
North Korean IT Worker Scam Escalates With Stolen LinkedIn Identities

North Korean IT operatives are taking their remote work scams a step further. Instead of relying only on fake profiles, they are now submitting job applications using real LinkedIn accounts stolen or impersonated from legitimate professionals.

According to the Security Alliance (SEAL), these accounts often include verified company email addresses and identity badges, making the applicants appear credible at first glance. The goal is simple: blend in well enough to pass early screening and secure remote roles.

This activity is part of a long-running operation in which individuals linked to the Democratic People’s Republic of Korea pose as overseas IT workers. Using stolen or fabricated identities, they target companies across the U.S., Europe, and other regions. Within the cybersecurity community, this activity is tracked under multiple names, including Jasper Sleet, PurpleDelta, and Wagemole.

The scheme serves multiple purposes. Salaries earned through these jobs help generate revenue for North Korea’s weapons programs. At the same time, the attackers gain access to internal systems, sensitive data, and proprietary code. In some cases, the operation escalates into extortion, with threats to leak stolen information unless ransoms are paid.

Cybersecurity firm Silent Push recently described the operation as a large-scale revenue machine, noting that the roles these operatives obtain often come with administrative access to critical environments. Because they hold legitimate accounts and use the same tools and workflows as genuine employees, the operatives can embed themselves quietly in corporate networks, and their activity is hard to separate from normal work.

Once payments are received, the funds are laundered through cryptocurrency. Chainalysis reported that DPRK-linked actors rely heavily on techniques like token swapping and chain-hopping. By moving assets across decentralized exchanges and blockchain bridges, they make it far more difficult to trace the money back to its source.

To reduce the risk, SEAL recommends that individuals who suspect their identities are being misused publicly clarify their official contact channels on social media. Employers are also urged to verify that a candidate actually controls the accounts they list. Simple steps, such as asking applicants to connect via LinkedIn using their stated email address, can quickly expose impersonation attempts.

The issue is not limited to one region. Norway’s Police Security Service recently warned that several local companies were affected over the past year after unknowingly hiring what were likely North Korean IT workers for remote roles. Authorities believe the income from these positions ultimately supports North Korea’s military and nuclear programs.

Alongside these job fraud efforts is another social engineering campaign known as “Contagious Interview.” In this scheme, attackers pose as recruiters and lure professionals into fake hiring processes. Victims are asked to complete technical assessments that secretly deliver malware.

In one incident, attackers mimicked the hiring workflow of a well-known digital asset infrastructure company. Candidates were instructed to clone a GitHub repository and run its setup commands, which installed a malicious npm package and triggered the infection.

Some versions of this campaign use a technique called EtherHiding, in which smart contracts on public blockchains are abused to store command-and-control details (such as the location of the next payload stage) that the malware reads back at run time. Because the contract data is served by the blockchain itself rather than by a server that can be seized, this approach makes takedowns more difficult and helps the malware stay operational longer.

More recent variants have shifted tactics again, embedding malicious commands in Microsoft VS Code task files (.vscode/tasks.json) shipped with the lure repository. These tasks execute JavaScript malware stored under file names that look like harmless web fonts, eventually deploying tools like BeaverTail and InvisibleFerret. Once installed, these implants enable long-term access and theft of browser data and cryptocurrency wallets.

Another related threat involves a modular JavaScript remote access trojan known as Koalemos. Delivered through malicious npm packages, the malware is loaded by an initial script that checks DNS conditions and validates timing before execution. Once active, Koalemos communicates with external servers, executes commands, transfers files, and periodically sleeps to avoid detection.

The trojan supports a wide range of functions, including system discovery, filesystem access, and arbitrary code execution. Several npm packages tied to this activity have already been identified.

At a broader level, CrowdStrike reports that the North Korean group known as Labyrinth Chollima has split into three specialized units. Each focuses on different objectives, ranging from cryptocurrency theft to high-end espionage. While these subgroups operate independently, they continue to share infrastructure and tooling, pointing to centralized coordination.

Some units focus on frequent, smaller cryptocurrency thefts, while others pursue large, high-value targets using advanced implants. Labyrinth Chollima itself is primarily focused on intelligence collection and stealthy persistence, often relying on job-themed lures similar to those seen in the Contagious Interview campaign.

Despite evolving structures and branding, the tradecraft remains consistent. These groups rely heavily on social engineering, supply chain abuse, trojanized software, and malicious open-source packages. Together, they form a coordinated ecosystem that continues to exploit trust in hiring processes and developer tools worldwide.
