CyberSecurityNews

North Korean Hackers Use Fake IT Worker Scheme to Infiltrate Companies and Evade Sanctions


North Korea has been running one of the most quietly effective cyber fraud operations in recent years.

State-sponsored operatives working for the Pyongyang regime have been posing as legitimate remote IT workers to get hired by companies around the world, earning salaries that flow directly back to fund the country’s weapons programs.

This scheme, active since at least 2017, has grown into a multi-continent operation that continues to expand into new industries and target larger organizations.

The operatives rely on stolen identities, fabricated resumes, and fake professional credentials to land remote software development jobs at foreign companies, particularly in the United States and Europe.

During job interviews, North Korean workers often redirect conversations from video calls to phone or text-based formats, citing technical difficulties, or have an accomplice appear on camera in their place.

Salaries, which can reach up to $300,000 per year for individual operatives, are funneled back to North Korea, where the regime retains as much as 90 percent of earnings to support its missile and weapons of mass destruction programs.


Team Cymru analysts identified a critical piece of this infrastructure after cryptocurrency security researcher ZachXBT flagged the domain luckyguys[.]site as being linked to payments associated with DPRK-connected fake IT workers.

At the time of analysis, that domain resolved to the IP address 163.245.219[.]19. Researchers then examined 30 days of network activity tied to this infrastructure and uncovered a broader picture of how these workers operate, communicate, and move money without triggering alarms from security teams.

The investigation found that these workers rely on specific virtual private networks to mask their true locations. Traffic analysis showed heavy use of Astrill VPN at 37.5 percent, Mullvad at 32.25 percent, and Proton VPN at 6.25 percent.

These services allow operatives to tunnel traffic through exit nodes in the United States, making them appear as ordinary domestic employees.

Network activity also showed connections to Gmail, ChatGPT, and Workana, a freelance platform that has become a notable channel through which threat actors seek remote jobs under false identities.

As law enforcement pressure has mounted in the United States, these operations have grown more aggressive. Since late 2024, North Korean IT workers have escalated extortion attempts, stealing sensitive data and source code from employers before demanding ransom payments.

The U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned six individuals and two entities in March 2026 for direct involvement in these schemes. This operation is also tracked under the names Coral Sleet, PurpleDelta, and Wagemole by various threat intelligence teams.

VPN Abuse and Residential IP Deception

One of the most technically significant aspects of this scheme is how operatives conceal their network presence.

Team Cymru’s analysis found that American and Latvian residential IP addresses were communicating with the identified infrastructure during the review period.

This strongly points to the use of home-based systems or laptop farms, where physical laptops provided by employers are placed at residences managed by U.S.-based facilitators.

The rapid drop in network traffic following public disclosure of the luckyguys[.]site domain confirmed that operators were monitoring for exposure and abandoned infrastructure quickly once publicly attributed.

Network Traffic Drop Post-Disclosure (Source - Team Cymru)

This behavior reflects a well-documented DPRK pattern of cycling through infrastructure rapidly after being identified.

Organizations should take the following recommendations into account based on these findings. Residential IP addresses should not be treated as automatically trustworthy, as they may be part of proxy or laundering networks.

VPN usage from providers previously linked to DPRK activity should be treated as a risk signal. Freelance hiring pipelines, particularly through global platforms, represent a key infiltration vector and require closer scrutiny during onboarding.

Network traffic connecting to IP addresses 216.158.225[.]144 and 163.245.219[.]19 should be flagged and investigated. Special caution should apply to residential IPs exhibiting proxy-hosting behavior, as these may support infrastructure serving malicious operations.
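The recommendations above translate naturally into a small triage pass over flow logs. The following is an added example for illustration, not code from Team Cymru or CyberSecurityNews. The only values taken from the article are the two indicator IPs (in their defanged form) and the VPN provider names; the provider-to-CIDR mapping, the residential-IP list and the flow records are constructed placeholders in RFC 5737 documentation ranges, and the "proxy-hosting" heuristic (a residential address accepting inbound connections from several distinct external sources) is an assumption standing in for a real residential-proxy intelligence feed.

```python
"""Triage of flow records against the indicators discussed in the article.

Added example, not the vendor's or the publisher's code. Everything below
except the two indicator IPs and the provider names is constructed.
"""
from collections import Counter, defaultdict
import ipaddress

# Indicators as published (defanged). Refanged once, at load time.
INDICATORS_DEFANGED = {"216.158.225[.]144", "163.245.219[.]19"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 into a matchable address."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


INDICATOR_IPS = {refang(i) for i in INDICATORS_DEFANGED}

# Hypothetical VPN exit ranges (constructed documentation-range CIDRs, NOT the
# providers' real address space). Replace with an ASN/provider feed in practice.
VPN_EXIT_RANGES = {
    "Astrill VPN": ipaddress.ip_network("198.51.100.0/25"),
    "Mullvad": ipaddress.ip_network("198.51.100.128/25"),
    "Proton VPN": ipaddress.ip_network("203.0.113.0/24"),
}

# Addresses an IP-intelligence lookup would label residential (constructed).
RESIDENTIAL_IPS = {"192.0.2.55", "192.0.2.90"}

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("198.51.100.10", "163.245.219.19", 443),   # VPN exit reaching an indicator
    ("198.51.100.10", "192.0.2.150", 443),
    ("198.51.100.200", "192.0.2.150", 443),     # VPN exit, unremarkable destination
    ("203.0.113.7", "192.0.2.150", 443),
    ("192.0.2.55", "216.158.225.144", 443),     # residential host reaching an indicator
    ("198.51.100.33", "192.0.2.55", 8080),      # inbound to the residential host ...
    ("203.0.113.9", "192.0.2.55", 8080),        # ... from several external sources
    ("198.51.100.201", "192.0.2.55", 8080),
    ("192.0.2.90", "192.0.2.150", 443),         # residential host, ordinary browsing
]


def provider_for(ip: str):
    """Return the VPN provider whose (assumed) exit range contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, net in VPN_EXIT_RANGES.items():
        if addr in net:
            return name
    return None


def vpn_share(flows):
    """Percent of all flows sourced from each provider's exit range."""
    counts = Counter(provider_for(src) for src, _, _ in flows)
    total = sum(counts.values())
    return {name: round(100 * n / total, 2) for name, n in counts.items() if name}


def proxy_hosting_candidates(flows, min_sources: int = 3):
    """Residential IPs that accept inbound connections from >= min_sources
    distinct non-residential addresses (assumed proxy-hosting heuristic)."""
    inbound = defaultdict(set)
    for src, dst, _ in flows:
        if dst in RESIDENTIAL_IPS and src not in RESIDENTIAL_IPS:
            inbound[dst].add(src)
    return {dst for dst, srcs in inbound.items() if len(srcs) >= min_sources}


def triage(flows):
    """Map each source IP to the set of risk signals raised by its flows."""
    signals = defaultdict(set)
    for src, dst, _ in flows:
        if dst in INDICATOR_IPS:
            signals[src].add(f"contact with indicator {dst}")
            if src in RESIDENTIAL_IPS:
                signals[src].add("residential source reaching indicator")
        prov = provider_for(src)
        if prov:
            signals[src].add(f"source is {prov} exit")
    for ip in proxy_hosting_candidates(flows):
        signals[ip].add("residential IP accepting inbound from multiple external sources")
    return {ip: sorted(s) for ip, s in signals.items()}


def prioritize(flows):
    """Sources ordered by number of distinct signals, most suspicious first."""
    return sorted(triage(flows).items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print("VPN share:", vpn_share(SAMPLE_FLOWS))
    for ip, sigs in prioritize(SAMPLE_FLOWS):
        print(ip, "->", "; ".join(sigs))
```

Two design points worth keeping: indicators are refanged once at load time so the published `[.]` form can be pasted straight from a report, and a VPN exit on its own only adds a signal rather than an alert, matching the article's framing of provider use as a risk signal to be weighed alongside indicator contact and residential proxy behaviour.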
