
North Korea exploits job market in latest cyberattacks: report
In its ongoing campaign to evade sanctions and raise funds, North Korea's innovative hacking army has turned to the international job market, using artificial intelligence (AI) to pose as remote IT workers and offering fake IT jobs to gain access to western companies' cloud systems.
North Korea, or the Democratic People's Republic of Korea (DPRK), has been continuously under some form of sanction since the end of the Korean War in 1953, primarily trade and financial restrictions from the United States. However, the sanctions were dramatically expanded in 2006 after North Korea's first test of its nuclear weapon program, with a number of countries and international bodies imposing additional investment, financial assistance, and travel sanctions.
Up until Russia's illegal invasion of Ukraine in February 2022, North Korea was the most sanctioned country in the world.
Naturally, these sanctions have taken a toll. Accurate data for North Korea can be hard to come by, but in 2023, the Bank of Korea (BOK) estimated North Korea's gross domestic product (GDP) at around $29.6 billion, which would place it around 109th in the world. For comparison, South Korea is 15th, at around $1.7 trillion.
In recent years, North Korea has increasingly turned to hacking and cyberattacks as a way to make and launder money, with the digital asset and blockchain space proving particularly fruitful.
The social media gateway
Last week, Google Cloud published its H2 2025 Cloud Threat Horizons Report, which revealed that the 'Google Threat Intelligence Group' is 'actively tracking' UNC4899, a North Korean hacking operation that successfully hacked two companies after contacting employees via social media.
In both cases, 'under the guise of freelance opportunities for software development work,' UNC4899 attackers successfully convinced the targeted employees of the companies to download and run malware, which established connections between the hacker-controlled command-and-control infrastructures and the target companies' cloud-based systems.
After gaining access, UNC4899 conducted 'several internal reconnaissance activities on the victims' hosts and connected environments, before obtaining credential materials they used to pivot to the victims' cloud environments.'
Eventually, the hacking group had the necessary credentials and information to transfer 'millions worth of cryptocurrency' out of company accounts.
According to cloud security firm Wiz, which also reported on the UNC4899 hacks, this type of cyberattack falls within a cluster of such activity referred to by the U.S. government as 'TraderTraitor.'
'TraderTraitor has conducted several major campaigns since 2020, all sharing common tactics (social engineering, trojanized malware or code) but targeting different parts of the cryptocurrency ecosystem,' explained Wiz.
The U.S. Treasury confirmed that the North Korea-backed entities behind TraderTraitor are tracked as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.
The first of these, Lazarus Group, is the notorious North Korean hacking organization behind, among other attacks, the record-breaking February 2025 hack of digital asset exchange Bybit, in which the group stole $1.4 billion worth of Ethereum's ETH token, the largest exploit of its kind.
Financial gain is the primary strategic objective of TraderTraitor, but Wiz also warned that it 'may also pursue strategic espionage objectives in the crypto/blockchain sector,' with reports indicating the attackers appear to seek to acquire sensitive cryptocurrency intellectual property and technology.
While infiltrating companies by offering freelance work to existing employees has seen some notable successes for North Korean hackers, it's not the only employment-related avenue proving profitable for the country.
Wolves in sheep's clothing
On August 4, U.S.-based cybersecurity giant CrowdStrike released its '2025 Threat Hunting Report,' in which it highlighted the rise of the 'enterprising adversary.'
In the context of North Korea, the company identified more than 320 incidents over the past 12 months in which state operatives gained fraudulent employment as remote software developers for Western companies.
According to CrowdStrike, this marks a 220% increase from the previous year.
Essentially, the scheme involves North Korean actors using false identities, resumes, and work histories, usually generated by artificial intelligence, to gain employment and earn money for the regime. The fake employees, many of whom don't speak English fluently, then use sophisticated AI to do the majority of the work required of them.
CrowdStrike identified the North Korean hacking group dubbed 'Famous Chollima' as one of the principal offenders, conducting insider threat operations at 'an exceptionally high operational tempo.'
'Famous Chollima has been able to sustain this pace by interweaving GenAI-powered tools that automate and optimize workflows at every stage of the hiring and employment process,' said the report. This includes using generative AI and other AI-powered tools to draft resumes, modify or 'deepfake' their appearance during remote interviews, and translate for them.
'Once hired, Famous Chollima IT workers use GenAI code assistants (such as Microsoft Copilot or VSCodium) and GenAI translation tools to assist with daily tasks and correspondence related to their legitimate job functions,' explained the report. 'These operatives are not fluent in English, likely work three or four jobs simultaneously, and require GenAI to complete their work and manage and respond to multiple streams of communication.'
Once employed, these operatives can also use their position and credentials to gain access to sensitive company data, which they can later use to extort the company.
In this part of the operation, AI tools again come in useful to hackers, as CrowdStrike noted: 'They are using publicly available models to aid their reconnaissance, vulnerability research, and phishing campaign content and payload development.'
CrowdStrike recommended several measures to reduce these attacks, including enhanced identity verification processes during the hiring phase, real-time deepfake challenges during interview or employment assessment sessions, and training programs designed to teach hiring managers and IT personnel to recognize potential insider threats using AI tools.