A sophisticated cyberattack campaign from North Korea is quietly infiltrating remote tech job positions globally.
The group uses a set of fake identities, forged documents, and purchased online accounts to take blockchain project development positions, showing tight organization and practiced methods.
KEY POINTS
The North Korean IT group operates over 30 fake identities to take remote blockchain programming positions.
The group's cryptocurrency wallet is linked to the $680,000 Favrr exploit and many other suspicious transactions.
North Korea's cryptocurrency theft campaign stole $1.6 billion in 2025, equivalent to 35% of the total amount of stolen cryptocurrency.
How does North Korea's remote job campaign operate?
A five-member North Korean group has created and managed over 30 fake identities, using fake government documents and accounts purchased on job platforms like Upwork and LinkedIn to obtain blockchain project development jobs.
Leaked data from a North Korean IT employee's device shows that they keep job listings, weekly reports, expenses, and meeting schedules in English. They use AI tools, rented computers, VPNs, and proxies to disguise their activities, and use Google Translate together with Russian IP addresses to search for related data.
Telegram is used to coordinate job acceptance, handle payments, and transfer salaries through cryptocurrency wallets, showing how systematic and workable the group's operation is.
What is special about the cryptocurrency wallet linked to the $680,000 Favrr exploit?
A cryptocurrency wallet linked to this group has conducted multiple transactions, including a profit of $680,000 from the Favrr exploit in June 2025. The North Korean IT group participated as a CTO and programmer, using fake documents to carry out the fraud.
Other members are also connected to various projects through this wallet, showing a strong link between the cybercrime activity and detailed plans to exploit cryptocurrency.
Why is it difficult for companies to prevent the North Korean IT group from dominating remote jobs?
According to investigator ZachXBT, the biggest challenge is poor coordination between businesses and security agencies, along with recruitment teams' neglect of warnings. The group is not especially sophisticated technically, but it is very persistent in flooding the global remote programming job market.
They often use Payoneer to convert payments into cryptocurrency, thereby deceiving the system and avoiding quick detection. The overlapping efforts from multiple sides make it challenging to dismantle the group.
This campaign reflects a sophisticated combination of personnel controlling multiple fake identities and techniques using technology to cover their tracks, deceiving both recruitment platforms and security agencies.
ZachXBT, Blockchain investigator, August 2025
What is the current state of North Korea's cryptocurrency crime network?
North Korea's cryptocurrency theft activities are expanding on a large scale. In 2025, they stole $1.6 billion, accounting for 35% of the total stolen across the industry. Major incidents include attacks on the Axie Infinity platform ($620 million), DMM Bitcoin ($305 million), and Bybit ($1.5 billion).
A common tactic is fake IT recruitment used to gain access to cloud systems and steal digital assets. International security agencies face significant challenges in stopping this sophisticated and continuously expanding activity.
North Korea is currently one of the largest actors causing malware attacks and stealing digital assets in the global cryptocurrency sector.
TRM Labs report, H1 2025
Frequently Asked Questions
How does North Korea's remote job attack campaign operate?
They operate dozens of fake identities with documents and purchased accounts to take remote blockchain project development positions, then transfer money through cryptocurrency wallets.
Why do companies struggle to detect this group?
Because of poor coordination between businesses and security agencies, coupled with resistance from recruitment teams, this group can operate continuously and in varied ways.
What is the scale of the damage caused by the North Korean group?
In 2025, this group stole about $1.6 billion in cryptocurrency, accounting for 35% of the total value stolen across the industry.
What characteristics do cryptocurrency wallets related to North Korean attacks have?
These wallets conduct multiple transactions related to exploits and large-scale money transfers, and are often used to coordinate income from fraudulent activities.
What measures should be taken to counter this group?
Better coordination between companies and security agencies is needed, along with greater awareness among recruiters and close monitoring of suspicious accounts.
Source: https://tintucbitcoin.com/ca-map-trieu-tien-lua-dao-tien-dien-tu/