
North Korean Hackers Stole $88M by Posing as US Tech Workers

Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning $88 million. Here is how they combined stolen identities and off-the-shelf technology to commit the fraud.

North Korean hackers used stolen identities to get remote IT jobs at US companies and non-profits, raking in at least $88 million over six years. The US Department of Justice indicted fourteen North Korean nationals on December 12, 2024, for their involvement. Security firm Flashpoint conducted a unique investigation, analyzing data recovered from the hackers’ own infected computers to uncover their tactics and exclusive details of the scheme.

Flashpoint’s investigation revealed the use of fake companies named in the indictment, including “Baby Box Info,” “Helix US,” and “Cubix Tech US,” to create believable resumes and provide fraudulent references. Researchers tracked infected computers, notably one in Lahore, Pakistan, which held login credentials for email addresses associated with these fake entities. The username “jsilver617,” potentially tied to a fake US identity “J.S.,” was found on one of these machines, which was used to apply for numerous tech jobs in 2023.

A critical piece of evidence was the extensive use of Google Translate between English and Korean, found in the browser history of an infected computer, which hinted at the hackers’ origins. Translated messages exposed their methods for creating fake job references, even including fabricated contact information for individuals at the sham companies. One translated message, posing as an HR manager from “Cubix,” provided false employment verification details.

Further communications hinted at a hierarchical structure within the operation and discussed “tradecraft,” such as strategies to avoid using webcams during online meetings. Frustration with a remote worker’s poor performance was also evident in a translated message stating, “It’s proof that you’re a failure.”

The investigation also uncovered discussions about shipping electronic devices, most likely laptops and phones for their remote work setups. This aligns with Hackread.com’s recent reporting on laptop farms, where US-based collaborators received company-issued devices so that North Korean workers could access them remotely, with the prominent North Korean group Nickel Tapestry identified as the key perpetrator.

In this case, one translated message inquired about the delivery of laptops to Nigeria. Browser history revealed tracking numbers for international courier services, including a shipment possibly originating from Dubai.

Translation provided by Flashpoint:

We need to make the Abdul's voices heard for a week. After that we can turn off the camera. They are very sensitive to voices. They might not ask Abdul to turn on the video if they don't think there is a difference in thg voices.

---

and you know that was same some that we have already summitted your profile, at that time they told that your rate is high and gave offer to another person , but that offer is backout and now they have backfill of it. please let me know if we can submit your profile at $65/hr on C2C/1099. this time prime vendor is different, but client is same.

---

I didn't complain when you didn't get the assignment for two months. But this is a different matter. It's proof that you're a failure and if you're like this, you won't be able to handle this job well.

The investigation also revealed the use of AnyDesk remote desktop software on the infected machines, suggesting the North Korean operatives accessed the US company systems remotely. This detail highlights the direct access they gained to sensitive company networks.

“Ever since its discovery, Fortune 500 companies, technology and cryptocurrency industries have been reporting even more secret DPRK agents siphoning funds, intellectual property, and information,” Flashpoint’s investigation, shared with Hackread.com, revealed.

Flashpoint’s inside look at this operation, achieved by analyzing compromised credentials and infostealer logs, provides a detailed understanding of North Korea’s sophisticated and profitable cyber fraud targeting US organizations.
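The kind of triage Flashpoint describes (spotting Korean-to-English Google Translate queries and remote-desktop tooling in a machine's browser history) can be scripted. The following is an added illustration, not Flashpoint's code or data: it runs over constructed tab-separated history lines, decodes the `sl`, `tl` and `text` parameters of translate.google.com URLs (the `op=translate` form seen in the recovered history), and separately flags visits to the AnyDesk download site.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample browser history: "<timestamp>\t<url>" per line.
# The Korean query decodes to "turn off the webcam"; none of this is real case data.
SAMPLE_HISTORY = """\
2023-05-02T09:14:11Z\thttps://translate.google.com/?sl=ko&tl=en&text=%EC%9B%B9%EC%BA%A0%EC%9D%84+%EB%81%84%EC%84%B8%EC%9A%94&op=translate
2023-05-02T09:20:47Z\thttps://translate.google.com/?sl=en&tl=ko&text=please+submit+your+profile&op=translate
2023-05-02T10:01:03Z\thttps://anydesk.com/en/downloads/windows
2023-05-02T10:05:30Z\thttps://example.com/jobs/remote-developer
2023-05-02T11:12:55Z\thttps://translate.google.com/?sl=es&tl=en&text=hola&op=translate
"""

TRANSLATE_HOSTS = {"translate.google.com"}
REMOTE_ACCESS_HOSTS = {"anydesk.com"}  # hypothetical watchlist; extend as needed


def parse_history(text):
    """Yield (timestamp, url) pairs from tab-separated history lines."""
    for line in text.splitlines():
        if line.strip():
            ts, url = line.split("\t", 1)
            yield ts, url


def translate_events(text, pair=("ko", "en")):
    """Return Google Translate queries whose language pair matches `pair`
    in either direction, with the translated text percent-decoded."""
    hits = []
    for ts, url in parse_history(text):
        u = urlparse(url)
        if u.hostname not in TRANSLATE_HOSTS:
            continue
        q = parse_qs(u.query)  # decodes %XX escapes and '+' as space
        sl, tl = q.get("sl", [""])[0], q.get("tl", [""])[0]
        if {sl, tl} == set(pair):
            hits.append({"ts": ts, "sl": sl, "tl": tl, "text": q.get("text", [""])[0]})
    return hits


def remote_access_hits(text):
    """Return history entries pointing at known remote-desktop vendors."""
    return [(ts, url) for ts, url in parse_history(text)
            if urlparse(url).hostname in REMOTE_ACCESS_HOSTS]


if __name__ == "__main__":
    for ev in translate_events(SAMPLE_HISTORY):
        print(ev["ts"], f"{ev['sl']}->{ev['tl']}", ev["text"])
    for ts, url in remote_access_hits(SAMPLE_HISTORY):
        print(ts, "remote-access tool:", url)
```

On a real infostealer or forensic export, the same decoding turns each translate URL back into the operator's message, which is what made the quoted exchanges above recoverable.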
