DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies Worldwide



North Korean operatives are increasingly using real LinkedIn identities to infiltrate companies, applying for remote jobs under stolen or fabricated profiles as part of a long-running revenue and espionage operation. Security researchers and government agencies warn that the campaign is expanding in scale and sophistication.

The operation involves IT workers associated with the Democratic People’s Republic of Korea posing as remote professionals to secure employment inside Western firms. Once hired, they generate revenue for the regime and, in some cases, gain access to sensitive systems and intellectual property.

According to Security Alliance (SEAL), the group recently escalated its tactics by impersonating real LinkedIn users with verified employment records.

“These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate,” SEAL stated in public disclosures.

This marks a shift from previously fabricated identities toward hijacking credible professional accounts, increasing the likelihood that HR teams will accept the candidates as genuine.

The DPRK Remote Worker Revenue Engine

Cybersecurity firm Silent Push described the program as a high-volume revenue operation designed to funnel money back to North Korea.

“The DPRK remote worker program functions as a revenue engine while also providing administrative access into corporate environments,” Silent Push said in its threat analysis.

Once salaries are paid, funds are laundered through cryptocurrency channels.

Blockchain analytics firm Chainalysis explained how the money trail is obscured:

“Chainalysis closely tracks the inclusion of crypto addresses in sanctions designations targeting DPRK IT worker schemes, as well as open-source information on this threat. We closely monitor how the DPRK is using cryptocurrency to generate revenue, move and consolidate funds, and launder proceeds by using fictitious accounts at mainstream exchanges or by leveraging likely unregulated over-the-counter traders.” — Chainalysis analysis.

These tactics help convert legitimate salary payments into untraceable revenue streams that support state programs.

Norwegian PST Confirms Local Impact

The Norwegian Police Security Service (PST) recently confirmed that businesses in Norway have been affected by the scheme.

“The businesses have been tricked into hiring what are likely North Korean IT workers in home office positions,” PST stated in its advisory.

PST further warned that income from such employment likely contributes to North Korea’s weapons and nuclear programs.

This confirms the global reach of the campaign, extending beyond the United States into Europe and other regions.

Contagious Interview Campaign Expands Malware Delivery

Running parallel to the IT worker fraud scheme is a social engineering campaign known as Contagious Interview. This operation targets tech professionals through fake recruitment processes on LinkedIn.

Victims are approached by individuals posing as recruiters and asked to complete coding tests or skill assessments. Those assessments contain malicious payloads disguised as legitimate software tasks.

Security researcher Ori Hershko documented one such campaign that impersonated the digital asset company Fireblocks.

“The campaign employed EtherHiding, leveraging blockchain smart contracts to host and retrieve command-and-control infrastructure,” Hershko said.

Once candidates clone repositories and run installation commands, malware such as BeaverTail and InvisibleFerret is deployed, enabling credential theft and cryptocurrency wallet compromise.

Recent reports from Abstract Security and OpenSourceMalware also identified malicious Visual Studio Code task files being used to execute JavaScript malware during fake interview processes.

Koalemos RAT and Malicious npm Packages

Another variant tied to DPRK-linked activity involves malicious npm packages delivering a modular JavaScript remote access trojan called Koalemos.

Security researcher Alessandra Rizzo explained how the loader behaves:

“The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process,” Rizzo reported.

The RAT then establishes encrypted command-and-control communication and supports commands for file transfer, system discovery, and arbitrary execution.

Malicious npm package names observed include:

  • env-workflow-test
  • sra-test-test
  • vg-medallia-digital
  • vg-dev-env
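The package list above, together with the repository-based delivery described for Contagious Interview (clone a repository, run the install commands, or open it in VS Code with a malicious task file), suggests a simple pre-flight check a candidate or security team can run before touching an unsolicited "assessment" repository. The script below is an added example written for this article; it is not code from the article, from SEAL, Silent Push, Abstract Security or OpenSourceMalware. It audits two things: package.json dependency names against the npm package names reported above plus any npm install-time lifecycle hook (preinstall/install/postinstall run automatically during `npm install`), and .vscode/tasks.json for tasks marked to start when the folder opens (VS Code's `"runOptions": {"runOn": "folderOpen"}`) or whose command launches an interpreter or downloader. The sample repository it builds, including the file name `.vscode/prepare.js` and the dependency versions, is constructed for the example and carries no real payload; the command regex is a heuristic, not a list from the article.

```python
"""
Added defender-side example: audit a cloned "coding assessment" repository
before running `npm install` or opening it in VS Code.
The sample repository contents built by build_sample_repo() are constructed
for this example (no real payload).
"""
import json
import re
import tempfile
from pathlib import Path

# Malicious npm package names as reported in the article.
BLOCKLISTED_PACKAGES = {
    "env-workflow-test",
    "sra-test-test",
    "vg-medallia-digital",
    "vg-dev-env",
}

# Heuristic (assumption, not from the article): commands an interview repo's
# build task has little reason to run.
SUSPICIOUS_COMMAND = re.compile(
    r"\b(node|curl|wget|powershell|bash|sh|python3?)\b", re.IGNORECASE
)

DEPENDENCY_FIELDS = ("dependencies", "devDependencies",
                     "optionalDependencies", "peerDependencies")
# npm runs these scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _load_json_lenient(path: Path):
    """tasks.json is JSON-with-comments; strip full-line // comments,
    /* */ comments and trailing commas before parsing."""
    text = path.read_text(encoding="utf-8")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)


def check_dependencies(repo: Path) -> list[str]:
    """Report blocklisted dependency names and install-time lifecycle hooks."""
    manifest = repo / "package.json"
    if not manifest.exists():
        return []
    data = json.loads(manifest.read_text(encoding="utf-8"))
    findings = []
    for field in DEPENDENCY_FIELDS:
        for name in data.get(field, {}):
            if name in BLOCKLISTED_PACKAGES:
                findings.append(f"{field}: {name}")
    scripts = data.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"scripts.{hook}: {scripts[hook]}")
    return findings


def check_vscode_tasks(repo: Path) -> list[str]:
    """Flag tasks that auto-run on folder open and tasks whose command
    launches an interpreter or downloader."""
    tasks_file = repo / ".vscode" / "tasks.json"
    if not tasks_file.exists():
        return []
    data = _load_json_lenient(tasks_file)
    findings = []
    for task in data.get("tasks", []):
        label = task.get("label", "<unnamed>")
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append(f"task '{label}' is configured to run automatically on folder open")
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        command = " ".join(parts).strip()
        if SUSPICIOUS_COMMAND.search(command):
            findings.append(f"task '{label}' runs: {command}")
    return findings


def audit_repo(repo: Path) -> dict[str, list[str]]:
    """Run both checks; an empty list per section means nothing was flagged."""
    return {"dependencies": check_dependencies(repo),
            "vscode_tasks": check_vscode_tasks(repo)}


def build_sample_repo() -> Path:
    """Constructed sample repository shaped like a booby-trapped assessment."""
    root = Path(tempfile.mkdtemp(prefix="assessment_"))
    (root / "package.json").write_text(json.dumps({
        "name": "coding-assessment",
        "dependencies": {"express": "^4.18.0", "vg-dev-env": "1.0.0"},
        "scripts": {"postinstall": "node setup.js"},
    }), encoding="utf-8")
    vscode = root / ".vscode"
    vscode.mkdir()
    (vscode / "tasks.json").write_text(
        '{\n'
        '  // constructed example task file\n'
        '  "version": "2.0.0",\n'
        '  "tasks": [\n'
        '    {"label": "prepare", "type": "shell", "command": "node",\n'
        '     "args": ["./.vscode/prepare.js"], "runOptions": {"runOn": "folderOpen"}},\n'
        '    {"label": "lint", "type": "shell", "command": "npm", "args": ["run", "lint"]},\n'
        '  ]\n'
        '}\n', encoding="utf-8")
    return root


if __name__ == "__main__":
    for section, items in audit_repo(build_sample_repo()).items():
        print(section)
        for item in items:
            print("  -", item)
```

Run it against a real checkout with `audit_repo(Path("path/to/clone"))`; any finding is a reason to stop and have the repository looked at before running anything in it. The blocklist only catches the names already published, so the lifecycle-hook and auto-run-task checks, which do not depend on knowing the package name in advance, are the ones worth keeping in a standing workflow.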

CrowdStrike: Labyrinth Chollima Evolves Into Specialized Units

CrowdStrike recently revealed that the broader North Korean threat cluster known as Labyrinth Chollima has segmented into distinct operational groups.

The clusters include:

Group                 Primary Focus
Labyrinth Chollima    Cyber espionage operations
Golden Chollima       Cryptocurrency theft campaigns
Pressure Chollima     High-value digital asset heists

These groups are widely assessed to be linked to the Lazarus Group, also known as Hidden Cobra.

Despite tactical differences, they share infrastructure and social engineering playbooks centered around employment and recruitment themes.

Key Warning Signs for Organizations

To reduce risk from DPRK infiltration campaigns, companies should:

  • Verify LinkedIn account ownership through controlled email validation
  • Require live video interviews with identity confirmation
  • Restrict repository access until background checks are complete
  • Monitor npm dependencies and third-party packages for anomalies
  • Flag cryptocurrency payment requests or unusual payroll instructions

Why This Matters Globally

The DPRK IT worker and Contagious Interview campaigns reflect a broader geopolitical strategy. Cyber operations serve two purposes:

  1. Revenue generation through employment fraud and cryptocurrency theft
  2. Espionage and persistent access inside Western enterprises

Rather than noisy ransomware attacks, these operations rely on stealth, social engineering, and long-term presence.

The convergence of identity abuse, remote work culture, and software supply chain trust creates fertile ground for infiltration.

FAQ: DPRK LinkedIn and Recruitment Campaigns

What is the DPRK IT worker scheme?
It is a long-running operation in which North Korean operatives pose as remote IT workers to secure employment and generate revenue.

How are LinkedIn accounts being abused?
Operatives impersonate real professionals or use verified employment credentials to pass hiring checks.

What is Contagious Interview?
A malware campaign using fake recruitment processes to deliver malicious code during job assessments.

Is cryptocurrency laundering involved?
Yes. Chain-hopping and token swapping are used to obscure salary payments.

Are government agencies warning about this?
Yes. Norway’s PST confirmed cases affecting local businesses.
