DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies
North Korean Hackers Escalate IT Worker Fraud with Stolen LinkedIn Identities
In a brazen new escalation of cyber deception, North Korean IT workers are now hijacking real LinkedIn profiles to apply for remote jobs, using verified workplace emails and identity badges to lend an air of legitimacy to their fraudulent schemes.
Security researchers from the Security Alliance (SEAL) revealed that operatives from the Democratic People’s Republic of Korea (DPRK) have moved beyond traditional fake profiles, instead impersonating actual professionals on LinkedIn to infiltrate Western companies and generate revenue streams that directly fund North Korea’s weapons programs.
This sophisticated scam, tracked under multiple aliases including Jasper Sleet, PurpleDelta, and Wagemole, represents one of the most persistent cyber threats facing global businesses today. The operation has evolved into a “high-volume revenue engine” for the regime, according to cybersecurity firm Silent Push, enabling North Korean operatives to gain administrative access to sensitive codebases and establish persistent footholds within corporate infrastructure.
Once hired and paid, these fraudulent workers launder their salaries through cryptocurrency. Blockchain analysis firm Chainalysis reports that DPRK operatives use chain-hopping and token swapping through decentralized exchanges and bridge protocols to obscure the trail of funds, making the money substantially harder to trace back to its source.
The threat has become so pervasive that the Norwegian Police Security Service (PST) recently issued a warning about “several cases” over the past year where Norwegian businesses were tricked into hiring North Korean IT workers in remote positions. PST emphasized that the salaries paid to these operatives likely finance North Korea’s weapons and nuclear weapons programs.
To combat this growing threat, security experts recommend that professionals whose identities may have been stolen post warnings on their social media accounts, clearly listing their official communication channels and verification methods. Companies are advised to implement strict verification protocols, such as requiring candidates to connect on LinkedIn during the hiring process to confirm account ownership. Note the limit of that check: a connection request only proves the applicant controls the profile, which is exactly what a hijacked account gives the operative, so pair it with an out-of-band step such as contacting the profile's listed employer through its published channels or holding a live video interview against government ID.
The Contagious Interview Campaign: A New Wave of Social Engineering
Running parallel to the IT worker scheme is an equally dangerous operation dubbed “Contagious Interview,” where North Korean hackers use fake hiring flows to lure tech workers with job offers on LinkedIn. The attack begins when individuals posing as recruiters and hiring managers instruct targets to complete skill assessments that ultimately lead to malware execution.
In one documented case, a hiring flow mimicking the digital asset infrastructure company Fireblocks asked candidates to clone GitHub repositories and run commands that installed malicious npm packages. The campaign employs "EtherHiding", a technique that stores next-stage payloads or command-and-control addresses in blockchain smart contracts: the attackers can rotate the contract's data at will, and because the chain cannot be taken down the way a hosting provider's server can, the infrastructure survives conventional takedowns.
Security researcher Ori Hershko explained that these steps trigger the execution of malicious code hidden within the project, resulting in malware being downloaded and executed on the victim’s system, giving attackers persistent access.
Recent variants of the Contagious Interview campaign have been observed using malicious Microsoft VS Code task files to execute JavaScript malware disguised as web fonts. These attacks ultimately deploy sophisticated tools like BeaverTail and InvisibleFerret, allowing persistent access and enabling the theft of cryptocurrency wallets and browser credentials, according to reports from Abstract Security and OpenSourceMalware.
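Both delivery paths above, npm lifecycle scripts that fire during `npm install` and VS Code tasks that fire when a folder is opened, can be checked before anything runs. The following is an added example written for this article, not code from the page or from any of the firms it cites: a small pre-install audit that reads a cloned repository's `package.json` and `.vscode/tasks.json`, lists everything that would execute automatically, and flags commands matching a few illustrative patterns. The sample manifests, the pattern list and the verdict thresholds are constructed for illustration.

```javascript
// Added example (not code from the page or the firms it cites): a pre-install
// hygiene check for a cloned "take-home assignment" repository. It flags the two
// auto-execution paths described in the article: npm lifecycle scripts that run
// during `npm install`, and VS Code tasks configured to run on folder open.
// The sample manifests and the pattern list are constructed for illustration.

const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall",
  "preprepare", "prepare", "postprepare",
  "prepublish",
];

// Heuristics, not a complete list: things that have no business in an install step.
const SUSPICIOUS_PATTERNS = [
  /\bnode\s+-e\b/i,                   // inline JavaScript evaluation
  /\b(?:curl|wget)\b/i,               // downloading during install
  /\bchild_process\b|\bexecSync\b/i,  // spawning further processes
  /\beval\s*\(/i,
  /\.(?:woff2?|ttf|otf|eot)\b/i,      // a "font" file handed to an interpreter
  /base64/i,
];

function isSuspicious(command) {
  return SUSPICIOUS_PATTERNS.some((re) => re.test(command));
}

// Lifecycle scripts from package.json; npm runs these automatically on install.
function findLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({
      source: "package.json",
      name: hook,
      command: scripts[hook],
      suspicious: isSuspicious(scripts[hook]),
    }));
}

// Tasks from .vscode/tasks.json whose runOptions.runOn is "folderOpen"; VS Code
// starts these when the folder is opened in a trusted workspace.
function findAutoRunTasks(tasksJson) {
  const tasks = tasksJson && Array.isArray(tasksJson.tasks) ? tasksJson.tasks : [];
  return tasks
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => {
      const command = [t.command, ...(t.args || [])].filter(Boolean).join(" ");
      return {
        source: ".vscode/tasks.json",
        name: t.label || "(unnamed)",
        command,
        suspicious: isSuspicious(command),
      };
    });
}

// Verdict: "block" if any auto-run command matched a pattern, "review" if there
// are auto-run hooks that need a human look, "ok" if nothing runs automatically.
function auditRepo({ packageJson, tasksJson }) {
  const findings = [...findLifecycleScripts(packageJson), ...findAutoRunTasks(tasksJson)];
  let verdict = "ok";
  if (findings.length > 0) verdict = findings.some((f) => f.suspicious) ? "block" : "review";
  return { verdict, findings };
}

// Constructed sample manifests modelled on the campaign described in the article.
const SAMPLE_PACKAGE_JSON = {
  name: "take-home-assignment",
  version: "1.0.0",
  scripts: {
    test: "jest",
    postinstall: "node -e \"require('child_process').execSync('node assets/fonts/icons.woff2')\"",
  },
};

const SAMPLE_TASKS_JSON = {
  version: "2.0.0",
  tasks: [
    { label: "Build", type: "shell", command: "npm run build" },
    {
      label: "Environment setup",
      type: "shell",
      command: "node",
      args: [".vscode/fonts/roboto.woff"],
      runOptions: { runOn: "folderOpen" },
      presentation: { reveal: "never" },
    },
  ],
};

console.log(JSON.stringify(
  auditRepo({ packageJson: SAMPLE_PACKAGE_JSON, tasksJson: SAMPLE_TASKS_JSON }), null, 2));
```

In practice the audit complements two settings rather than replacing them: run `npm install --ignore-scripts` on any repository received as part of a hiring process, and open unfamiliar folders in VS Code's Restricted Mode, since automatic tasks only run once a workspace has been trusted.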
The Koalemos RAT: A Modular JavaScript Threat
Another variant documented by Panther security researchers involves the deployment of Koalemos, a modular JavaScript remote access trojan (RAT) framework delivered through malicious npm packages. This RAT enters a beacon loop, retrieving tasks from external servers, executing them, sending encrypted responses, and sleeping for random intervals before repeating the cycle.
Koalemos supports 12 commands covering filesystem operations, file transfer, discovery (such as whoami), and arbitrary code execution. Before downloading the next stage and spawning it as a detached process, the RAT gates execution on a DNS lookup and on an engagement date window; once past those checks it gives attackers full remote access to the host.
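The beacon loop described above (fetch tasks, execute, report, sleep a random interval, repeat) leaves a network signature that is worth hunting for even when the implant itself is not known. The following is an added example written for this article, not Panther's code and not Koalemos itself: a detector that groups web-proxy requests by source host and destination, measures the gaps between consecutive requests, and reports pairs whose gaps stay inside a narrow band, which is what a sleep of base plus random jitter produces and interactive browsing does not. The log format, the sample lines and the thresholds are constructed assumptions.

```javascript
// Added example (not Panther's code and not Koalemos itself): a detector for the
// beacon-and-sleep pattern described in the article, run over constructed
// web-proxy log lines. Assumed format, one request per line:
//   <ISO timestamp> <source IP> <method> <URL> <status>
// The thresholds (minimum events, allowed spread of gaps) are illustrative.

// Constructed sample: 10.1.2.3 polls one host every 38-71 seconds; 10.1.2.4 browses
// normally; 10.1.2.3 also makes three unrelated requests. Lines are deliberately
// out of order to show that the detector sorts by time.
const SAMPLE_PROXY_LOG = `
2024-05-01T10:00:00Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:00:00Z 10.1.2.4 GET https://www.example.org/ 200
2024-05-01T10:00:02Z 10.1.2.4 GET https://www.example.org/news 200
2024-05-01T10:00:45Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:00:03Z 10.1.2.4 GET https://www.example.org/news/1 200
2024-05-01T10:01:47Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:01:00Z 10.1.2.3 GET https://www.example.org/ 200
2024-05-01T10:02:25Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:04:03Z 10.1.2.4 GET https://www.example.org/search 200
2024-05-01T10:03:36Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:02:00Z 10.1.2.3 GET https://www.example.org/about 200
2024-05-01T10:04:06Z 10.1.2.4 GET https://www.example.org/search?q=2 200
2024-05-01T10:04:31Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:04:07Z 10.1.2.4 GET https://www.example.org/item/7 200
2024-05-01T10:05:20Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:03:00Z 10.1.2.3 GET https://www.example.org/contact 200
2024-05-01T10:14:07Z 10.1.2.4 GET https://www.example.org/ 200
2024-05-01T10:06:26Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:14:09Z 10.1.2.4 GET https://www.example.org/login 200
2024-05-01T10:07:06Z 10.1.2.3 GET https://updates.example-cdn.net/tasks 200
2024-05-01T10:29:09Z 10.1.2.4 GET https://www.example.org/logout 200
`;

function parseProxyLog(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const [ts, src, method, url, status] = line.split(/\s+/);
      return { time: Date.parse(ts), src, method, host: new URL(url).host, status: Number(status) };
    });
}

function median(sortedNums) {
  const mid = Math.floor(sortedNums.length / 2);
  return sortedNums.length % 2 === 0
    ? (sortedNums[mid - 1] + sortedNums[mid]) / 2
    : sortedNums[mid];
}

// Report (src, host) pairs with at least minEvents requests whose inter-request
// gaps are all within a factor of maxSpreadRatio of each other.
function findBeacons(logText, { minEvents = 8, maxSpreadRatio = 4 } = {}) {
  const groups = new Map();
  for (const r of parseProxyLog(logText)) {
    const key = `${r.src} -> ${r.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r.time);
  }
  const beacons = [];
  for (const [key, times] of groups) {
    if (times.length < minEvents) continue;
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push((times[i] - times[i - 1]) / 1000);
    const sorted = [...gaps].sort((a, b) => a - b);
    const minGap = sorted[0];
    const maxGap = sorted[sorted.length - 1];
    // A zero gap (burst) or a wide spread is interactive traffic, not a sleep loop.
    if (minGap <= 0 || maxGap / minGap > maxSpreadRatio) continue;
    const [src, host] = key.split(" -> ");
    beacons.push({ src, host, count: times.length, minGap, maxGap, medianGap: median(sorted) });
  }
  return beacons;
}

console.log(findBeacons(SAMPLE_PROXY_LOG));
```

The spread ratio is the knob that matters: a fixed sleep gives a ratio near 1, a randomised sleep stays bounded by its jitter range, and human traffic spans orders of magnitude. Since the article notes that the RAT also gates execution on a DNS lookup, the same grouping applied to resolver logs (source, queried name) is a useful second view of the same beacon.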
North Korea’s Cyber Army Splits into Specialized Units
In a significant development, cybersecurity firm CrowdStrike revealed that the prolific North Korean hacking crew known as Labyrinth Chollima has evolved into three separate clusters with distinct objectives and tradecraft: the core Labyrinth Chollima group, Golden Chollima (also known as AppleJeus, Citrine Sleet, and UNC4736), and Pressure Chollima (aka Jade Sleet, TraderTraitor, and UNC4899).
Despite their newfound independence, these adversaries continue to share tools and infrastructure, suggesting centralized coordination within the DPRK cyber apparatus. Golden Chollima focuses on consistent, smaller-scale cryptocurrency thefts in economically developed regions, while Pressure Chollima pursues high-value heists targeting organizations with significant digital asset holdings.
Labyrinth Chollima, meanwhile, focuses on cyber espionage, using sophisticated tools like the FudModule rootkit to achieve stealth. The group is also attributed to Operation Dream Job, another job-centered social engineering campaign designed to deliver malware for intelligence gathering.
CrowdStrike noted that shared infrastructure elements and tool cross-pollination indicate these units maintain close coordination, employing remarkably similar tradecraft including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages.