North Korea’s Cyber Strategy: IT Worker Infiltration and Threats to U.S. Cybersecurity
Intel and Analysis Team on October 6, 2025
Introduction
North Korea’s cyber strategy combines high-visibility, state-sponsored campaigns with low-visibility, revenue-driven infiltration in order to collect intelligence, cause disruption, and evade sanctions. Groups linked to the Democratic People’s Republic of Korea (DPRK), such as the Lazarus Group (aka APT38), Andariel, and Kimsuky, have executed some of the most high-profile state-sponsored attacks. These include the 2014 Sony Pictures breach, the 2016 Bangladesh Bank heist, and the 2017 WannaCry ransomware outbreak. Additional sophisticated operations include espionage campaigns against defense contractors and think tanks, and multimillion-dollar financial heists from cryptocurrency exchanges worldwide. Concurrently, Pyongyang fields thousands of “remote IT workers” who embed themselves in targeted organizations under the guise of legitimate software developers, system administrators, and cloud engineers. These remote IT workers operate through networks with codenames such as Jasper Sleet, Storm-1877, and Moonstone Sleet. The operatives leverage forged credentials, virtual private networks, and legitimate remote-management tools to establish insider access. Once hired by an organization, the operatives install backdoors, exfiltrate intellectual property, and facilitate follow-on ransomware or extortion attacks. Leading cybersecurity firms estimate that North Korean IT infiltrators have compromised hundreds of U.S. corporations, in sectors ranging from technology and manufacturing to transportation and defense. There is an immediate need for integrated defenses within the international community, including robust threat intelligence sharing, enhanced vetting, monitoring of remote personnel, and strengthened public-private collaboration to detect and deter both overt and covert DPRK cyber operations.[1],[2],[3],[4],[5],[6],[7],[8],[9],[10],[11]
Background and Strategic Objectives
North Korea’s cyber strategy emerged in the late 1990s with the establishment of Bureau 121, a highly secretive cyberwarfare agency within North Korea’s Reconnaissance General Bureau (RGB). The RGB is North Korea’s premier foreign intelligence agency, responsible for clandestine operations including intelligence gathering, psychological warfare, and special operations abroad. Over time, the regime has cultivated elite cyber talent through rigorous training at institutions like the University of Automation in Pyongyang, after which the RGB deploys operatives abroad to generate revenue and conduct cyberattacks. The Lazarus Group, which is among the most notorious North Korean advanced persistent threat (APT) units and widely believed to be a component of Bureau 121, gained global attention following the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack mentioned above. These events marked North Korea’s transition from regional cyber provocations to globally disruptive operations.[12],[13]
In addition to the Lazarus Group, the RGB also oversees the groups Kimsuky and Andariel. While Lazarus focuses on large-scale financial theft and disruptive malware attacks, Kimsuky specializes in espionage targeting think tanks, journalists, and government entities. Andariel conducts intrusions into defense and industrial systems, often stealing sensitive data. These groups frequently collaborate, as demonstrated in coordinated attacks on South Korean defense firms where each unit played a distinct role in infiltrating networks and exfiltrating data. The RGB’s centralized control ensures strategic alignment across the many operations and makes North Korea’s cyber network a potent extension of its geopolitical ambitions.[14],[15],[16]
North Korea’s cyber agenda has served as a critical tool for circumventing international sanctions and funding its weapons programs. Following the imposition of UN sanctions in 2016, the regime pivoted toward financially motivated cybercrime, particularly targeting cryptocurrency exchanges. In 2024 alone, North Korea reportedly stole $1.34 billion in digital assets, with the Lazarus Group breaching Bybit for a record $1.5 billion in 2025. These funds are believed to directly support Pyongyang’s nuclear and missile development programs. Beyond financial gain, North Korean cyber units aim to gather intelligence on adversaries. Focusing heavily on the United States and South Korea, the DPRK continuously strives to disrupt critical infrastructure, including at defense contractors and medical institutions. According to South Korea’s National Intelligence Service (NIS), 80% of cyberattack attempts against South Korea’s public sector by state-sponsored or international hacking groups are attributed to North Korea, amounting to approximately 1.3 million attempts per day. The use of disguised IT workers abroad further amplifies the regime’s reach, enabling covert infiltration of foreign systems under the guise of legitimate employment.[17],[18]
IT Worker Infiltration Tactics
The infiltration by North Korean IT workers is a state-backed initiative designed to generate revenue, gather intelligence, and enable broader cyber operations. Operatives present themselves as freelance developers or remote employees, often using stolen or fabricated identities to pass background checks. They employ VPNs, proxy servers, and remote monitoring tools to disguise their true location, frequently operating from North Korea, China, or Russia. Many of the would-be hires secure contracts through platforms like Upwork, Freelancer, LinkedIn, and GitHub, where they build convincing developer profiles and portfolios. Advanced deception techniques include AI-generated profile photos, voice-changing software, and falsified employment histories. Once hired, these workers may initially perform legitimate tasks to build trust before leveraging their access for data theft, financial fraud, or the insertion of malicious code.[6],[19]
The DPRK’s IT worker operations focus on sectors that provide both high revenue potential and valuable technical access. Software development roles are a primary target, offering opportunities to insert backdoors or exfiltrate proprietary code. Blockchain and cryptocurrency firms are especially attractive due to the regime’s emphasis on stealing digital assets to bypass sanctions. Campaigns such as “Contagious Interview” have specifically targeted crypto developers. Artificial intelligence companies are pursued for both commercial and military applications, while cybersecurity firms are infiltrated to gain insight into defensive tools and to exploit zero-day vulnerabilities. By embedding operatives in these industries, North Korea not only secures illicit income but also positions itself to undermine its adversaries’ infrastructure from within.[6],[8],[20],[21]
In one (1) documented case involving the U.S.-based fintech startup Starter Labs, a North Korean operative used a stolen American identity to secure a remote developer position within the company. The worker gained access to payment processing systems and sensitive financial Application Programming Interfaces (APIs). While initially delivering high-quality code, the operative quietly siphoned transaction data and credentials, which were later linked to fraudulent transfers and cryptocurrency theft. Investigators found that the individual had been operating from a “laptop farm” in China and had remotely accessed the company-issued device via AnyDesk. This infiltration not only caused direct financial losses but also exposed the firm to regulatory penalties for unknowingly employing a sanctioned worker. Another incident involved DPRK-linked actors using stolen credentials to infiltrate a U.S. software company’s private GitHub repository. The attackers posed as legitimate contractors and cloned sensitive source code for proprietary security tools. For weeks they maintained access by creating hidden admin accounts and leveraging proxy infrastructure to avoid detection. The stolen code was later tied to malware development efforts attributed to the Lazarus Group, suggesting the breach was part of a broader campaign to weaponize stolen intellectual property. This case underscores how infiltration by North Korean IT workers can serve as both a direct revenue stream and a force multiplier for state-sponsored cyber operations targeting the U.S. and its allies.[19],[21],[22],[23],[24]
Cyberattack Patterns and U.S. Vulnerabilities
In November 2014, the Lazarus Group launched a destructive cyberattack on Sony Pictures Entertainment. The breach was reportedly in retaliation for the comedy film, The Interview, which featured two (2) fictional American journalists tasked with interviewing Supreme Leader Kim Jong Un. The retaliatory cyberattack resulted in the theft and public release of vast amounts of confidential data including unreleased films, employee records, and internal communications. The attackers deployed wiper malware to destroy data on Sony’s systems, which crippled operations for weeks. This incident demonstrated North Korea’s willingness to use cyberattacks as a tool of political coercion, targeting not only infrastructure but also free expression in the U.S.
In May 2017, the WannaCry ransomware outbreak infected more than 200,000 systems across 150 countries, including at hospitals, corporations, and government agencies. The U.S. Department of Justice later charged a North Korean programmer for his role in developing and deploying the malware. WannaCry exploited a leaked NSA-developed Windows exploit, “EternalBlue,” to spread rapidly, encrypt files, and demand Bitcoin ransom payments. While the attack caused billions in damages globally, it also revealed North Korea’s capacity to weaponize advanced exploits for indiscriminate disruption, blurring the line between cybercrime and cyberwarfare. Additionally, in March 2022, the Lazarus Group was linked to the theft of approximately $615 million in cryptocurrency from the Ronin blockchain network, which supports the popular game Axie Infinity. The U.S. Department of the Treasury sanctioned the wallet address used in the heist and confirmed it was controlled by DPRK operatives. This attack highlighted North Korea’s strategic pivot toward targeting blockchain and decentralized finance platforms, exploiting their often-lax security to generate funds for weapons programs. It remains one (1) of the largest cryptocurrency thefts in history and a prime example of how cybercrime directly supports the regime’s geopolitical ambitions.[25],[26],[27]
North Korean cyber units employ a variety of attack vectors to infiltrate targets. Phishing and social engineering remain core DPRK tactics, with operatives posing as recruiters, investors, or colleagues to trick victims into downloading malware. Supply chain compromises have also emerged as a favored method, such as the 2023 JumpCloud incident, where DPRK actors inserted malicious code into a trusted software-as-a-service provider’s update processes to reach downstream customers. Additionally, North Korean hackers have demonstrated the ability to exploit zero-day vulnerabilities, favoring cryptocurrency platforms and defense-related systems as targets, to gain privileged access before patches are available. The widespread adoption of remote work has also expanded their attack surface. According to the Federal Bureau of Investigation (FBI), North Korean IT workers have successfully posed as U.S.-based contractors using a mix of stolen identities, AI-enhanced photos, and “laptop farms” in the United States to spoof local logins. Many companies lack robust identity verification processes for remote hires and rely on easily forged documents and virtual interviews. This decentralized hiring environment allows DPRK operatives to embed themselves in sensitive roles, from software development to cybersecurity, where they can exfiltrate proprietary data or insert malicious code. Despite repeated federal advisories, many private-sector organizations remain unaware of the scale and sophistication of North Korea’s cyber tactics. The FBI has warned that DPRK IT workers often blend legitimate work with covert operations, which makes detection difficult until significant damage is done. Smaller firms, startups, and even some large enterprises often underestimate the risk and may assume that they are too minor to be targeted. This lack of awareness, combined with insufficient employee training on phishing and social engineering, leaves U.S. businesses vulnerable to infiltration, data theft, and extortion while also directly funding North Korea’s sanctioned weapons programs.[28],[29],[30],[31],[32],[33]
Policy Recommendations
The FBI recommends mandatory background checks for all remote hires. These should include direct verification of prior employment and education with the listed institutions, cross-referencing of identification documents against multiple databases, and live on-camera verification to confirm the applicant’s location and identity. The FBI advises that companies should also scrutinize identifying documents for inconsistencies and require in-person or verified biometric checks whenever possible. Additionally, the FBI states that companies should delay granting system access until all vetting is complete. These measures can help prevent the onboarding of operatives using stolen or fabricated identities. Given that many DPRK operatives are embedded in software development roles, organizations could also deploy AI-driven anomaly detection tools to monitor code contributions and system interactions. Such tools can flag unusual coding patterns, unauthorized repository access, or the insertion of obscure code that could serve as a backdoor. Because North Korean IT workers combine legitimate work with covert malicious activity, behavioral analytics are essential for early detection. By integrating these systems into DevSecOps pipelines, companies can identify suspicious acts or access attempts in near real time and reduce the risk of long-term compromise. Human resources staff and hiring managers are often the first line of defense against infiltration, yet they may lack the training to spot red flags in applications or interviews. Regular cyber hygiene training should cover common DPRK tactics such as the use of AI-generated profile photos, deep-faked video interviews, and “facilitators” who attend meetings on behalf of operatives. Training could also emphasize the importance of verifying digital footprints, such as checking for duplicate or recycled resumes and recognizing anomalies in communication patterns. Equipping HR teams with this knowledge can significantly reduce the likelihood of inadvertently hiring a sanctioned individual.[1],[6],[7],[34]
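As an added illustration that is not part of the original article or any cited vendor’s tooling, the following Python sketch applies the behavioral-analytics idea above to constructed sample events: it scores a remote hire against the red flags the article describes (a remote-management tool such as AnyDesk starting on the company-issued device, logins arriving via VPN/proxy egress despite a U.S. geolocation, repository pushes during night hours in the declared timezone, and new admin accounts added to a repository). The usernames, repositories, ASN list, process names other than AnyDesk, weights and threshold are all assumptions.

```python
"""Score remote-hire activity against DPRK IT-worker red flags (added example).

All hire records, ASNs, process names and events below are constructed sample
data; a real deployment would consume EDR, identity-provider and Git audit logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed hire records: declared home country and UTC offset of the declared timezone.
HIRES = {
    "jdoe": {"declared_country": "US", "tz_offset_hours": -5},
    "asmith": {"declared_country": "US", "tz_offset_hours": -8},
}

# Constructed set of autonomous systems treated as commercial VPN/proxy egress.
VPN_ASNS = {"AS64500", "AS64501"}

# Remote-management binaries that should not appear on a developer laptop unannounced.
# AnyDesk is named in the article; the others are assumed additions.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Constructed events: (UTC timestamp, user, event type, details).
EVENTS = [
    ("2025-09-01T03:15:00Z", "jdoe", "process_start", {"image": "AnyDesk.exe", "host": "LT-JDOE"}),
    ("2025-09-01T03:20:00Z", "jdoe", "login", {"asn": "AS64500", "geo": "US"}),
    ("2025-09-01T07:40:00Z", "jdoe", "git_push", {"repo": "payments-api"}),
    ("2025-09-02T08:05:00Z", "jdoe", "repo_admin_added", {"repo": "payments-api", "new_admin": "svc-build2"}),
    ("2025-09-01T17:00:00Z", "asmith", "login", {"asn": "AS64600", "geo": "US"}),
    ("2025-09-01T18:30:00Z", "asmith", "git_push", {"repo": "web-frontend"}),
]

# Assumed weights: a single weak signal is not actionable; several together are.
WEIGHTS = {"remote_tool": 3, "vpn_egress": 2, "off_hours_push": 1, "new_admin": 3}
ALERT_THRESHOLD = 5


def local_hour(ts_utc: str, offset_hours: int) -> int:
    """Hour of day in the hire's declared timezone for a UTC timestamp."""
    dt = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (dt + timedelta(hours=offset_hours)).hour


def score_events(events, hires):
    """Return {user: {"score": int, "flags": [...]}} for every hire with at least one flag."""
    findings = defaultdict(lambda: {"score": 0, "flags": []})
    for ts, user, kind, d in events:
        hire = hires.get(user)
        if hire is None:
            continue
        flag = None
        if kind == "process_start" and d["image"].lower() in REMOTE_TOOLS:
            flag = "remote_tool"
        elif kind == "login" and d["asn"] in VPN_ASNS:
            # Geolocation says US, but the egress is a VPN/proxy: consistent with a laptop farm.
            flag = "vpn_egress"
        elif kind == "git_push":
            hour = local_hour(ts, hire["tz_offset_hours"])
            if hour < 6 or hour >= 22:
                flag = "off_hours_push"
        elif kind == "repo_admin_added":
            flag = "new_admin"
        if flag:
            findings[user]["score"] += WEIGHTS[flag]
            findings[user]["flags"].append(f"{ts} {flag}: {d}")
    return dict(findings)


def users_to_review(events=EVENTS, hires=HIRES, threshold=ALERT_THRESHOLD):
    """Sorted list of users whose combined score meets the review threshold."""
    return sorted(u for u, f in score_events(events, hires).items() if f["score"] >= threshold)


if __name__ == "__main__":
    for user, f in score_events(EVENTS, HIRES).items():
        print(user, f["score"], *f["flags"], sep="\n  ")
    print("review:", users_to_review())
```

In the constructed data only jdoe accumulates enough correlated signals (remote tool, VPN egress, a 02:40 local-time push and a new repository admin) to cross the threshold; asmith’s ordinary daytime activity produces no flags.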
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) will continue to expand sanctions against cryptocurrency wallets linked to DPRK cyber operations that are used to launder stolen digital assets, as in the Axie Infinity hack. Sanctioning these wallets disrupts the regime’s ability to convert stolen funds into usable currency and signals the importance of compliance to exchanges and DeFi platforms. Enhanced blockchain analytics partnerships between government agencies and private firms can further improve the identification and freezing of illicit funds before they are cashed out. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued multiple advisories on DPRK IT worker threats, but deeper operational collaboration with private firms is needed. This could include secure information-sharing platforms, joint threat-hunting exercises, and rapid incident response teams dedicated to suspected DPRK infiltration cases. By fostering real-time intelligence exchange, companies can receive actionable indicators of compromise (IOCs) and behavioral profiles of known DPRK tactics, techniques, and procedures (TTPs), enabling faster detection and mitigation. A sustained public awareness campaign, similar to those used for phishing and ransomware, could be launched to educate businesses, staffing agencies, and freelance platforms about the DPRK IT worker threat. Such a campaign could leverage case studies and red flag checklists, and provide reporting hotlines to encourage proactive defense measures. By normalizing vigilance and making infiltration awareness part of standard cybersecurity culture, the U.S. can reduce the pool of potential victims and disrupt lucrative and persistent cyber-enabled revenue streams for North Korea.[1],[35],[36]
Conclusion
North Korea’s IT worker infiltration campaign represents a calculated fusion of cybercrime, espionage, and sanctions evasion that exploits the structural vulnerabilities of the global remote work economy. By embedding DPRK operatives in U.S. and allied companies under fabricated or stolen identities, Pyongyang has created a low-cost, high-yield operational model for generating hard currency, stealing proprietary technology, and positioning itself for follow-on cyber operations. These actors leverage sophisticated tradecraft, such as AI-generated resumes, manipulated video feeds, VPN obfuscation, and U.S.-based facilitators, to bypass conventional hiring safeguards and gain trusted access to sensitive systems. The revenue from these operations, chiefly stolen cryptocurrency, directly funds the regime’s nuclear and ballistic missile programs and transforms what might appear to be isolated hiring fraud into a strategic national security threat. Countering this threat will require a sustained, multi-layered response that integrates corporate due diligence with government-led disruption campaigns. The private sector must adopt enhanced identity verification, continuous behavioral monitoring, and tailored training for HR staff and hiring managers to detect infiltration attempts before access is granted.[1],[23],[37]
[1] Federal Bureau of Investigation. (2025, July 23). North Korean IT Workers Threats to U.S. Businesses. DOJ. Retrieved from https://www.ic3.gov/PSA/2025/PSA250723-4.
[2] U.S. Department of the Treasury. (2020, March 2). Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group. Retrieved from https://home.treasury.gov/news/press-releases/sm924.
[3] United States Attorney’s Office. (2021, February 17). 3 North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyber-attacks and Financial Crimes Across the Globe. DOJ. Retrieved from https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyber-attacks-and.
[4] Bruce, T. (2025, July 8). Sanctioning Malicious North Korean Cyber Actors. Department of State. Retrieved from https://www.state.gov/releases/office-of-the-spokesperson/2025/07/sanctioning-malicious-north-korean-cyber-actors/.
[5] U.S. Department of State. (2025, August 27). U.S.-ROK-Japan Joint Statement on DPRK Information Technology Workers. Retrieved from https://www.state.gov/releases/2025/08/u-s-rok-japan-joint-statement-on-dprk-information-technology-workers/.
[6] Microsoft Threat Intelligence. (2025, June 30). Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations. Retrieved from https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/.
[7] Starks, C., Barnhart, M. et al. (2024, September 23). Staying a Step Ahead: Mitigating the DPRK IT Worker Threat. Google Cloud Threat Intelligence. Retrieved from https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat.
[8] Dutta, T. (2025, May 13). Researchers Uncovered North Korean Nationals Remote IT Worker Fraud Scheme. Cyber Security News. Retrieved from https://cybersecuritynews.com/remote-it-worker-fraud-scheme/.
[9] Johns Hopkins. (2017). The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace. Retrieved from https://apps.dtic.mil/sti/pdfs/AD1046744.pdf.
[10] Martelle, M. and Tropeano, R. (2019, February 20). Tainted Trove. National Security Archive. Retrieved from https://nsarchive.gwu.edu/news/cyber-vault/2019-02-20/tainted-trove.
[11] Cybersecurity & Infrastructure Security Agency. (2018, June 7). Indicators Associated with WannaCry Ransomware. CISA. Retrieved from https://www.cisa.gov/news-events/alerts/2017/05/12/indicators-associated-wannacry-ransomware#top.
[12] Wallace, Z. (2023, March 20). The Lazarus Group: Understanding North Korean Cybercrime. ThreatStop. Retrieved from https://www.threatstop.com/blog/the-lazarus-group-understanding-north-korean-cybercrime.
[13] Digital Finance News. (2025, August 9). An In-Depth Analysis of the Lazarus Group: North Korea’s State-Sponsored Cyber Entity. Retrieved from https://digitalfinancenews.com/research-reports/an-in-depth-analysis-of-the-lazarus-group-north-koreas-state-sponsored-cyber-entity/.
[14] Boram, P. (2024, April 23). 3 N.K. hacking groups execute concerted attacks on 10 S. Korean defense firms: police. Yonhap News Agency. Retrieved from https://en.yna.co.kr/view/AEN20240423004200315.
[15] Barnhart, M., Cantos, M. et al. (2022, March 23). Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations. Google Cloud Threat Intelligence. Retrieved from https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/.
[16] U.S. Department of the Treasury. (2019, September 13). Treasury Sanctions North Korea State-Sponsored Malicious Cyber Groups. Retrieved from https://home.treasury.gov/news/press-releases/sm774.
[17] Bae, S. (2025, April 1). Deterrence Under Pressure: Sustaining U.S.-ROK Cyber Cooperation Against North Korea. Center For Strategic & International Studies. Retrieved from https://www.csis.org/analysis/deterrence-under-pressure-sustaining-us-rok-cyber-cooperation-against-north-korea.
[18] Stent, D. (2024, May 27). How North Korea’s Cryptocurrency Theft Supports Foreign Policy Goals. Georgetown Journal of International Affairs. Retrieved from https://gjia.georgetown.edu/2024/05/27/how-north-koreas-cryptocurrency-theft-supports-foreign-policy-goals/.
[19] Dutta, T. (2025, March 20). North Korean IT Workers Exploiting GitHub to Attack Organizations Worldwide. Cybersecurity News. Retrieved from https://cybersecuritynews.com/north-korean-it-workers-exploiting-github/.
[20] Insikt Group. (2025, February 13). Cyber Threat Analysis: North Korea, Inside the Scam: North Korea’s IT Worker Threat. Recorded Future. Retrieved from https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-nk-2025-0213.pdf.
[21] FlashPoint. (2025, May 12). Flashpoint Investigation: Uncovering the DPRK’s Remote IT Worker Fraud Scheme. Retrieved from https://flashpoint.io/blog/flashpoint-investigation-uncovering-the-dprks-remote-it-worker-fraud-scheme/?CRO1=control_%233007.
[22] FINTECH Circle. (2025, April 14). How North Korea IT Workers Are Infiltrating Fortune 500 Companies-And What it Means for Global Cybersecurity. Retrieved from https://fintechcircle.com/insights/how-north-korean-it-workers-are-infiltrating-fortune-500-companies-and-what-it-means-for-global-cybersecurity/.
[23] Yee, I., Rebane, T. et al. (2025, August 5). Inside North Korea’s effort to infiltrate US Companies. CNN. Retrieved from https://www.cnn.com/interactive/2025/08/05/world/north-korea-it-worker-scheme-vis-intl-hnk/index.html.
[24] Himmelsbach, V. (2025, October 1). North Korean agents infiltrated Atlanta mans business as ‘super talented’ IT workers, then stole $1M in crypto. MSN. Retrieved from https://www.msn.com/en-us/crime/general/like-i-was-in-a-movie-north-korean-agents-infiltrated-this-atlanta-man-s-business-as-super-duper-talented-it-workers-then-stole-1m-in-crypto/ar-AA1NEKbd.
[25] Department of Justice. (2018, September 6). North Korea Regime-Backed Programmer Charged with Conspiracy to Conduct Multiple Cyber Attacks and Intrusions. DOJ. Retrieved from https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and.
[26] Kan, M. (2018, September 6). US Charges North Korea for WannaCry, Sony Pictures Hacks. PCMag. Retrieved from https://www.pcmag.com/news/us-charges-north-korean-for-wannacry-sony-pictures-hacks.
[27] Reuters. (2022, April 15). U.S. links North Korea hacker group to Axie Infinity crypto theft. CBS News. Retrieved from https://www.nbcnews.com/tech/crypto/north-korea-lazarus-axie-infinity-crypto-theft-rcna24518.
[28] Microsoft Threat Intelligence. (2024, November 22). Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON. Microsoft Defender Threat Intelligence. Retrieved from https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/.
[29] Larsen, A., Kelly, D. et al. (2023, July 24). North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack. Google Cloud Threat Intelligence. Retrieved from https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/.
[30] Paganini, P. (2024, October 19). North Korea-Linked APT37 Exploited IE Zero-Day In A Recent Attack. Security Affairs. Retrieved from https://securityaffairs.com/169983/apt/north-korea-apt37-ie-zero-day.html.
[31] Perry, B., Kinslow, T. et al. (2025, March 20). FBI Warns of Hidden Threats in Remote Hiring: Are North Korean Hackers Your Newest Employees. National Law Review. Retrieved from https://natlawreview.com/article/fbi-warns-hidden-threats-remote-hiring-are-north-korean-hackers-your-newest.
[32] Martinez, A. (2025, April 25). North Korean Hackers Pose as Remote Workers to Infiltrate U.S. Firms. Forbes. Retrieved from https://www.forbes.com/sites/alonzomartinez/2025/04/25/north-korean-hackers-pose-as-remote-workers-to-infiltrate-us-firms/.
[33] Federal Bureau of Investigation. (2025, January 23). North Korean IT Workers Conducting Data Extortion. DOJ. Retrieved from https://www.ic3.gov/PSA/2025/PSA250123.
[34] Verosint Team. (2025, August 21). Detect and Stop North Korean IT Worker Infiltration. Retrieved from https://verosint.com/post/detect-and-stop-north-korean-it-worker-infiltration.
[35] Office of Foreign Assets Control. (2022, May 16). Publication of North Korea Information Technology Workers Advisory. U.S. Department of the Treasury. Retrieved from https://ofac.treasury.gov/recent-actions/20220516.
[36] Department of Justice. (2025, January 23). Two North Korean Nationals and Three Facilitators Indicted for Multi-Year Fraudulent Remote Information Technology Worker Scheme that Generated Revenue for the Democratic People’s Republic of Korea. DOJ. Retrieved from https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote.
[37] Cyber Centaurs Team. (2024, October 26). Unmasking North Korean IT Infiltration. Retrieved from https://cybercentaurs.com/blog/unmasking-north-korean-it-infiltration/.