts of times for a human being to endure to work, so they’ll go like four to five days\r\nat a time before you’ll see another logout, if you even see one,” he said.\r\nThis heightened and unimaginable level of productivity occurs because North Korean workers open remote\r\nsessions and share their desktop with other alleged co-conspirators with similar specialized skills. Spikes in\r\nactivity are attributed to the handover period, from one shift worker to the next, or when multiple people are\r\nworking side by side, shadowing each other.\r\nWhile the average time lapsed between North Korean worker logins and logoffs or the unlocking and locking of\r\nmachines is six to seven days, DTEX observed one instance of unrelenting activity that went on for three weeks.\r\nFinancially motivated by salaries now, but what’s next?\r\nFor now, North Korean technical workers are focused on attaining employment, doing those jobs, and sending the\r\nmoney they earn back to Pyongyang. \r\nNorth Korean technical workers generate hundreds of millions of dollars for the North Korean regime, according\r\nto Unit 42.\r\nThe potential for follow-on activity, including espionage, extortion and disruptive attacks on critical infrastructure\r\nis abundant.\r\n“For any of us to be naive enough to think that that’s all they’re ever going to do is ridiculous,” Koo said. 
“We\r\nhave to be vigilant because, at the point that they decide to weaponize in a different way, they have the access to\r\ndo it.”\r\nWhile it remains hypothetical, Koo said it’s “inconceivable” to think North Korean technical professionals\r\nworking for an unknown number of businesses around the globe won’t plant a backdoor, switch off critical\r\ninfrastructure or otherwise commit sabotage at some point.\r\n“It just requires the right point in time where they have that motivation to do so,” he said. \r\nSecurity professionals acknowledge it’s difficult for organizations to identify a potential insider threat from job\r\napplicants, but not impossible. \r\nRequiring remote job candidates to be on camera and show government-issued identification is a good practice,\r\nbut not fool-proof. Paying attention to what people do on camera — looking away, possibly taking prompts from\r\nsomeone else helping them through the interview — can provide meaningful insights, Schuett said.\r\n“We can see other people in the room with them taking an interview,” Schuett said. “I don’t know about you, but\r\nwhen I’m applying for a job, I’m probably not doing it in a Starbucks or some other public location.”\r\nOther potential tells include long pauses and inconsistencies on candidates’ resumes, such as claimed expertise in\r\ntechnologies before they were developed and widely available.\r\nHuman resources professionals and recruiters are the first line of defense against North Korean insider threats. But\r\nif they pass that stage and make it to employment, companies can still look for idiosyncrasies, such as lack of\r\ncommunication in meetings, emails or collaboration platforms, to spot potential problems.\r\nNorth Korean technical workers “don’t ask how your kid did in soccer last night,” Schuett said. 
“They don’t talk\r\nabout the new, cool restaurant they found, because they can’t.”\r\nSource: https://cyberscoop.com/north-korea-technical-workers-full-time-jobs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberscoop.com/north-korea-technical-workers-full-time-jobs/"
	],
	"report_names": [
		"north-korea-technical-workers-full-time-jobs"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439018,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36102b9cf0b1835f82faf657ce827e5d8fb4f049.pdf",
		"text": "https://archive.orkl.eu/36102b9cf0b1835f82faf657ce827e5d8fb4f049.txt",
		"img": "https://archive.orkl.eu/36102b9cf0b1835f82faf657ce827e5d8fb4f049.jpg"
	}
}