North Korean hackers have stolen billions in crypto by posing as VCs, recruiters and IT workers

A venture capitalist, a recruiter from a big company, and a newly hired remote IT worker might not seem to have much in common, but all have been caught as imposters secretly working for the North Korean regime, according to security researchers.

On Friday at Cyberwarcon, an annual conference in Washington DC focused on disruptive threats in cyberspace, security researchers offered their most up-to-date assessment of the threat from North Korea. The researchers warned of a sustained attempt by the country's hackers to pose as prospective employees seeking work at multinational corporations, with the aim of earning money for the North Korean regime and stealing corporate secrets that benefit its weapons program. These imposters have raked in billions of dollars in stolen cryptocurrency over the past decade to fund the country's nuclear weapons program, dodging a raft of international sanctions.

Microsoft security researcher James Elliott said in a Cyberwarcon talk that North Korean IT workers have already infiltrated "hundreds" of organizations around the world by creating false identities, while relying on U.S.-based facilitators to handle their company-issued workstations and earnings to skirt the financial sanctions that apply to North Koreans.

Researchers investigating the country's cyber capabilities see the rising threat from North Korea today as a nebulous mass of different hacking groups with varying tactics and techniques, but with the collective goal of cryptocurrency theft. The regime faces little risk for its hacks — the country is already beset by sanctions.

One group of North Korean hackers that Microsoft calls "Ruby Sleet" compromised aerospace and defense companies with the aim of stealing industry secrets that could help further develop its weapons and navigation systems.

Microsoft detailed in a blog post another group of North Korean hackers, which it calls "Sapphire Sleet," who masqueraded as recruiters and as a venture capitalist in campaigns aimed at stealing cryptocurrency from individuals and companies. After contacting their target with a lure or initial outreach, the North Korean hackers would set up a virtual meeting, but the meeting was actually designed to load improperly.

In the fake-VC scenario, the imposter would then pressure the victim into downloading malware disguised as a tool to fix the broken virtual meeting. In the fake-recruiter campaign, the imposter would ask the prospective candidate to download and complete a skills assessment, which actually contained malware. Once installed, the malware can access other material on the computer, including cryptocurrency wallets. Microsoft said the hackers stole at least $10 million in cryptocurrency over a six-month period alone.

But by far the most persistent and difficult campaign to combat is the effort by North Korean hackers to get hired as remote workers at big companies, piggybacking off the remote-working boom that began during the Covid-19 pandemic.

Microsoft called out North Korea's IT workers as a "triple threat" for their ability to deceptively gain employment with big companies and earn money for the North Korean regime, while also stealing company secrets and intellectual property, then extorting the companies with threats of revealing the information.

Of the hundreds of companies that have inadvertently hired a North Korean spy, only a handful of companies have publicly come forward as victims. Security company KnowBe4 said earlier this year that it was tricked into hiring a North Korean employee, but the company blocked the worker's remote access once it realized it had been duped, and it said no company data was taken.

How North Korean IT workers dupe companies into hiring them

A typical North Korean IT worker campaign creates a series of online accounts, like a LinkedIn profile and GitHub page, to establish a level of professional credibility. The IT worker can generate false identities using AI, including using face-swapping and voice-changing technology.

Once hired, the company ships off the employee's new laptop to a home address in the United States that, unbeknownst to the company, is run by a facilitator, who is tasked with setting up farms of company-issued laptops. The facilitator also installs remote access software on the laptops, allowing the North Korean spies on the other side of the world to remotely log in without revealing their true location.

Microsoft said it's also observed the country's spies operating not only out of North Korea but also Russia and China, two close allies of the breakaway nation, making it more difficult for companies to identify suspected North Korean spies in their networks.

Microsoft's Elliott said the company caught a lucky break when it received an inadvertently public repository belonging to a North Korean IT worker, containing spreadsheets and documents that broke down the campaign in detail, including the dossiers of false identities and resumes that the North Korean IT workers were using to get hired and the amount of money made during the operation. Elliott described the repos as having the "entire playbooks" for the hackers to carry out identity theft.

The North Koreans would also use tricks that could expose them as fakes, like immediately verifying their false identities' LinkedIn accounts as soon as they got a company email address to give the accounts a greater perception of legitimacy.

This wasn't the only example that researchers gave of the hackers' sloppiness that helped uncover the true nature of their operations.

Hoi Myong and a researcher who goes by the handle SttyK said they identified suspected North Korean IT workers in part by contacting them to reveal holes in their false identities, which are not always constructed carefully.

In their Cyberwarcon talk, Myong and SttyK said they spoke with one suspected North Korean IT worker who claimed to be Japanese, but would make linguistic mistakes in their messages, such as using words or phrases that don't inherently exist within the Japanese language. The IT worker's identity had other flaws, such as claiming to own a bank account in China but having an IP address that located the individual in Russia.

The U.S. government has already levied sanctions against North Korean-linked organizations in recent years in response to the IT workers scheme. The FBI has also warned that malicious actors are frequently using AI-generated imagery, or "deepfakes," often sourced from stolen identities, to land tech jobs. In 2024, U.S. prosecutors brought charges against multiple individuals for running the laptop farms that facilitate skirting sanctions.

But companies also have to do better vetting of their would-be employees, the researchers urged.

"They're not going away," said Elliott. "They're gonna be here for a long time."