North Korean hackers are deploying a sophisticated scheme, posing as legitimate remote IT workers to infiltrate companies globally and funnel illicit funds back to Pyongyang, according to recent cybersecurity research. This operation, active since at least 2017, has evolved into a multi-continental enterprise, targeting new industries and larger organizations. The primary goal is to generate revenue to support the regime’s weapons programs, circumventing international sanctions.
State-sponsored operatives meticulously craft stolen identities, fabricate impressive resumes, and secure fake professional credentials to land remote software development roles. These individuals have successfully gained employment, particularly in the United States and Europe. During virtual interviews, they often steer conversations away from video calls, citing technical issues, while an accomplice typically appears on camera. Individual operatives can earn substantial salaries, potentially up to $300,000 annually, with a significant portion, estimated at up to 90 percent, reportedly remitted to North Korea to fund its missile and weapons of mass destruction initiatives.
VPN Abuse and Residential IP Deception by North Korean Hackers
A critical element of this widespread cybersecurity threat involves the covert use of virtual private networks (VPNs) to obscure the operatives’ true locations. Analysis by Team Cymru, prompted by a cryptocurrency security researcher’s flagging of the domain luckyguys[.]site, revealed extensive network activity linked to this infrastructure. This domain was identified as being associated with payments made by DPRK-connected fake IT workers.
At the time of analysis, the domain resolved to IP address 163.245.219[.]19. Researchers examining 30 days of network traffic associated with this infrastructure uncovered a broader operational picture. The findings illustrate how these operatives communicate, manage their activities, and transfer funds without immediately alerting security teams.
The investigation highlighted a heavy reliance on specific VPN services to mask their origins. Astrill VPN accounted for 37.5 percent of observed traffic, followed by Mullvad at 32.25 percent, and Proton VPN at 6.25 percent. These services enable the operatives to route their internet traffic through exit nodes located in the United States, creating the illusion of being ordinary domestic employees.
Furthermore, network activity analysis revealed connections to popular services like Gmail, ChatGPT, and Workana. Workana, a freelance platform, has emerged as a notable channel through which these threat actors seek remote employment under false pretenses.
Adding to their operational sophistication, the group also employs techniques to mask their network presence more effectively. Team Cymru’s research indicated communication with both American and Latvian residential IP addresses during the review period. This strongly suggests the utilization of home-based systems or so-called laptop farms, where actual laptops provided by employers are managed from residences overseen by U.S.-based facilitators.
The rapid decline in network traffic observed immediately after the public disclosure of the luckyguys[.]site domain underscores the operators’ vigilance. This swift abandonment of identified infrastructure is a well-documented pattern of behavior by the Democratic People’s Republic of Korea (DPRK), indicative of their strategy to quickly pivot once their operations are exposed.
In response to escalating law enforcement pressure, particularly in the United States, these North Korean IT worker schemes have become increasingly aggressive. Since late 2024, operatives have reportedly escalated their tactics to include extortion, stealing sensitive data and source code from their employers before demanding ransom payments. In March 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned six individuals and two entities deemed directly involved in these fraudulent activities. Various threat intelligence teams also track this operation under aliases such as Coral Sleet, PurpleDelta, and Wagemole.
Organizations are advised to implement several key recommendations based on these findings. Residential IP addresses should no longer be assumed to be inherently trustworthy, as they can be components of proxy or money laundering networks. Increased scrutiny of VPN usage, particularly from providers previously linked to DPRK activity, is warranted as a potential risk indicator. Freelance hiring channels, especially those operating on global platforms, represent a significant infiltration vector that requires enhanced vetting during employee onboarding. Network traffic connecting to the IP addresses 216.158.225[.]144 and 163.245.219[.]19 should be flagged for immediate investigation. Particular caution is advised for residential IPs exhibiting proxy-hosting behavior, as these may be part of the infrastructure supporting malicious operations.
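As an added detection example (not from the article or from Team Cymru), the following Python applies the recommendations above to constructed proxy log lines: it refangs the two IoCs quoted in the article, flags any connection to them, and labels sessions that arrive from VPN egress prefixes. The log layout, the prefix-to-provider map and the sample lines are assumptions; real VPN egress ranges must come from a maintained intelligence feed.

```python
import ipaddress
import re

def refang(ioc: str) -> str:
    """Undo the [.] defanging used when IoCs are published."""
    return ioc.replace("[.]", ".")

# IoCs quoted in the article, stored defanged so the list is safe to share.
DEFANGED_IOCS = ["216.158.225[.]144", "163.245.219[.]19"]
IOC_ADDRESSES = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}

# Constructed placeholder map from egress prefix to the providers the article names.
# These TEST-NET prefixes are NOT real ranges; load them from a VPN-egress feed.
VPN_EGRESS_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "Astrill VPN",
    ipaddress.ip_network("203.0.113.0/24"): "Mullvad",
}

# Assumed log layout: "<timestamp> src=<ip> dst=<ip> host=<sni-or-dash>".
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)$")

# Constructed sample: one issued laptop reaching both IoCs, one SSO login via VPN egress.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z src=10.20.30.40 dst=163.245.219.19 host=luckyguys.site
2024-01-01T09:00:05Z src=10.20.30.41 dst=192.0.2.10 host=mail.example.net
2024-01-01T09:01:12Z src=203.0.113.77 dst=10.0.0.5 host=sso.corp.example
2024-01-01T09:02:30Z src=10.20.30.40 dst=216.158.225.144 host=-
"""

def vpn_provider(ip: str):
    """Return the VPN provider whose egress prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, name in VPN_EGRESS_PREFIXES.items():
        if addr in net:
            return name
    return None

def scan(log_text: str) -> list:
    """One finding per log line that reaches an IoC or arrives from VPN egress."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        if ipaddress.ip_address(m["dst"]) in IOC_ADDRESSES:
            findings.append({"ts": m["ts"], "src": m["src"], "reason": f"destination {m['dst']} is a published IoC"})
        provider = vpn_provider(m["src"])
        if provider:
            findings.append({"ts": m["ts"], "src": m["src"], "reason": f"session originates from {provider} egress"})
    return findings
```

Running `scan(SAMPLE_LOG)` yields three findings: two for the laptop 10.20.30.40 reaching the published IoCs and one for the SSO login arriving from the placeholder Mullvad prefix.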
The continued evolution of these tactics by North Korean state-sponsored groups highlights the ongoing need for robust cybersecurity measures and international cooperation. The reliance on disguised identities and sophisticated network masking techniques presents an evolving challenge for businesses worldwide. Future efforts will likely focus on further attribution and the disruption of the financial flows that sustain these cybercrime operations.