{
	"id": "cd2914b7-3d46-4728-8d04-71aa0d9afde0",
	"created_at": "2026-04-06T00:16:01.599505Z",
	"updated_at": "2026-04-10T03:36:17.188585Z",
	"deleted_at": null,
	"sha1_hash": "56adf824e620fffa433647d8e6c3a7b90c8677cb",
	"title": "North Korea’s Fraudulent IT Employment Scheme: A Cybersecurity Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91636,
	"plain_text": "North Korea’s Fraudulent IT Employment Scheme: A\r\nCybersecurity Threat\r\nBy Insikt Group®\r\nArchived: 2026-04-05 14:15:02 UTC\r\nExecutive Summary\r\nIn an era in which remote work has become the norm, North Korea has seized the opportunity to manipulate\r\nhiring processes, using fraudulent information technology (IT) employment to generate revenue for the regime.\r\nNorth Korean IT workers infiltrate international companies and secure remote positions under false identities.\r\nThese operatives not only violate international sanctions but also pose severe cybersecurity threats, engaging in\r\nfraud and data theft and potentially disrupting business operations.\r\nBeyond financial fraud, these IT workers have been linked to cyber espionage. Insikt Group tracks PurpleBravo\r\n(formerly Threat Activity Group 120 [TAG-120]), a North Korean-linked cluster that overlaps with the\r\n“Contagious Interview” campaign, which primarily targets software developers in the cryptocurrency industry.\r\nThe campaign employs malware such as BeaverTail, an infostealer that gathers sensitive information;\r\nInvisibleFerret, a cross-platform Python backdoor; and OtterCookie, a tool used to establish persistent access on\r\ncompromised systems. At least three organizations in the broader cryptocurrency space were targeted by\r\nPurpleBravo between October and November 2024: a market-making company, an online casino, and a software\r\ndevelopment company.\r\nThe findings also highlight North Korea’s expansion into other areas of fraud, with the establishment of front\r\ncompanies that mimic legitimate IT firms. TAG-121, a separate cluster of activity, has been identified as operating\r\na network of these companies across China. Each front company spoofs a different legitimate organization by\r\ncopying large parts of their website. 
These entities create an added layer of deniability and make detection more\r\nchallenging, allowing North Korean actors to further embed themselves in global IT supply chains.\r\nThe implications of this threat are far-reaching. Organizations that unknowingly hire North Korean IT workers\r\nmay be in violation of international sanctions, exposing themselves to legal and financial repercussions. More\r\ncritically, these workers almost certainly act as insider threats, stealing proprietary information, introducing\r\nbackdoors, or facilitating larger cyber operations. Given North Korea’s history of financial theft, the risks extend\r\nbeyond individual companies to the broader global financial system and national security interests.\r\nTo mitigate these threats, organizations must adopt stringent identity verification measures, ensuring that remote\r\nhires undergo thorough screening. This includes requiring video interviews, notarized identification documents,\r\nand continuous monitoring of remote workers for anomalies. Employers should also implement technical controls\r\nhttps://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat\r\nPage 1 of 6\n\nto detect unauthorized access, restrict data exposure, and flag suspicious remote connections. Awareness and\r\ntraining for human resources (HR) teams and IT security personnel are essential in preventing these actors from\r\ninfiltrating critical business operations.\r\nWhile the threat posed by North Korean IT workers is a fraud issue, it is also a key component of a sophisticated\r\ncyber strategy that financially sustains an internationally sanctioned regime. 
As these operations continue to\r\nevolve, businesses, governments, and cybersecurity organizations must work together to close the gaps that enable\r\nNorth Korea to exploit the remote work environment.\r\nKey Findings\r\nNorth Korea’s use of IT workers to secure fraudulent employment and execute coordinated cyber\r\ncampaigns highlights its evolving tactics to fund its military programs while undermining global\r\nintellectual property security.\r\nInsikt Group assesses that PurpleBravo has targeted at least seven entities, three of which are in the\r\ncryptocurrency sector, including a market-making firm, an online casino, and a software company.\r\nInsikt Group found evidence that PurpleBravo uses Astrill VPN to manage its command-and-control (C2)\r\nservers.\r\nPurpleBravo was found posting job advertisements on at least three hiring websites, Telegram, and GitHub.\r\nInsikt Group identified at least seven suspected North Korean-linked front companies operating in China\r\nspoofing legitimate IT firms in China, India, Pakistan, Ukraine, and the United States (US).\r\nOrganizations should implement robust technical safeguards, such as, where feasible, disabling remote\r\ndesktop software, conducting regular checks of open ports across networks, deploying insider threat\r\nmonitoring, and geolocating devices.\r\nInsikt Group expects to continue to see groups like PurpleBravo and TAG-121 exploit the remote work\r\nenvironment, threatening global IT supply chains and intellectual property.\r\nNorth Korea’s shift toward fraudulent remote employment and front companies will likely outpace\r\ntraditional hiring protocol checks, driving organizations and governments to adopt more rigorous identity\r\nverification, enhanced remote work security, and robust international intelligence-sharing to counter this\r\nexpanding threat.\r\nBackground\r\nOn January 23, 2025, the US Department of Justice (US DOJ) indicted two North Korean nationals and three\r\nfacilitators for 
remote worker fraud that enriched the North Korean regime. In the indictment, the US DOJ\r\ndescribed a six-year scheme in which two US citizens and one Mexican national conspired with North Korean IT\r\nworkers to remotely work for at least 64 US companies. Payments from ten companies generated at least $866,255\r\nin revenue that was laundered through a Chinese bank account. In addition to the indictment, stories of\r\norganizations and individuals that have come across North Korean IT workers can be regularly found in open\r\nsources (1, 2, 3). Besides sanctions violations, the threat from these workers, whether stealing sensitive data or\r\ninstalling malware on internal systems, presents unique challenges to organizations, especially in remote work\r\nenvironments.\r\nNorth Korea remains highly isolated from the outside world due to the regime’s strict control over goods, people,\r\nand information, as well as international sanctions placed upon the country. Despite this, Pyongyang’s leadership\r\nis well-versed in exploiting emerging technologies to fund its operations. As sanctions have tightened, the regime\r\nadapted by escalating illicit activities, including smuggling and cybercrime. In recent years, the regime has\r\nachieved significant success in stealing from traditional financial institutions and digital assets like\r\ncryptocurrency. Between 2020 and 2024, the rise of remote work created new opportunities for North Korea to\r\ndeploy skilled IT workers who infiltrate global companies under false identities. 
Their activities directly support\r\nthe regime’s military programs while posing a significant threat to industries reliant on intellectual property.\r\nResearch into North Korean IT workers has focused on the following aspects of the threat: North Korean IT\r\nworkers gaining fraudulent employment through proxies; North Korean front companies, often in the software\r\ndevelopment space, imitating legitimate organizations; and fake employment opportunities targeting software\r\ndevelopers in cryptocurrency and AI, among other industries. Other research has established links between IT\r\nworkers and ongoing malicious campaigns by North Korean threat actors.\r\nThreat Analysis\r\nPurpleBravo\r\nThe Contagious Interview campaign, first documented in November 2023, targeted software developers primarily\r\nin the cryptocurrency space and was attributed to North Korea. The campaign used the JavaScript infostealer\r\nBeaverTail, the cross-platform Python backdoor InvisibleFerret, and most recently OtterCookie, a new backdoor\r\nidentified in December 2024. The group responsible for this activity is known as CL-STA-0240, Famous\r\nChollima, and Tenacious Pungsan in open sources. Insikt Group has given this cluster of activity the designation\r\nPurpleBravo (formerly TAG-120).\r\nPurpleBravo’s Fraudulent Profiles\r\nOn December 3, 2024, a developer posted a blog about their experience with a suspected PurpleBravo operator.\r\nAn individual claiming to be a recruiter contacted them about a job offer and then followed up with an interview.\r\nDuring the interview, the interviewer asked the developer to download a coding challenge from a repository. The\r\ndeveloper realized there was a malicious function in the file and ended the interview. 
While the developer does not\r\nattribute the malware or actor, Insikt Group assesses with high confidence the file is a BeaverTail infostealer.\r\nThe interviewer used a LinkedIn account with the name Javier Fiesco, who describes themself as the CTO of\r\nAgencyHill99. Further investigation into Javier Fiesco uncovered an individual with the same name available for\r\nwork on remote3, a Web3 development job board. The website agencyhill99[.]com was registered on Hostinger on\r\nSeptember 13, 2024. As of early February 2025, this website no longer resolved, but it previously displayed a\r\nHostinger landing page. Research into AgencyHill99 uncovered a job posting seeking a developer with blockchain\r\nknowledge on levels[.]fyi, with the following contact info:\r\nContact us: alexander@agencyhill99[.]com\r\nRecruiter: vision.founder1004@gmail[.]com\r\nPivoting on the text in the job description returned two private job postings on Upwork (1, 2). Additionally, a\r\nprofile with the name of Lucifer, and what appears to be an AI-generated headshot, who works for AgencyHill99\r\nwas observed on the website DoraHacks, which is a hackathon, bounty, and grant organization. The profile on\r\nDoraHacks states that AgencyHill99 is looking to hire a developer. Insikt Group also discovered a company with\r\nthe name Agencyhill99 on the website Intch, a part-time and remote job platform. The company posted a “Part-Time IT Developer Opportunity” by an individual with the name Newton Curtis, who is a recruiter at\r\nAgencyHill99.\r\nInsikt Group found several posts in Telegram channels from individuals with @agencyhill99[.]com email\r\naddresses advertising jobs. 
Below is a summary of the posts:\r\nOn September 16, 2024, an account with the username Dale_V and email address\r\nayat@agencyhill99[.]com posted in the Telegram channel “freelancerclients” that they were looking to hire\r\na developer.\r\nOn September 26, 2024, an account with the username jaxtonhol and email address\r\nysai@agencyhill99[.]com posted in the Telegram channel “indeedemploijobeur” that they were looking to\r\nhire a developer. On the same day, the account Dale_V using the email ysai@agencyhill99[.]com posted in\r\nthe Telegram channel “cryptolux_b” that they were looking to hire a blockchain developer. They posted the\r\nsame message in the “itkita”, “andexzuxiaomichat”, and “usvacancy” channels. On September 27, 2024,\r\nDale_V posted the same message in the “crypto_brazil” and “cryptolux_br” channels.\r\nOn October 2, 2024, Dale_V posted the same message with a new email address,\r\nsam@agencyhill99[.]com, in the “fortifiedx_chat”, “family_indonesia_uae_ph”, “cryptolux_br”, and\r\n“freelancerclients” channels.\r\nOn October 3, 2024, a user in an Indonesian-language Telegram channel posted a screenshot of an email\r\nmessage they received from PurpleBravo operators.\r\nOn October 9, 2024, Dale_V posted job advertisements in the “andexzuxiaomichat”,\r\n“family_indonesia_uae_ph”, “cryptolux_br”, “crypto_brazil”, and “freelancerclients” channels.\r\nOn October 22, 2024, Dale_V posted in the Telegram channel “hiringofm” seeking individuals to help\r\nmaintain a game called Destiny War, and added the X link, hxxps://twitter[.]com/destinywarnft. It is\r\nunclear if the actor controls this X account or game.\r\nOn November 13, 2024, the Telegram user jaxtonhol posted in the Telegram channel “near_jobs” seeking\r\nblockchain engineers. 
The same user posted again on December 7, 2024, in the same channel with the\r\nemail address ysai@agencyhill99[.]com.\r\nOn November 30, 2024, a Telegram user posted asking if a job offer on LinkedIn from the account\r\nmentioned above, Javier Fiesco associated with Agencyhill99, was legitimate and shared a screenshot of\r\nthe message.\r\nGitHub Repository\r\nInsikt Group discovered a GitHub repository named agencyhill99 with the email address\r\nadmin@agencyhill99[.]com. A GitHub user, dev-astro-star, made several commits to the repository between\r\nOctober 9 and 19, 2024. Based on the commits, it appears the website used Firebase, a Google backend service for\r\nweb applications. The user added a button to download a file at the Google Drive link\r\nhttps://drive.google[.]com/uc?id=166zcmpqj-C7NPltm4iwRolz8XuxqZIXt, which is no longer accessible. The\r\nemail address admin@agencyhill99[.]com was also added to the repository, along with the Telegram channel\r\nhxxps://t[.]me/+2AurfGZWxZo0MDgx, which is also no longer live. The user also added a download link to\r\nhxxp://65.108.20[.]73/BattleTank[.]exe, which is no longer live and was later updated to\r\nhxxp://65.108.20[.]73[:]3000/BattleTank[.]exe. Port 3000 was open from October 20, 2024, to November 22,\r\n2024, on 65.108.20[.]73. The link was then updated to hxxp://locahost[:]3000/BattleTank[.]rar.\r\nPurpleBravo Malware and Infrastructure\r\nPurpleBravo uses the malware families BeaverTail, InvisibleFerret, and OtterCookie. BeaverTail is a malware\r\nfamily initially distributed via NPM packages as a JavaScript payload and later as executables and downloaders\r\ntargeting Windows and macOS environments. BeaverTail also acts as an infostealer, gathering cryptocurrency\r\nwallet and browser information. 
InvisibleFerret is a collection of post-compromise payloads that collectively act\r\nas a backdoor in victim environments. InvisibleFerret introduces additional malicious payloads into victim\r\nenvironments, performs information stealing and fingerprinting actions within the victim environment, and\r\nleverages legitimate protocols and software for C2 communications. Like InvisibleFerret, OtterCookie is a post-compromise malware family used as a backdoor, which establishes C2 connectivity via Socket[.]IO, receives and\r\nexecutes shell commands from C2 servers, and exfiltrates sensitive victim data.\r\nInsikt Group analyzed BeaverTail, InvisibleFerret, and OtterCookie malware samples (See Appendix B for\r\nrelated file hashes). The BeaverTail samples were identified as PE variants targeting Windows environments.\r\nThese samples included URLs linked to freeconference[.]com, a legitimate conferencing website, which aligns\r\nwith Unit42’s findings of Contagious Interview payloads posing as FreeConference executables. 
The OtterCookie\r\nsamples were two separate versions of the malware family; however, static analysis of these samples included\r\nstrings that demonstrated both samples’ ability to gather and send system fingerprinting information to attacker C2\r\nservers, including strings that indicated OtterCookie is capable of identifying cryptocurrency assets and sensitive\r\ninformation found in specific file types by using regex patterns, including executables, photos, and config and env\r\nfiles, among others.\r\nThe InvisibleFerret samples analyzed were Python scripts with the following functionalities:\r\nDetermining victim device location via local IP address lookup\r\nFingerprinting device details (user and hostname)\r\nConnecting to a Base64-encoded C2 address via HTTP POST requests\r\nPerforming local directory discovery using hard-coded strings\r\nCreating a reverse shell for SSH session management and data exfiltration\r\nCopying clipboard data, keylogging, and tracking mouse movements.\r\nPrevious samples of InvisibleFerret were analyzed by Zscaler, which described a two-part infection chain in which\r\nthe initial reconnaissance took place over HTTP traffic and FTP was used for data exfiltration, as shown in Figure\r\n2.\r\nInsikt Group identified 21 PurpleBravo servers between August 2024 and February 2025 (see Appendix B for the\r\ncomplete list). The majority of servers use Tier[.]Net hosting, with Majestic Hosting, Stark Industries, Leaseweb\r\nSingapore, and Kaopu Cloud HK also being used in this campaign. Insikt Group has previously observed other\r\nNorth Korean threat groups favor many of these hosting providers. In addition to the C2 servers, using Recorded\r\nFuture Network Intelligence, Insikt Group observed at least seven suspected victims between September 2024 and\r\nFebruary 13, 2025. 
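The two-part chain described above (reconnaissance over HTTP, then FTP for exfiltration to the same C2) can be turned into a simple network detection. The Python script below is an added example written for this page; it is not Insikt Group tooling and not code from the report. The C2 block list (RFC 5737 documentation addresses), the hostnames, the flow records and the two-hour pairing window are all constructed assumptions. In a real deployment the block list would be populated from the report's Appendix B indicators and the flows would come from a NetFlow, Zeek conn.log or firewall export.

```python
# Added example (not from the Insikt Group report): flag HTTP contact followed
# by FTP to the same destination from the same host, the recon-then-exfil
# sequence described for BeaverTail/InvisibleFerret. All data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical block list of C2 addresses. RFC 5737 test addresses, not
# real indicators; in practice load the Appendix B list here.
KNOWN_C2 = {'203.0.113.10', '203.0.113.77'}

# Constructed flow log: timestamp, source host, destination IP, destination port.
SAMPLE_FLOWS = '''
2024-10-03T09:14:02 dev-ws-17 203.0.113.10 80
2024-10-03T09:14:05 dev-ws-17 203.0.113.10 80
2024-10-03T09:21:40 dev-ws-17 203.0.113.10 21
2024-10-03T10:02:11 dev-ws-42 198.51.100.5 80
2024-10-03T10:05:00 dev-ws-42 198.51.100.5 21
2024-10-04T08:00:00 dev-ws-17 203.0.113.77 80
2024-10-04T12:30:00 dev-ws-17 203.0.113.77 21
'''

# Assumed maximum gap between the HTTP beacon and the FTP session.
EXFIL_WINDOW = timedelta(hours=2)
# Ports treated as the HTTP leg of the chain (assumption; tune to the environment).
HTTP_PORTS = (80, 8080)
FTP_PORT = 21


def parse_flows(text):
    # Returns a list of (datetime, src_host, dst_ip, dst_port) tuples.
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def detect(flows, known_c2=KNOWN_C2, window=EXFIL_WINDOW):
    # Two independent signals:
    #   c2_contact            any flow to a listed C2 address
    #   recon_then_ftp_<sev>  FTP from host H to destination D within the window
    #                         after H spoke HTTP to D; high if D is a known C2,
    #                         medium if D is not yet on the list
    # Each alert is (kind, src_host, dst_ip, iso_timestamp).
    alerts = []
    http_seen = defaultdict(list)  # (src, dst) -> timestamps of HTTP contact
    for ts, src, dst, port in sorted(flows):
        if dst in known_c2:
            alerts.append(('c2_contact', src, dst, ts.isoformat()))
        if port in HTTP_PORTS:
            http_seen[(src, dst)].append(ts)
        elif port == FTP_PORT:
            recent = [t for t in http_seen[(src, dst)] if ts - t <= window]
            if recent:
                sev = 'high' if dst in known_c2 else 'medium'
                alerts.append(('recon_then_ftp_' + sev, src, dst, ts.isoformat()))
    return alerts


if __name__ == '__main__':
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

On the constructed data, dev-ws-17 produces a high-severity pairing on October 3 because the FTP session follows two HTTP contacts with a listed C2 within minutes; dev-ws-42 produces a medium-severity pairing against an unlisted address, which is the case worth triaging since the report's server list is a snapshot; and the October 4 FTP session to 203.0.113.77 produces only a plain c2_contact alert because it falls outside the two-hour window, which is the caveat to remember when choosing the window for a given environment.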
The victims are located in at least six countries, including the United Arab Emirates, Costa\r\nRica, India, Vietnam, Türkiye, and South Korea. Open-source research identified Astrill VPN as a favored service\r\nby North Korean IT workers, with evidence that they use the service with remote administration tools. Insikt\r\nGroup also observed network traffic between known Astrill VPN endpoints and PurpleBravo servers,\r\ncorroborating this connection.\r\nAt least three victims in the cryptocurrency space were identified in the findings summarized below:\r\nOn October 3, 2024, Insikt Group observed likely reconnaissance traffic between a BeaverTail C2 and a\r\nmarket-making company in the cryptocurrency space based in the United Arab Emirates. Shortly after the\r\nreconnaissance traffic, we observed likely exfiltration FTP traffic between the same IP addresses.\r\nOn October 15, 2024, Insikt Group observed likely reconnaissance traffic between a BeaverTail C2 and a\r\ngambling company that offers online games and sells slot machines in the cryptocurrency space. The\r\ncompany is registered in Costa Rica. Reconnaissance traffic followed by FTP exfiltration traffic was\r\nobserved between the C2 and the company's infrastructure on November 25 and 26, 2024.\r\nOn October 2, 2024, Insikt Group observed potential FTP exfiltration traffic between a BeaverTail C2 and\r\na software development company based in India that builds blockchain, AI, and mobile, among other\r\napplications.\r\nTo read the entire analysis, click here to download the report as a PDF.\r\nSource: https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat"
	],
	"report_names": [
		"inside-the-scam-north-koreas-it-worker-threat"
	],
	"threat_actors": [
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240 ",
				"Purplebravo Recorded Future",
				"Storm-1877 ",
				"Tenacious Pungsan "
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56adf824e620fffa433647d8e6c3a7b90c8677cb.pdf",
		"text": "https://archive.orkl.eu/56adf824e620fffa433647d8e6c3a7b90c8677cb.txt",
		"img": "https://archive.orkl.eu/56adf824e620fffa433647d8e6c3a7b90c8677cb.jpg"
	}
}