Editor’s note: This report was authored by Daxton Wirth.

In recent weeks, the ReliaQuest Threat Research team has identified and investigated over 25 North Korean insider threats across its customer base. As part of a growing trend, these state-sponsored operatives infiltrate Western companies under fake identities, often posing as skilled freelancers or contractors to generate revenue for the North Korean regime.

In this report, we’ll deep-dive into the three biggest giveaways that can unmask a North Korean insider—critical clues uncovered during our investigations to help you stay ahead of these covert threats:

  • Targeting Freelancer and Contractor Roles: Using AI-generated profiles, inflated resumes, and sophisticated tactics, these operatives target contractor and freelancer positions—particularly in full-stack web development.

  • Proxy Infrastructure and Mistakes: They leverage proxy tools like Astrill VPN to conceal their activities but occasionally slip up, logging in directly from fixed-line IPs associated with Chinese and Russian providers.

  • Exploiting COBO Environments: In businesses with Corporate-Owned, Business-Only (COBO) policies, North Korean operatives abuse keyboard, video, mouse over IP (IP-KVM) devices to maintain stealthy, persistent access. While harder to detect, diligent threat hunting can still uncover traces left behind by these tools.

Even more concerning, these insiders rarely act alone. When one is uncovered, many organizations often find multiple operatives working together, employing improved operational security (OPSEC) measures to avoid detection.

Key Points

North Korean operatives infiltrate Western companies by posing as fake IT workers, channeling profits to fund the regime's weapons programs.

These actors flood job sites with AI-generated bios, exaggerated resumes, and deepfakes, often using mismatched photos across numerous platforms.

To evade detection, they use tools like Astrill VPN; keyboard, video, mouse over IP (IP-KVMs); and VPS (virtual private server) IPs, quickly adapting by renaming tools.

To defend against these threats, businesses must enforce Corporate-Owned, Business-Only (COBO) policies, introduce USB device controls, block unauthorized remote monitoring and management (RMM) tools, and strengthen hiring practices for remote roles. Dynamic threat hunting and geo-based monitoring are also vital to stay ahead of their evolving tactics.

How North Korea Uses Cybercrime to Fund Weapons

North Korea may lack the offensive cyber capabilities of Russia or China, but it punches far above its weight in cyber attacks. Known for ramping up cyber operations in times of crisis, North Korea has evolved into a formidable player, pulling off increasingly sophisticated attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that Pyongyang relies heavily on cybercrime to fund its “weapons of mass destruction” and “ballistic missile” programs. Following sanctions aimed at cutting off traditional funding sources, North Korea has pivoted to cryptocurrency theft and to infiltrating companies by posing as fake IT workers to bypass financial restrictions.

North Korea-linked advanced persistent threat (APT) groups like the notorious “Lazarus Group” are both technically skilled and relentless. For nearly a decade, Lazarus has targeted Western financial institutions, delivering malware hidden in LinkedIn job offers to steal millions. Since May 2022, North Korea has escalated its use of proxies—posing as fake IT professionals with impressive resumes to infiltrate companies across the US, UK, and Australia. Initially, these efforts seemed focused on drawing salaries to fund their nuclear ambitions, but these operations have often escalated into intellectual property theft or extortion for bigger payouts.

To pull off these schemes, North Korean operatives build sprawling networks of fake social media profiles—sometimes stealing real identities but often inventing them. Claiming to be US-based, they avoid corporate laptops, opting for personal devices or remote setups via US-based “laptop farms” to maintain their cover. They dodge video calls, come up with excuses to avoid in-person requests, and deploy deepfakes when live interactions are unavoidable. They also exploit rapid address and payment changes to sidestep banking regulations. While any one of these tactics may appear typical for an international IT worker, the combination is a glaring red flag—one that likely points straight to Pyongyang.

Fake Faces, Fake Resumes: Finding Operatives on Job Boards

North Korean operatives are flooding job sites with fake profiles to get hired at scale. We’ve uncovered multiple active LinkedIn accounts following the same playbook: AI-generated profile content and exaggerated skills with years of bogus experience. Although these profiles may look polished, the truth is anything but.

Let’s break down the signs you should look out for to spot these fake candidates.

AI-Generated Faces and Bios

Most of the fake IT worker profiles we identified on LinkedIn are pure fabrications. Their profile pictures? AI-generated spins on stock images—just compare the stock photo on the left to the AI-generated version on the right in Figure 1.

Their “About” and “Experience” sections? Almost entirely AI-written. Even their CVs are often stolen from legitimate, publicly available resumes, tweaked just enough to appear authentic.

Figure 1: Stock image on left used to generate fake image on right

But these scammers don’t stop at LinkedIn. A single user can flood multiple job platforms like Xing, Upwork, Toptal, and 9am. Some even set up their own websites using platforms like jimdosite[.]com or .app sites such as netlify[.]app. In many North Korean cases we’ve investigated, the same candidate pops up across multiple sites—identical resumes, but completely different photos. And they can’t resist slipping in subtle nods to their homeland, like including “red” and “star” in their profiles.

Once hired, these users avoid announcing their new position and keep their LinkedIn profiles in “#OpenToWork” mode. Why? To keep applying to other companies while running their scam in plain sight. This highlights the critical importance of thorough candidate screening—both before and after hiring. Even a quick reverse image search could expose the candidates as frauds.

Suspiciously Impressive Full-Stack Developers

We’ve seen a surge in North Korean IT workers going after full-stack development roles, especially in contractor and freelancer positions. Their profiles are littered with red flags—boasting up to 12 years of sketchy, copy-paste experience that doesn’t pass the smell test. These accounts are ghost-like, with barely any posts, reactions, or comments, yet they pack a laundry list of flashy skills, including Blockchain, AI, Cryptocurrency, Smart Contracts, MERN/MEAN stack, Next.js, Tailwind CSS, AWS, Microservices, GraphQL, E-commerce, React, Angular, TypeScript, SQL, MongoDB, and Rust.

The GitHub accounts linked to these job-site profiles are even shadier. In one case, a user had multiple repositories but not a single commit. Instead, another GitHub user was doing all the work and performing every commit. The second account was eventually exposed as fake and removed from GitHub—even before we identified the insider threat tied to the original profile.

IP Addresses Reveal Telltale Clues

North Korean IT workers love to use Astrill VPN to mask their location, likely because it’s effective at getting around the “Great Firewall of China,” where they’re sometimes based. Or perhaps it’s because Astrill’s star-and-circle logo resembles the one on the North Korean flag. Regardless of the reason, threat actors sometimes slip up while using Astrill, accidentally revealing their true locations either when the VPN connection drops or when they forget to activate it.

For example, one day they might log into Microsoft Teams through Astrill VPN, and the next they appear on the network of Russian internet service provider (ISP) TransTelekom (TTK), exposing their real location.

Russian TTK ISP

Russia and North Korea maintain a mutually beneficial alliance: Moscow provides Pyongyang with diplomatic backing and a counterbalance to US-led pressure (for now at least), while North Korea adds complexity to East Asia’s power dynamics. Since 2017, Russian ISP TTK has provided internet access to North Korea. While some North Korean IT workers simply use TTK’s services to connect with the outside world, others likely operate directly from Russia itself.

We saw this play out in our investigations when the TTK IP address 188.43.136[.]115 appeared in logs tied to remote monitoring and management (RMM) sessions, which North Korean workers rely on to access devices located in faraway laptop farms.

Although a login from a Russian IP doesn’t inherently indicate North Korean activity—given there are plenty of Russian threat actors—the certificate tied to the IP address contained a subject name under North Korea’s top-level domain (TLD): hangro[.]net[.]kp. Notably, .kp domains can only be registered by North Korean authorities, as there is no public registry for them. This certificate has also been observed on other confirmed North Korean IP addresses, further solidifying the connection.

TTK IP addresses associated with this campaign; many are geo-located in Khabarovsk, Russia:

  • 80.237.84[.]12

  • 80.237.87[.]21

  • 83.234.227[.]33-8

  • 188.43.33[.]252

  • 188.43.136[.]41,115

  • 188.43.253[.]77

China Unicom ISP

China remains North Korea’s most critical ally, providing political support, economic aid, and diplomatic backing. Historically, North Korea’s IP address ranges were connected to the rest of the internet through a single upstream network: China Unicom. However, in 2014, North Korea’s internet connection went dark just days after the US vowed to respond to a cyber attack on Sony Pictures. In this attack, North Korean hackers leaked sensitive emails, data, and unreleased films in retaliation for The Interview, a satirical film mocking Kim Jong-un. Following the blackout, it’s no surprise that North Korea turned to Russia for a backup internet route to sustain its cyber operations.

Our investigations revealed North Korean IT workers authenticating from both TTK and China Unicom within a short timeframe. This could suggest a single worker using both ISPs to access the internet from North Korea. Alternatively, and more worryingly, it could signal multiple threat actors in Russia and China, all posing as the same user to pull off the deception. This would explain their ability to execute the advanced skills boasted about in their LinkedIn profiles.

What’s more, with many of these insiders likely based in China, we found a recurring trend in their multifactor authentication (MFA) devices. In several incidents, Chinese-made brands like Oppo and Vivo were frequently identified—unsurprising given their popularity in China compared to iPhones, which dominate the US market.

China Unicom IP addresses found when investigating North Korean incidents:

  • 42.84.228[.]232

  • 60.20.1[.]234

  • 139.215.45[.]250

  • 113.227.237[.]46

  • 123.190.56[.]214

VPS IP Address Activity

We also saw virtual private server (VPS) IP addresses during authentications that weren’t associated with known VPN providers. Some traced back to Russia, others to the US, often with open ports presenting AnyDesk certificates—a favorite RMM tool for insider scams. This suggests that these threat actors aren’t relying solely on Astrill VPN; instead, they’re branching out and using any provider that gets the job done.

For organizations trying to track this activity, the infrastructure is often messy and difficult to untangle. However, it shows the importance of taking a holistic approach to identifying North Korean IT worker threats. While one login from Russia could be dismissed as a rogue VPN connection, multiple slip-ups—combined with the recruitment red flags—are far from coincidental. This also highlights the need to treat unusual geo-based logins as a critical indicator of malicious activity.

Multiple User Authentications from Same IP Address

Our investigations uncovered multiple North Korean insiders authenticating from the same fixed-line IP address. When two supposedly unrelated users in different environments connect from the exact same IP, it strongly suggests a laptop farm operating at that location.

But these threat actors don’t stop at targeting one company; they go after multiple positions within the same organization. In one case, ReliaQuest observed a single company infiltrated by up to 10 North Korean insiders within just six months. This is no coincidence—it’s a coordinated campaign designed to maximize access and impact.
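The two login patterns described in this and the preceding sections (a user flipping from Astrill VPN to a TTK or China Unicom fixed line, and one fixed-line IP shared by several supposedly unrelated users) can be pulled out of sign-in telemetry with a small correlation script. This is an added example, not ReliaQuest’s code: the event layout and the ISP labels are assumptions, the ISP label would normally come from an IP-enrichment source, and the sample events use documentation IP ranges rather than indicators from this report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# ISP labels this report ties to the activity (TTK, China Unicom) and the VPN
# the operatives favour. Assumed labels; real ones come from IP enrichment.
SUSPECT_ISPS = {"TransTelekom (TTK)", "China Unicom"}
VPN_PROVIDERS = {"Astrill VPN"}

# Constructed sample sign-in events: (user, tenant, timestamp, ip, isp).
# IPs are RFC 5737 documentation addresses, not indicators from the report.
EVENTS = [
    ("dev.alice", "acme",   "2025-03-01T09:00:00", "203.0.113.10", "Astrill VPN"),
    ("dev.alice", "acme",   "2025-03-02T09:05:00", "198.51.100.7", "TransTelekom (TTK)"),
    ("dev.bob",   "acme",   "2025-03-02T09:30:00", "192.0.2.44",   "Comcast"),
    ("qa.carol",  "globex", "2025-03-02T11:00:00", "198.51.100.7", "TransTelekom (TTK)"),
    ("dev.dan",   "acme",   "2025-03-03T08:00:00", "203.0.113.10", "Astrill VPN"),
]

def parse(events):
    """Convert ISO timestamps to datetime objects."""
    return [(u, t, datetime.fromisoformat(ts), ip, isp) for u, t, ts, ip, isp in events]

def vpn_to_suspect_isp(events, window_days=2):
    """Users seen on a VPN provider and then, within the window, on a suspect
    fixed-line ISP: the 'VPN dropped or was never turned on' slip-up.
    Returns {user: (vpn_ip, fixed_line_ip)}."""
    by_user = defaultdict(list)
    for user, _, ts, ip, isp in parse(events):
        by_user[user].append((ts, ip, isp))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts, ip, isp) in enumerate(logins):
            if isp not in VPN_PROVIDERS:
                continue
            for ts2, ip2, isp2 in logins[i + 1:]:
                if isp2 in SUSPECT_ISPS and ts2 - ts <= timedelta(days=window_days):
                    flagged[user] = (ip, ip2)
    return flagged

def shared_fixed_line_ips(events, min_users=2):
    """Non-VPN IPs used by several distinct users, even across tenants: the
    laptop-farm signal. Returns {ip: [(tenant, user), ...]}."""
    users_by_ip = defaultdict(set)
    for user, tenant, _, ip, isp in parse(events):
        if isp not in VPN_PROVIDERS:
            users_by_ip[ip].add((tenant, user))
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(vpn_to_suspect_isp(EVENTS))
    print(shared_fixed_line_ips(EVENTS))
```

Both checks are deliberately cross-tenant: the shared-IP signal only appears when sign-in data from more than one environment is correlated.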

IP-KVM Devices: The Ultimate Stealth Tool

Typically used for legitimate IT management and troubleshooting, IP-KVM devices like TinyPilot and PiKVM have become the go-to stealth tools for North Korean IT workers. These low-cost, customizable solutions provide full remote access to a computer's console, enabling complete control—even during boot processes, Basic Input/Output System (BIOS) configuration, or when the operating system is unresponsive. Their capabilities surpass those of traditional RMM software, and features like mouse-jiggling to prevent screen locks, combined with their compact design, make them ideal for flying under the radar. Most popular RMM tools used by North Korea, sometimes in tandem with IP-KVMs:

  • AnyDesk

  • RustDesk

  • VS Code Tunnelling

  • Chrome Remote Desktop

Unlike RMM tools, which leave software footprints on the host, IP-KVMs operate externally, bypassing traditional detection methods while maintaining persistence. With many companies blocking RMM tools, these IP-KVM devices now serve as a reliable workaround for rogue employees. In some cases, threat actors take their tactics a step further by using RMM tools alongside IP-KVMs for even greater control.

Even stealthy IP-KVM devices leave behind artifacts (see Table 1), and organizations with USB logging are beginning to monitor this activity. That’s likely why North Korean IT workers are now targeting companies that allow BYOD, where endpoint visibility is limited, making detection far more difficult. For organizations with remote employees using personal devices, stricter background checks and in-person identity verification are essential to mitigate these risks.

| Name | Cost | Serial Number | Artifacts |
|---|---|---|---|
| TinyPilot | $400 | 6b65796d696d6570690 | Windows devices: DNS request “tinypilot[.]local”; command ssh.exe pilot[at]tinypilot[.]local; command sudo.exe service tinypilot start. MacOS devices: file path /Library/ColorSync/Profiles/Displays/TinyPilot-*.icc. USB logging: DeviceDescription "Generic Monitor (%1);(TinyPilot)" |
| PiKVM | DIY ~$50; pre-built ~$300 | CAFEBABE | USB logging: ProductName "Optical Drive"; Manufacturer "PiKVM" |

Table 1: Indications of IP-KVM usage
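The Table 1 artifacts translate directly into hunting logic over endpoint telemetry. The script below is an added example, not ReliaQuest’s or the device vendors’ code; the record layout (host, telemetry type, free-text fields) and the sample log lines are constructed and would need mapping onto your EDR or USB-logging schema. Because the report notes that operatives are starting to rename devices, the serial numbers from the table are matched on every USB record independently of the product and manufacturer strings.

```python
import re

# Indicators from Table 1 (defanging removed so they match raw telemetry).
TINYPILOT_SERIAL = "6b65796d696d6570690"
PIKVM_SERIAL = "CAFEBABE"

# (rule name, telemetry type, pattern applied to the record text)
RULES = [
    ("tinypilot_dns",     "dns",     re.compile(r"\btinypilot\.local\b", re.I)),
    ("tinypilot_ssh",     "process", re.compile(r"ssh\.exe\s+\S+@tinypilot\.local", re.I)),
    ("tinypilot_service", "process", re.compile(r"sudo\.exe\s+service\s+tinypilot\s+start", re.I)),
    ("tinypilot_icc",     "file",    re.compile(r"/Library/ColorSync/Profiles/Displays/TinyPilot-[^/]*\.icc")),
    ("tinypilot_usb",     "usb",     re.compile(r"Generic Monitor \(%1\);\(TinyPilot\)")),
    ("pikvm_usb",         "usb",     re.compile(r'ProductName="Optical Drive".*Manufacturer="PiKVM"')),
    # Vendor strings can be renamed; the USB serial number is harder to change,
    # so it is matched on every USB record regardless of product name.
    ("kvm_serial",        "usb",     re.compile(rf"\b({TINYPILOT_SERIAL}|{PIKVM_SERIAL})\b", re.I)),
]

def hunt(records):
    """records: iterable of (host, telemetry_type, text). Returns [(host, rule_name)]."""
    hits = []
    for host, kind, text in records:
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(text):
                hits.append((host, name))
    return hits

# Constructed sample telemetry (field layout is assumed, not a real product's).
SAMPLE = [
    ("WS-01",  "dns",     "query=tinypilot.local type=A"),
    ("WS-01",  "process", r"cmd=C:\Windows\System32\OpenSSH\ssh.exe pilot@tinypilot.local"),
    ("MAC-02", "file",    "path=/Library/ColorSync/Profiles/Displays/TinyPilot-7A3F.icc"),
    ("WS-03",  "usb",     'ProductName="Optical Drive" Manufacturer="PiKVM" SerialNumber="CAFEBABE"'),
    # Renamed device: vendor strings changed, serial number left alone.
    ("WS-04",  "usb",     'ProductName="USB Hub" Manufacturer="Generic" SerialNumber="6b65796d696d6570690"'),
    ("WS-05",  "usb",     'ProductName="Flash Drive" Manufacturer="Kingston" SerialNumber="0123ABCD"'),
]

if __name__ == "__main__":
    for host, rule in hunt(SAMPLE):
        print(f"{host}: {rule}")
```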

IP-KVMs aren’t exclusive to North Korean insiders—ReliaQuest has seen them used by other users outsourcing their work to low-wage countries to boost profits. These outsourcers often juggle jobs at multiple companies and share many of the same tactics as North Korean operatives, making it tough to tell them apart. Affordable IP-KVMs like Dominion KX, JetKVM, nanoKVM, and Lantronix Spider are increasingly being abused, highlighting the need for businesses to actively monitor their endpoints for such devices to combat this growing trend.

Step Up Your Defenses Against North Korean Insiders

ReliaQuest’s Approach

ReliaQuest GreyMatter harnesses cutting-edge agentic AI to protect organizations from threats like North Korean IT worker scams. By automating security alerts and speeding up detection, investigation, and response, GreyMatter drastically reduces the mean time to contain (MTTC) threats. This allows businesses to shut down fraudulent activity more quickly and strengthen their defenses against North Korea’s evolving cyber tactics.

Threat Intelligence: ReliaQuest continuously monitors for new tactics and techniques adopted by North Korean IT workers to uncover new detection and threat hunting opportunities. Observed IOCs linked to these operations are also promptly added to GreyMatter threat feeds for proactive alerting.

Threat Hunting: ReliaQuest actively hunts for these threats across our customer base, focusing on critical indicators of insider scams. Key focus areas include identifying IP-KVM activity and Astrill VPN usage through logins and suspicious processes, flagging multiple remote authentications from the same fixed-line IP, and hunting for known Russian TTK, China Unicom, and VPS IPs linked to these campaigns.

Detection Rules: To ensure optimal protection, we recommend deploying detection rules built on the latest threat intelligence and ReliaQuest original research. These rules have been instrumental in exposing numerous scammers across our customer network. With agentic AI supercharging analysis and investigation, the likelihood of these threats succeeding is drastically reduced.

Your Action Plan

Protect your organization from North Korean insider threats and unauthorized access with these proactive measures. Designed to tackle emerging vulnerabilities head-on, this action plan will help keep your systems secure.

  • Enforce a COBO Policy: North Korean insiders are increasingly targeting companies with BYOD policies. Mitigate this risk by enforcing a COBO policy. This approach provides the visibility needed to spot and stop unauthorized users before they become a problem.

  • Introduce USB Device Control: Don’t let rogue IP-KVM devices like TinyPilot and PiKVM slip through the cracks. Set up a USB allowlist and configure alerts for connection attempts from unauthorized devices to keep your endpoints secure.

  • Block Unauthorized RMM Tools: Threat actors love exploiting RMM tools for unauthorized remote access. Stop them cold by blocking all RMM tools except a single authorized solution—at both the application and network level.

  • Strengthen Hiring Practices for Remote Employees: Malicious insiders like North Korean IT workers and outsourcers thrive on weak hiring protocols. Fight back with thorough practices: Conduct in-depth background checks, verify all references, check for identity or employment history gaps, and require in-person identity verification for remote roles.

Top Lessons and What’s Next

North Korean state-sponsored operatives are infiltrating Western companies by posing as skilled IT workers, particularly in full-stack web development roles. Using fake AI-generated profiles, stolen identities, and tools like Astrill VPN and IP-KVM devices, these operatives fund North Korea’s weapons programs while staying under the radar. Their tactics exploit vulnerabilities like BYOD policies, highlighting the growing sophistication of North Korean cyber operations and the urgent need for robust candidate vetting and geo-based login monitoring.

As their methods are exposed, these technically capable operatives are likely to step up their game. We assess with high confidence that North Korean IT workers will adapt their tactics as companies ramp up monitoring for indicators of IP-KVMs used alongside RMM tools. Recent cases already reveal they’re getting better at covering their tracks, such as renaming RMM tools and IP-KVM devices, which complicates detection and signals the need for more adaptive and dynamic defenses.

Although data extortion hasn’t been observed in our investigations yet, external reports suggest this tactic is on the rise, especially as threat actors are caught earlier in their schemes. To stay ahead of these evolving and persistent threats, businesses must prioritize proactive monitoring and threat hunting—because this battle is far from over.