Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure
April 22, 2026
Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure & Post-Exposure Analysis
This investigation was initiated after reporting by cryptocurrency security researcher ZachXBT, who identified the domain luckyguys[.]site as being linked to payments associated with DPRK-linked fake IT workers. At the time of analysis, the domain resolved to 163.245.219[.]19, and this report examines 30 days of network activity associated with that infrastructure.
ZachXBT has an established track record of uncovering illicit financial activity within the cryptocurrency ecosystem, with prior disclosures frequently correlating with subsequent law enforcement action. As such, infrastructure identified in his reporting warrants heightened scrutiny.
VPN Usage Patterns
Analysis of VPN-related connections to the identified IP revealed a highly concentrated usage pattern:
- Astrill VPN: 37.5%
- Mullvad: 32.25%
- Proton VPN: 6.25%
The prominence of Astrill VPN is notable, as it has been repeatedly associated with DPRK IT worker activity in prior reporting by organizations such as GitLab and Flare.io.
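The provider-share analysis above can be reproduced on flow data with a few lines of Python. This is an added example, not code from the original report: it attributes each source IP of a connection to the monitored host to a VPN provider by CIDR match, computes each provider's share, and flags a dominant provider. The CIDR ranges and flow records are constructed placeholders (RFC 5737 test networks), not real provider egress ranges; a real run would load maintained egress lists for Astrill, Mullvad and Proton.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
# PLACEHOLDER ranges (RFC 5737 test networks), NOT real provider egress ranges;
# a real deployment would load provider egress lists from a maintained feed.
VPN_RANGES = {
    "Astrill VPN": [ip_network("203.0.113.0/25")],
    "Mullvad": [ip_network("198.51.100.0/25")],
    "Proton VPN": [ip_network("192.0.2.0/26")],
}

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2026-03-20T08:01:11Z 203.0.113.10 163.245.219.19 443
2026-03-20T08:03:54Z 203.0.113.11 163.245.219.19 443
2026-03-21T09:12:02Z 198.51.100.7 163.245.219.19 443
2026-03-22T10:44:31Z 203.0.113.12 163.245.219.19 443
2026-03-23T11:05:09Z 198.51.100.8 163.245.219.19 22
2026-03-24T12:30:45Z 192.0.2.5 163.245.219.19 443
2026-03-25T13:15:00Z 192.0.2.200 163.245.219.19 443
2026-03-26T14:22:18Z 203.0.113.13 163.245.219.19 443
"""

def provider_for(src_ip):
    """Return the VPN provider whose ranges contain src_ip, else None."""
    addr = ip_address(src_ip)
    for provider, nets in VPN_RANGES.items():
        if any(addr in net for net in nets):
            return provider
    return None

def vpn_share(flow_text, target_ip):
    """Percent of flows to target_ip attributed to each VPN provider."""
    counts, total = Counter(), 0
    for line in flow_text.splitlines():
        _ts, src, dst, _port = line.split()
        if dst != target_ip:
            continue
        total += 1  # count every flow, VPN or not, so shares are of all traffic
        provider = provider_for(src)
        if provider:
            counts[provider] += 1
    return {p: round(100.0 * n / total, 2) for p, n in counts.items()}

def dominant_provider(shares, threshold=30.0):
    """Provider holding at least `threshold` percent of flows, or None."""
    if not shares:
        return None
    provider, share = max(shares.items(), key=lambda kv: kv[1])
    return (provider, share) if share >= threshold else None
```

Flows from addresses outside every known range (192.0.2.200 above) still count toward the total, so a high share means concentration among all connections, not only among VPN-sourced ones.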
Temporal analysis further showed …
IoC
- luckyguys[.]site
- 163.245.219[.]19
- 216.158.225[.]144
References
- https://www.group-ib.com/blog/dprk-fake-remote-developers/
- https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/
- https://6068438.fs1.hubspotusercontent-na1.net/hubfs/6068438/dprk-it-worker-scam-mitigation.pdf
- https://flare.io/learn/resources/north-korean-infiltrator-threat