A routine help-wanted ad almost led to an “insider threat from hell” for one Western company last year. Research from the security firm LevelBlue, shared with Hackread.com, reveals how a suspected North Korean hacker bypassed standard hiring checks to land a remote IT position, only to be caught and terminated within just 10 days.
The individual was hired on 15 August 2025 and assigned to work with sensitive Salesforce data. While the onboarding seemed normal, the firm’s security stack was already flagging anomalies. According to LevelBlue’s SpiderLabs threat intel team, the detection was made possible by combining crowdsourced threat data with behavioural analytics, a system that learns how a genuine employee acts so it can spot a fake one.
The Missouri Mistake
The operative’s undoing began with a simple geographic slip-up. Cybereason XDR, the company’s security monitoring platform, had first established a baseline showing the worker consistently logging in from China. On 21 August it raised a high-severity alert when a login suddenly originated from an unmanaged device in St. Louis, Missouri.
Researchers explained in their blog post that the worker was using Astrill VPN to hide their actual location. They noted that this particular VPN is a “high-fidelity indicator” of North Korean activity: as seen previously, the Lazarus Group and its subgroups, including the cluster behind the Contagious Interview campaign, rely on Astrill because it can bypass China’s Great Firewall.
Astrill VPN also lets the operatives tunnel traffic through US exit nodes, so they appear to be legitimate domestic employees while managing their command-and-control infrastructure. By 25 August the company had revoked the employee’s Entra ID account, ending the threat before any damage was done.
An Industrial-Scale Scheme
This was not a solo effort. Joint research from Flare and IBM X-Force indicates these workers are part of an organised, state-sponsored ecosystem. The operatives are usually elite graduates of schools such as the University of Sciences in Pyongyang and are linked to front organisations such as the Willow Tree Economic Technology Exchange Centre.
The research further reveals that these teams use internal management platforms such as RB Site and NetkeyRegister to track job applications and download software updates. While some workers engage in data exfiltration (stealing company secrets), their primary goal is generally revenue. A single worker can earn over $300,000 (£230,000) annually, providing a vital stream of cash for the North Korean regime’s weapons programmes.
As remote hiring continues to expand, this case shows that the person behind the screen may be part of a global fraud network. Companies should verify that a new hire’s login locations match the home address on their paperwork, and watch closely for unauthorised personal devices or VPN use during onboarding. A location check on its own is not enough: a VPN exit node in the right country will satisfy it, which is why the unmanaged-device and VPN-provider signals mattered here as much as the geography did.
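The detection logic described in the St. Louis section and the onboarding checks recommended above can be expressed as one small script. This is an added example, not LevelBlue’s or Cybereason’s code, and it goes slightly beyond the article: it runs three independent checks (baseline country versus declared address, later sign-ins outside the learned baseline, and unmanaged device or known VPN egress) over constructed sign-in events, and includes a second constructed dataset showing why a location-only check fails when the operative tunnels through a US exit node from day one. The sign-in events, the declared home country, and the `vpn_provider` enrichment field are all assumptions; the article names only Astrill as a high-fidelity indicator and does not say what address the hire gave.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sign-in events (not real telemetry). They follow the shape of the timeline in
# the article: baseline sign-ins from China after the 15 August hire, then a 21 August sign-in
# from an unmanaged device whose traffic exits a known VPN provider's US node. The
# "vpn_provider" field is assumed to come from an IP-enrichment step that tags known VPN
# egress ranges; the article itself only states that Astrill is a high-fidelity indicator.
SAMPLE_EVENTS = [
    {"user": "newhire", "ts": "2025-08-15T09:02:00Z", "country": "CN", "managed": True, "vpn_provider": None},
    {"user": "newhire", "ts": "2025-08-16T08:58:00Z", "country": "CN", "managed": True, "vpn_provider": None},
    {"user": "newhire", "ts": "2025-08-18T09:10:00Z", "country": "CN", "managed": True, "vpn_provider": None},
    {"user": "newhire", "ts": "2025-08-19T09:04:00Z", "country": "CN", "managed": True, "vpn_provider": None},
    {"user": "newhire", "ts": "2025-08-20T08:51:00Z", "country": "CN", "managed": True, "vpn_provider": None},
    {"user": "newhire", "ts": "2025-08-21T14:37:00Z", "country": "US", "managed": False, "vpn_provider": "Astrill"},
    {"user": "newhire", "ts": "2025-08-22T09:00:00Z", "country": "CN", "managed": True, "vpn_provider": None},
]

# Second constructed set: the same operative, but tunnelling through a US exit node from day
# one. Geography now agrees with a declared US address, so a location-only check passes.
SAMPLE_EVENTS_US_EXIT = [
    {"user": "newhire", "ts": f"2025-08-{d:02d}T09:00:00Z", "country": "US", "managed": False, "vpn_provider": "Astrill"}
    for d in range(15, 23)
]

# Providers the article names as a high-fidelity DPRK indicator; extend from your own intel.
KNOWN_VPN_INDICATORS = {"astrill"}


@dataclass(frozen=True)
class Finding:
    ts: str
    severity: str   # "high" or "medium"
    reason: str


def build_baseline(events, window=5):
    """Countries seen in the first `window` sign-ins: the learned notion of 'normal'."""
    return Counter(e["country"] for e in events[:window])


def evaluate_signins(events, declared_country, window=5, known_vpns=KNOWN_VPN_INDICATORS):
    """Return findings for one user's sign-ins, oldest first.

    Three independent checks, because any one of them can be defeated on its own:
    1. the learned baseline must agree with the country on the hiring paperwork;
    2. sign-ins after the baseline window must not come from a country outside it;
    3. every sign-in must come from a managed device and not via a known VPN egress.
    """
    events = sorted(events, key=lambda e: e["ts"])
    baseline = build_baseline(events, window)
    findings = []

    foreign = sorted(set(baseline) - {declared_country})
    if foreign:
        findings.append(Finding(events[0]["ts"], "medium",
                                f"baseline countries {foreign} disagree with declared {declared_country}"))

    for i, e in enumerate(events):
        if i >= window and e["country"] not in baseline:
            findings.append(Finding(e["ts"], "high",
                                    f"sign-in from {e['country']} outside baseline {sorted(baseline)}"))
        if not e["managed"]:
            findings.append(Finding(e["ts"], "high", "sign-in from unmanaged device"))
        if (e["vpn_provider"] or "").lower() in known_vpns:
            findings.append(Finding(e["ts"], "high", f"egress via known VPN provider {e['vpn_provider']}"))
    return findings


def should_escalate(findings):
    """One high-severity finding during onboarding is enough to pull the account for review."""
    return any(f.severity == "high" for f in findings)


def first_high_ts(findings):
    """Timestamp of the earliest high-severity finding, or None."""
    highs = [f.ts for f in findings if f.severity == "high"]
    return min(highs) if highs else None


if __name__ == "__main__":
    # Declared country "US" is an assumption for illustration only.
    for label, events in (("article timeline", SAMPLE_EVENTS),
                          ("US exit node from day one", SAMPLE_EVENTS_US_EXIT)):
        fs = evaluate_signins(events, declared_country="US")
        print(f"== {label}: escalate={should_escalate(fs)}")
        for f in fs:
            print(f"  {f.ts} {f.severity:6s} {f.reason}")
```

On the first dataset the geographic, device and VPN checks all fire on the 21 August event; on the second, the geography looks fine throughout and only the device and VPN-provider checks catch the account, which is the point of keeping the three signals separate.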

