
DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies

  • Feb 11

Key Findings


  • North Korean IT operatives are applying to remote positions using real LinkedIn accounts of individuals they are impersonating

  • The goal is to secure jobs at Western companies and conduct espionage, data theft, and ransomware attacks

  • The threat is tracked by the cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole

  • The impersonated LinkedIn profiles often have verified workplace emails and identity badges to appear legitimate

  • Once employed, the DPRK workers transfer their salaries in cryptocurrency through money laundering techniques

  • To counter the threat, individuals should post warnings on their social media, and businesses should verify applicant accounts


Background


The IT worker threat is a long-running operation mounted by North Korea in which operatives from the country pose as remote workers to secure jobs in Western companies and elsewhere under stolen or fabricated identities. The end goal of these efforts is two-pronged: to generate a steady revenue stream to fund the nation's weapons programs, and to conduct espionage by stealing sensitive data and, in some cases, demanding ransoms to avoid leaking the information.


Impersonation Tactics


North Korean operatives are now applying to remote positions using real LinkedIn accounts of individuals they are impersonating. These profiles often have verified workplace emails and identity badges, which the DPRK operatives hope will make their fraudulent applications appear legitimate.


Money Laundering Techniques


Once their salaries are paid, the DPRK IT workers transfer the cryptocurrency through a variety of money laundering techniques, such as chain-hopping and token swapping, to complicate the tracing of funds.


Contagious Interview Campaign


Running parallel to the IT worker scheme is another social engineering campaign dubbed "Contagious Interview" that involves using fake hiring flows to lure prospective targets into interviews after approaching them on LinkedIn with job offers. The malicious phase of the attack kicks in when individuals presenting themselves as recruiters and hiring managers instruct targets to complete a skill assessment that eventually leads to them executing malicious code.


Koalemos RAT Campaign


Another variant of the intrusion set involves the use of malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework dubbed Koalemos via a loader. The RAT is designed to enter a beacon loop to retrieve tasks from an external server, execute them, send encrypted responses, and maintain persistent access to the victim's machine.


Countermeasures


To counter the threat, individuals who suspect their identities are being misappropriated in fraudulent job applications are advised to consider posting a warning on their social media accounts, along with listing their official communication channels and the verification method to contact them (e.g., company email). Businesses are also advised to validate the accounts listed by candidates and ensure they are controlled by the email provided.
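One way a hiring team could implement the account check described above, as an added example that is not from the original article: a one-time token is e-mailed to the address the candidate provided and must come back as a message sent from the account they listed. The function names, the 15-minute window and the sample values are assumptions made for this sketch.

```python
import hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: per-deployment key, kept server-side
TTL = 15 * 60                     # assumption: 15-minute validity window
_used_nonces = set()              # in-memory replay cache for this sketch

def _tag(candidate_id, email, account_url, issued, nonce):
    # JSON list encoding keeps field boundaries unambiguous before MACing.
    fields = [candidate_id, email.strip().lower(),
              account_url.strip().lower().rstrip("/"), issued, nonce]
    return hmac.new(SECRET, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

def issue_challenge(candidate_id, email, account_url, now=None):
    """Return a token to e-mail to the address the candidate provided."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_tag(candidate_id, email, account_url, issued, nonce)}"

def verify_challenge(candidate_id, email, replied_from_account, token, now=None):
    """Check a token that came back as a message from `replied_from_account`."""
    now = int(time.time() if now is None else now)
    try:
        issued, nonce, tag = token.split(".")
        age = now - int(issued)
    except ValueError:
        return "malformed"
    expected = _tag(candidate_id, email, replied_from_account, issued, nonce)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "mismatch"   # wrong candidate, e-mail, or account
    if age < 0 or age > TTL:
        return "expired"
    if nonce in _used_nonces:
        return "replayed"
    _used_nonces.add(nonce)
    return "verified"

if __name__ == "__main__":
    # Constructed sample values, not real people or accounts.
    listed = "https://www.linkedin.com/in/jane-example"
    t = issue_challenge("cand-42", "jane@example.com", listed)
    print(verify_challenge("cand-42", "jane@example.com", listed, t))
    print(verify_challenge("cand-42", "jane@example.com",
                           "https://www.linkedin.com/in/jane-examp1e", t))
```

Because the token is bound to both the e-mail address and the listed account, a reply from a lookalike profile fails even when the applicant controls the mailbox.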


Sources


  • https://thehackernews.com/2026/02/dprk-operatives-impersonate.html

  • https://www.threads.com/@thehackernews/post/DUlkBJ-E_iy/north-korean-operatives-are-using-real-linked-in-accounts-to-land-remote-it

  • https://x.com/TheCyberSecHub/status/2021280594681004110

  • https://www.linkedin.com/posts/cyber-news-live_dprk-operatives-impersonate-professionals-activity-7427089856440283136-UT3s
