lazarusholic

Fraudulent North Korean IT Worker Schemes: From Insider Threats to Extortion

2024-10-16, SecureWorks
https://www.secureworks.com/blog/fraudulent-north-korean-it-worker-schemes
#ITWorker #NickelTapestry

Secureworks® Counter Threat Unit™ (CTU) researchers have observed patterns and evolutions in IT worker schemes linked to the North Korean government (officially the Democratic People’s Republic of Korea (DPRK)). In these schemes, North Korean nationals use stolen or falsified identities to obtain employment with Western companies under false pretenses. This activity has been documented in the U.S., UK, and Australia.
Across numerous investigations, Secureworks incident responders identified technical and behavioral characteristics associated with these schemes. In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes. In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024 (see Figure 1). Multiple observed characteristics align with previous fraud schemes conducted by the NICKEL TAPESTRY threat group, which has historically relied on fraudulent workers to generate revenue for the North Korean regime. These funds reportedly contribute to …