2025-01-30

North Korean IT Workers Leveraging Insider Access for Extortion

Level: Strategic  |  Source: BleepingComputer & FBI  |  Region: Global

The FBI has issued an advisory warning about malicious activity by North Korean IT workers who infiltrate U.S.-based companies and exfiltrate sensitive data, including source code, in order to extort their employers. These workers are typically hired into remote positions, impersonate legitimate IT professionals, and use their network access for espionage and criminal activity. “After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands. In some instances, North Korean IT workers have publicly released victim companies' proprietary code,” the FBI reported. North Korean IT workers have been observed copying source code repositories, such as those hosted on GitHub, to personal cloud accounts and user profiles. Additionally, “North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities,” the FBI noted. The campaign appears to be part of a broader effort by North Korea to generate revenue for the regime through illicit activity, including cryptocurrency thefts amounting to $659 million in 2024 alone.

These workers use their insider knowledge to hold sensitive data for ransom or release it publicly, forcing employers to meet their demands. Once embedded within a company, they can exploit virtual desktop infrastructure (VDI) environments, which some companies have adopted as a cost-saving measure; abusing such setups lets the actors conceal malicious activity and maintain access. BleepingComputer reported that these campaigns targeted over 64 U.S.-based companies between 2018 and 2024, exposing weaknesses in remote hiring practices. The tactics of North Korean IT workers extend beyond data theft. As documented by KnowBe4, they employ artificial intelligence (AI) and face-swapping technology to conceal their identities during interviews, making fraudulent applicants harder for hiring managers to detect. Their resumes often contain reused email addresses, phone numbers, and unusual nomenclature. Once hired, these individuals abuse their remote access privileges, logging in from multiple IP addresses across different countries within short timeframes, a telltale sign of their operational methods.

To mitigate these threats, the FBI advises organizations to apply the principle of least privilege by disabling local administrator accounts and limiting permissions to install remote desktop applications. Companies should closely monitor network traffic, particularly for unusual patterns such as multiple logins to a single account from diverse geographic locations. Reviewing network logs for potential data exfiltration through shared drives and private repositories is also essential. Strengthening remote hiring processes is critical to countering these risks. Organizations are encouraged to verify candidate identities during interviews and onboarding, cross-check HR records for repeated contact information, and audit third-party staffing firms to ensure robust hiring practices. Asking “soft” interview questions to verify location and educational background, especially for candidates claiming non-U.S. qualifications, can also help identify fraudulent applicants. Completing as much of the hiring process as possible in person further reduces the risk of infiltration.
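The multi-geography login signal described above (one account succeeding from several countries within a short window) is straightforward to turn into a detection. The following Python is an added example written for this summary; it is not code from the FBI advisory, BleepingComputer or Anvilogic. The log line format, the user names, the IP addresses and the IP-to-country table are all constructed for the demo (in practice the country would come from a GeoIP database or the identity provider's own geolocation field).

```python
"""Flag accounts that log in successfully from several countries within a short window.

Added example for this threat summary, not from the FBI advisory. The log format,
the accounts, the IPs and the IP_COUNTRY table are constructed; in production the
country lookup would come from a GeoIP database or the IdP's sign-in logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_LOGS = """\
2025-01-28T08:02:11Z jdoe 203.0.113.10 SUCCESS
2025-01-28T08:41:53Z jdoe 198.51.100.7 SUCCESS
2025-01-28T09:15:02Z jdoe 192.0.2.44 SUCCESS
2025-01-28T09:30:00Z asmith 203.0.113.22 SUCCESS
2025-01-28T17:45:10Z asmith 198.51.100.9 SUCCESS
2025-01-28T10:05:00Z bwong 192.0.2.80 FAIL
2025-01-28T10:06:00Z bwong 192.0.2.80 SUCCESS
2025-01-29T10:06:00Z jdoe 203.0.113.10 SUCCESS
"""

# Constructed stand-in for a GeoIP lookup (documentation-range IPs, made-up countries).
IP_COUNTRY = {
    "203.0.113.10": "US",
    "203.0.113.22": "US",
    "198.51.100.7": "CN",
    "198.51.100.9": "RU",
    "192.0.2.44": "LA",
    "192.0.2.80": "US",
}


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp and country."""
    ts, user, ip, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "country": IP_COUNTRY.get(ip, "??"),   # unknown IPs still count as a distinct country
        "ok": result == "SUCCESS",
    }


def multi_country_logins(log_text, window_hours=2, min_countries=2):
    """For each account, find the window_hours-long span (starting at a successful
    login) that covers the most distinct countries. Returns
    {user: (first_ts, last_ts, sorted_countries)} for accounts that reach
    min_countries; accounts that never do are omitted."""
    window = timedelta(hours=window_hours)
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            if e["ok"]:                      # failed attempts are ignored for this signal
                events[e["user"]].append(e)

    findings = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, first in enumerate(evs):      # slide a window anchored at each login
            countries = {first["country"]}
            last = first["ts"]
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                countries.add(later["country"])
                last = later["ts"]
            if len(countries) >= min_countries and (best is None or len(countries) > len(best[2])):
                best = (first["ts"], last, sorted(countries))
        if best:
            findings[user] = best
    return findings


if __name__ == "__main__":
    for user, (first, last, countries) in multi_country_logins(SAMPLE_LOGS).items():
        print(f"{user}: {', '.join(countries)} between {first:%H:%M} and {last:%H:%M} UTC")
```

With the default two-hour window only `jdoe` is flagged (US, CN and LA within 73 minutes); `asmith` only trips when the window is widened to a day, which is the trade-off the `window_hours` knob exposes. Before alerting on this in production, allowlist known corporate VPN and cloud egress ranges and expect mobile roaming to produce some benign hits; the signal is strongest when combined with the other indicators on this page, such as sessions from non-company devices or large clones of private repositories.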
