In recent years, North Korean state-sponsored hackers have adopted increasingly sophisticated tactics to infiltrate companies worldwide. These actors, often linked to groups like Lazarus, are increasingly posing as IT professionals or recruiters, using fake identities and fraudulent job offers as part of their social engineering efforts. The goal? To steal sensitive data, generate revenue, and fund the North Korean regime’s illicit activities. This article delves into their evolving techniques, the industries targeted, and the significant risks they pose to global businesses.
Summary of the
North Korean hackers, tied to state-backed groups such as Lazarus, are leveraging social engineering and malware to bypass hiring checks and gain access to sensitive networks worldwide. They’ve been using fake identities and job scams to infiltrate firms, with a specific focus on the crypto, finance, AI, and real estate sectors. Their activities, which include generating millions of dollars through freelance gigs, involve planting backdoors in victim systems.
One of the most recent incidents occurred in 2025, when GitLab banned 131 accounts linked to these malicious actors. These hackers often posed as developers from the United States, Europe, and Asia by creating fake profiles on GitLab, using Gmail or custom domains to conceal their identity. Their primary tactics involve delivering JavaScript malware, such as BeaverTail and OtterCookie, through bogus job interviews and coding tests.
The hackers use a two-pronged approach: the “Contagious Interview” and direct IT worker infiltration. In the first, they use fake recruiters on platforms like LinkedIn and freelancing websites, sending coding tests that execute malicious payloads. For the second, they build synthetic identities using AI-generated headshots, deepfakes, and stolen personal information to create fake resumes and apply for remote IT positions.
The scale of these operations is vast, with reports revealing millions of dollars funneled into the North Korean regime. One such case involved a group led by Kil-Nam Kang in Beijing, earning $1.64 million from 2022-2025. Another group operated under 21 fake personas, manipulating US IDs to gain access to companies. GitLab’s report highlights the advanced automation in these operations, where entire teams are dedicated to scraping images, forging passports, and scripting mass outreach on platforms like LinkedIn.
Despite increased awareness and actions taken by companies like Amazon, which blocked 1,800 suspect apps, these actors continue to refine their methods, using VPNs and masking IP addresses to remain undetected. Malicious NPM packages and fake coding tests are commonly employed as part of the strategy to steal credentials, access systems, and ultimately fund the regime’s weapons programs by evading sanctions.
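One pre-execution check for a coding test received from a recruiter, shown as an added example that is not from the original article or from GitLab's report. It assumes the test ships as a Node.js project and lists what `npm install` would run automatically, plus any dependencies fetched from outside the npm registry; the function name and the sample `package.json` are constructed for illustration.

```javascript
// Added example: triage a coding-test project's package.json BEFORE `npm install`.
// npm runs these lifecycle scripts automatically during a local install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// Dependency specifiers that pull code from somewhere other than the registry:
// git/URL/file sources, "user/repo" GitHub shorthand, or a relative path.
const NON_REGISTRY = /^(git\+|git:|github:|https?:|file:|[\w.-]+\/[\w.-]+(#.*)?$)/i;

// Hypothetical helper: returns a list of findings for a reviewer to read.
function triagePackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (err) {
    return [{ kind: 'unparseable', detail: err.message }];
  }
  if (pkg === null || typeof pkg !== 'object') {
    return [{ kind: 'unparseable', detail: 'package.json is not an object' }];
  }
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ kind: 'install-hook', name: hook, detail: scripts[hook] });
    }
  }
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec === 'string' && NON_REGISTRY.test(spec)) {
        findings.push({ kind: 'non-registry-dependency', name, detail: spec });
      }
    }
  }
  return findings;
}

// Constructed sample input, not taken from any real incident.
const SAMPLE = JSON.stringify({
  name: 'frontend-coding-test',
  scripts: { start: 'node server.js', postinstall: 'node ./config/setup.js' },
  dependencies: { express: '^4.18.2', 'ui-helpers': 'github:example-user/ui-helpers' },
});

for (const f of triagePackageJson(SAMPLE)) {
  console.log(`${f.kind}: ${f.name || ''} -> ${f.detail}`);
}
```

An empty result is not a clean bill of health: the project's own source still runs when the test is started, so unknown test projects belong in a disposable VM or container with no credentials, wallets, or SSH keys present.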
What Undercode Say:
The issue of North Korean hackers posing as IT professionals reflects a broader, more concerning trend of state-backed cyber threats in the digital age. This is not just an isolated case but part of a larger strategy of cyber warfare and economic disruption aimed at bypassing international sanctions. By infiltrating key sectors such as crypto, finance, and AI, these hackers are targeting industries that hold immense financial value, making their operations highly profitable.
The use of social engineering tactics like fake job offers and fraudulent coding tests is particularly effective because it exploits trust within professional networks. The digital workplace has blurred the lines of traditional security, making it easier for hackers to impersonate legitimate workers or contractors, gaining access to sensitive data through seemingly harmless interactions.
Furthermore, the ability of these attackers to create convincing synthetic identities using deepfakes and AI is a game-changer. This demonstrates a growing sophistication in cybercrime, where advanced tools are used not only to gain access but also to evade detection. Even the most established firms with strong security systems are at risk, as the GitLab and Amazon cases demonstrate.
Moreover, this trend is not limited to financial theft but is also part of a broader agenda to fund illicit activities, including weapons programs. As long as the North Korean regime faces international sanctions, these cyberattacks may continue to grow in frequency and scale, with businesses increasingly becoming unwitting players in a larger geopolitical conflict.
The evolving nature of these threats demands that businesses rethink their approach to cybersecurity. The traditional methods of hiring checks, such as basic background screenings and automated code audits, are no longer enough. Organizations must adopt more proactive, robust measures, including video interviews, IP geolocation checks, and a comprehensive audit trail for every hiring process. Additionally, employees must be educated to recognize the signs of social engineering, as these types of attacks often rely on human error.
Fact Checker Results:
North Korean state-sponsored hacking groups, like Lazarus, have indeed been implicated in cybercrimes involving social engineering and malware attacks on major global industries.
GitLab’s 2025 report exposed the depth of these operations, revealing fake accounts and sophisticated techniques to infiltrate the platform.
The actors behind these schemes are using AI and deepfake technologies to create convincing false identities, which significantly enhances the effectiveness of their infiltration efforts.
Prediction:
As cybersecurity defenses continue to improve, North Korean hackers will likely adapt by deploying even more advanced techniques, such as AI-driven phishing or real-time impersonation tools. We may also see an uptick in the targeting of smaller or mid-sized firms that lack the resources to implement robust security measures. Additionally, with global tensions continuing to rise, state-sponsored cyberattacks could become an even more integral part of international political strategies, further blurring the line between cybercrime and statecraft. Companies will need to stay ahead of this evolving threat by adopting cutting-edge technologies and continuously educating their teams on the latest cyber risks.
References:
Reported By: cyberpress.org