All Blog
Internet Weather
Threat Research
Threat Intelligence 101
Will Thomas
3
min read

Uncovering DPRK Remote Workers: Detecting Hidden Threats Through Internet Telemetry

Large and widely recognizable organizations around the world may be unknowingly funding North Korea’s cyber operations, and having their Intellectual Property, operational workflows, and general day to day inner workings exposed to the notorious hostile nation state.

In our June 2025 webinar, "The DPRK Remote Worker Challenge," we explored how Democratic People’s Republic of Korea (DPRK), also known as North Korea, operatives are infiltrating businesses by posing as freelance developers, leveraging remote work culture, outsourcing norms, and exploiting weak vetting practices to their advantage.

This blog unpacks key insights from the session and explains how internet telemetry can be used to detect these threats in the real world.

How North Korea Built a Remote Cyber Workforce

Since at least 2018, North Korean operatives have posed as IT contractors to gain access to corporate environments across the globe. According to the FBI, two DPRK nationals operated under false identities at 64 companies and generated up to $866,000 USD in illicit earnings.

A broader network of IT workers has been linked to over $6.8 million USD in revenue for North Korea between 2020 and 2023, much of which was laundered through cryptocurrency wallets and front companies source: U.S. DOJ.

These actors use tried and tested techniques to pass technical interviews, hide their infrastructure, and appear as legitimate employees.

They often:

  • Use AI-generated photos or manipulated stock images on resumes
  • Impersonate South Korean, Japanese, or Vietnamese developers
  • Use U.S. addresses and request laptops shipped abroad
  • Speak with English actors or rely on real-time translation tools
Real-World Impact: The LND.fi Case

On 9 May  2025, a blockchain-based project, LND.fi, was breached. The attacker had been hired unknowingly as a contractor and later used administrative access to steal $1.27 million USD. This incident exemplifies the high-stakes risk of failing to verify remote worker identities. The full post-mortem from LND can be found here.

The Role of Telemetry in Detection

While DPRK operatives are good at fooling HR and hiring managers, they leave traces in infrastructure. That’s where internet telemetry and Team Cymru comes in.

Telemetry can reveal:

  • Connections to known VPN exit nodes, such as Astrill VPN, often used by DPRK IT workers
  • Repeated activity from Russian (AS20485, TTK) or Chinese (AS134544, Cenbong) networks
  • Use of remote access tools like AnyDesk, RustDesk, and TeamViewer—often identifiable via X509 certificate fingerprints
  • Persistent outbound traffic during off-hours or from abnormal geolocations

These patterns become especially telling when viewed in combination.

For example:

These queries are not theoretical—they’re based on real indicators observed by our S2 NetFlow Research team at Team Cymru.

Third-Party and Supply Chain Risk

Many organizations may not hire DPRK workers directly. Instead, these threat actors often enter environments via outsourced software development firms or IT staffing vendors. Once inside, they often gain privileged access which could enable them to:

  • Exfiltrate proprietary code and customer data
  • Implant backdoors into the software supply chain
  • Steal cryptocurrency private keys and seed phrases
  • Deploy ransomware to production systems

The risk is not limited to the primary victim. Once disclosed, breaches involving DPRK actors often lead to contract terminations, client loss, and blacklisting in regulated industries like finance, healthcare, and defense.

Mandiant, Google, and CrowdStrike have each documented dozens of cases across North America, Europe, and Asia-Pacific, reinforcing the global scale of these threat sources: Mandiant / Google Threat Intelligence.

Questions You Should Be Asking:
  1. Are we monitoring outbound connections to known DPRK-linked ASNs?
  2. Do we cross-reference remote access activity with IP metadata and TLS certs?
  3. Can we identify cloned developer infrastructure (e.g., identical GitHub templates)?
  4. Are our third-party vendors communicating with flagged VPNs or infrastructure linked to the DPRK?
  5. Do we have thresholds in place to escalate behavioral anomalies to investigation?

If your telemetry or SOC tooling can’t answer these questions, your environment may be exposed.

Watch the Full Webinar Now

In the webinar, we go beyond headlines to provide:

  • Tactical indicators linked to real DPRK IT worker campaigns
  • Query examples you can implement today
  • Infrastructure patterns that persist even when identities are disguised
  • Insights into how organizations are adapting detection methods

Watch the webinar on-demand

Final Thought

North Korean remote IT workers don’t use malware to break in—they use resumes. But once inside, they can inflict just as much damage as a nation-state APT. Telemetry gives defenders the ability to detect what background checks can’t.

For technical teams tasked with protecting remote infrastructure and supply chains, this isn’t just a geopolitical issue—it’s an operational one.

To learn more or to speak with our intelligence advisory team contact at us here.

No items found.
Threat Intelligence 101