Lazarus Group’s IT Workers Scheme Hacker Group Caught Live On Camera


Lazarus Group’s Famous Chollima unit has been caught “live on camera” running its remote IT worker scheme, after researchers funneled its operatives into fake laptops that were actually long‑running sandbox environments under full surveillance.

The sting exposes in unprecedented detail how North Korean operators use identity theft, rented identities, and off‑the‑shelf tools to quietly embed themselves in Western finance and crypto firms.

The operation began when NorthScan’s Heiner García impersonated a U.S. developer who had been spammed on GitHub by a recruiter calling himself “Aaron” or “Blaze,” who was advertising a “job hunting business” and looking for someone to front technical interviews.


Blaze offered a cut of the salary in exchange for full access to the victim’s laptop, Social Security Number, bank accounts, and identity documents, promising that his “team” of developers would do the real work behind the scenes.

This matches a broader Famous Chollima pattern in which DPRK operators either steal CVs outright or convince mostly junior engineers to “rent” their identities so that North Korean staff can infiltrate U.S. finance, crypto/Web3, healthcare, and even civil engineering firms.

Instead of handing over a real machine, BCA LTD’s Mauro Eldritch and sandbox provider ANY.RUN stood up a “laptop farm” of extended‑runtime virtual machines, each skinned to look like a heavily used developer notebook in the United States.


The analysis environments ran Windows 10 and 11 with realistic usage history, pre‑installed IDEs, and browser profiles, and were tunneled through U.S. residential proxies to satisfy the recruiters’ insistence on American‑based talent.

Crucially, the team could watch live screens, file operations, and network flows, while also forcing crashes, rolling back to restore points, and cutting internet access to keep the operators contained and unable to pivot to real targets.

Once Blaze received AnyDesk details and a pre‑agreed password, he connected to the fake laptops. He immediately ran tools like DxDiag and systeminfo to verify hardware, then checked “where is my location” in the browser to make sure the host appeared to be in the U.S. Traffic analysis showed connections coming from IPs associated with Astrill VPN, a service long linked to Lazarus and other DPRK IT worker activity, underscoring the group’s reliance on consumer VPN endpoints to obscure origin.


As the researchers repeatedly induced blue screens, resets, and network glitches, Blaze left pleading Notepad messages for the persona “Andy,” pulled in a colleague using the handle “Assassin,” and spent extended periods trapped in CAPTCHA and failed logins, all while his every move was recorded.

When Blaze finally synced his Chrome profile, the investigators gained clear visibility into Famous Chollima’s toolkit, which leaned heavily on AI‑driven job automation rather than bespoke malware.

Installed extensions included services like Simplify Copilot, AiApply, and Final Round AI to auto‑fill job applications and generate real‑time interview answers, alongside OTP.ee or Authenticator.cc to capture and replay one‑time passwords once they had stolen or rented a victim’s identity.

He also deployed Google Remote Desktop via PowerShell with a fixed PIN and layered it on top of AnyDesk, giving his team persistent access to “employee” laptops in a way that is nearly indistinguishable from normal remote‑work tooling to an unsuspecting employer.
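The layering just described is what a defender can key on: one remote-access tool on a developer laptop is ordinary, two stacked on the same host (AnyDesk plus a Chrome Remote Desktop host set up from PowerShell) is the persistence pattern. The following is an added detection sketch, not code from the article or the researchers; the process-creation events are constructed, and the binary names and the `--pin=` flag are assumptions to tune against your own telemetry.

```python
"""Flag hosts where multiple remote-access tools are stacked, as in the
laptop-farm sting: AnyDesk plus Chrome Remote Desktop installed via PowerShell.
Sample events are constructed; binary and flag names are assumptions."""
import re
from collections import defaultdict

# (tool family, image-name regex, command-line regex or None). Assumed names.
SIGNATURES = [
    ("anydesk", re.compile(r"^anydesk\.exe$", re.I), None),
    ("crd", re.compile(r"^remoting_(start_)?host\.exe$", re.I), None),
    ("crd", re.compile(r"^(powershell|pwsh)\.exe$", re.I),
     re.compile(r"remoting_start_host|--pin=", re.I)),
]

SAMPLE_EVENTS = [  # constructed process-creation events, oldest first
    {"host": "DEV-LT-01", "image": r"C:\Windows\System32\dxdiag.exe",
     "cmdline": "dxdiag /t out.txt"},
    {"host": "DEV-LT-01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},
    {"host": "DEV-LT-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "& remoting_start_host.exe --pin=123456"'},
    {"host": "DEV-LT-02", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
]

def classify(event):
    """Return the tool family an event belongs to, or None for benign processes."""
    image = event["image"].rsplit("\\", 1)[-1]
    for family, img_re, cmd_re in SIGNATURES:
        if img_re.search(image) and (cmd_re is None or cmd_re.search(event["cmdline"])):
            return family
    return None

def find_stacked_remote_access(events, min_families=2):
    """Group matches by host; one tool is ordinary remote-work tooling, two or
    more stacked on a single host is the persistence pattern worth a ticket."""
    per_host = defaultdict(set)
    for ev in events:
        family = classify(ev)
        if family:
            per_host[ev["host"]].add(family)
    return {h: sorted(f) for h, f in per_host.items() if len(f) >= min_families}

if __name__ == "__main__":
    for host, tools in find_stacked_remote_access(SAMPLE_EVENTS).items():
        print(f"{host}: stacked remote-access tools {tools}")
```

The dxdiag and systeminfo reconnaissance mentioned earlier is too common on developer machines to alert on alone, which is why the rule keys on distinct tool families per host rather than on any single process.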

The operation lands amid sustained U.S. law‑enforcement pressure on North Korea’s remote IT worker schemes, including a June 2025 case that detailed more than 100 infiltrated companies, over 80 stolen U.S. identities, and searches of dozens of physical “laptop farms” on American soil.

Subsequent actions in late 2025 sought over $15 million in penalties tied to DPRK IT workers and emphasized that these roles have enabled theft of crypto assets, source code, and even export‑controlled defense data.

Investigators say the Lazarus honeypot shows how moving human‑driven intrusions into controlled sandboxes can expose full attack chains, from GitHub spam and Telegram recruiting to KYC abuse, VPN infrastructure, and remote‑desktop tooling, and argue that employers must respond with tighter identity verification, device‑control policies, and greater skepticism of “too good to be true” remote‑work offers.
