North Korea's most profitable cyber operation isn't a hack. It's a job application.
The DPRK has placed thousands of IT workers inside Western companies using stolen identities, AI-generated photographs, and facilitator-run laptop farms on American soil. They earn up to $300,000 per year per worker. The government keeps 90%. The total take from just one indicted cell: $88 million. When they're caught — or sometimes before — they pivot to extortion, threatening to leak proprietary source code unless paid. We've been mapping this infrastructure. Here's what it looks like from the inside.
The Front Company Network
Five domains seized by the DOJ in October 2024 reveal the operational pattern. Each front company cloned a legitimate software firm's website, replacing logos and contact details while keeping the portfolio, testimonials, and service descriptions intact:
| Front Company | Seized Domain | Cloned From | Infrastructure |
|---|---|---|---|
| Independent Lab LLC | inditechlab[.]com | Kitrum (US software firm) | InterServer 174.138.181[.]198 |
| Shenyang Tonywang Technology | tonywangtech[.]com | Urolime (US DevOps firm) | InterServer 174.138.181[.]198 |
| Tony WKJ LLC | wkjllc[.]com | ArohaTech IT Services (India) | InterServer 174.138.181[.]198 |
| HopanaTech | hopanatech[.]com | ITechArt (legitimate firm) | Asia Web Services 180.235.135[.]177 |
| Shenyang Huguo Technology | huguotechltd[.]com | TatvaSoft (India) | Asia Web Services 103.15.29[.]44 |
Three of the five domains sat on the same InterServer IP. All were registered through NameCheap. The corporate filings trace back to suites 1006-23 and 1006-25 at Building A1, No. 11, Tawan Street, Huanggu District, Shenyang City, Liaoning, China — a single office floor running multiple shell companies.
A central figure, operating as "Tony Wang" (Wang Kejia), links HopanaTech, Tony WKJ LLC, and Shenyang Tonywang Technology through shared email addresses and registration data. A second registrant, Tong Yuze, registered the Beijing entity behind HopanaTech and controls at least 25 additional Chinese companies including a restaurant franchise — possible cover businesses for laundering IT worker revenue.
The Laptop Farm Model
The workers can't be physically present in the United States, so they use facilitators. Matthew Isaac Knapp of Nashville, Tennessee was the first American prosecuted for running a laptop farm — a physical location where company-issued laptops are racked and connected to the internet. DPRK workers VPN in from China or North Korea, appearing on the corporate network as if they're sitting in a U.S. home office. Knapp was sentenced to federal prison in 2024.
The December 2024 indictment of 14 DPRK nationals described the full pipeline: stolen American identities pass background checks, AI-modified photographs pass video interviews, and laptop farms bridge the physical gap. The workers operate on night shifts in their timezone to align with U.S. business hours. Network indicators include: multiple logins from different country IPs in short timeframes, accounts logged in continuously for 24+ hours, and port 3389 (RDP) traffic in router configurations.
KnowBe4: When a Security Company Gets Burned
On July 15, 2024, KnowBe4 — a security awareness training company — discovered they had hired a DPRK operative as a Principal Software Engineer. The worker:
- Submitted an AI-enhanced stock photo as their headshot
- Passed four video conference interviews using real-time identity spoofing
- Passed a standard background check using a stolen U.S. identity
- Received a company Mac workstation at a laptop farm address
- At 9:55 PM EST on day one, began loading malware using a Raspberry Pi
- Was detected by EDR at 10:20 PM EST, claimed it was "router troubleshooting," then went dark
No data was exfiltrated — the worker was sandboxed in a new-hire environment with no production access. But the breach of the hiring pipeline at a company whose entire business is security awareness training demonstrates how refined the operation has become.
Contagious Interview: The Developer Trap
The same DPRK apparatus runs a parallel campaign tracked as CL-STA-0240 (Contagious Interview). Fake recruiters — including a persistent LinkedIn persona called "Onder Kayabasi" active through August 2024 — contact software developers with interview opportunities. The "coding challenge" requires running a project that deploys a two-stage infection chain:
Stage 1 — BeaverTail: A downloader/infostealer originally written in JavaScript, rewritten in Qt framework since July 2024 for cross-platform Windows/macOS deployment. It masquerades as legitimate video-calling applications (MiroTalk.dmg, FreeConference installer) and immediately targets 13 cryptocurrency wallet browser extensions:
| Extension | Wallet |
|---|---|
nkbihfbeogaeaoehlefnkodbefgpgknn | MetaMask (Chrome) |
ejbalbakoplchlghecdalmeeeajnimhm | MetaMask (Edge) |
fhbohimaelbohpjbbldcngcnapndodjp | BNB Chain / Binance |
hnfanknocfeofbddgcijnmhnfnkdnaad | Coinbase |
ibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink |
bfnaelmomeimhlpmgjnjophhpkkoljpa | Phantom |
aeachknmefphepccionboohckonoeemg | Coin98 |
hifafgmccdpekplomjjkcfgodnhcellj | Crypto.com |
acmacodkjbdgmoleebolmdjonilkdbch | Rabby |
dlcobpjiigpikoobohmabehhmhfoodbb | Argent X (Starknet) |
aholpfdialjgjfhomihkjbmgjidlcdno | Exodus Web3 |
Stage 2 — InvisibleFerret: A Python backdoor that provides keylogging, file exfiltration, remote control, and on-demand AnyDesk installation. It fetches its payload from C2 servers on port 1224 — a consistent fingerprint across campaigns. Known C2 infrastructure includes 185.235.241[.]208 and 95.164.17[.]24. The malware searches every mounted drive for .env files — targeting developer credentials, API keys, and cloud service tokens.
The Money
DPRK-linked actors stole $1.34 billion in cryptocurrency across 47 incidents in 2024 alone — 61% of all crypto stolen globally that year. The Bybit exchange hack in February 2025, attributed by the FBI to the Lazarus Group, netted $1.5 billion in a single operation — the largest cryptocurrency theft in history.
IT worker revenue feeds the same pipeline. Individual workers earn up to $300,000/year; teams collectively generate $3+ million annually. Funds are laundered through Bitcoin CoinJoin mixers, cross-chain bridge services, and Huione Guarantee — a Cambodian marketplace identified as a significant DPRK laundering facilitator. Terminal destinations include PRC-based bank accounts and Chinese shadow banking systems.
The organizational sponsors include the 313 General Bureau of the Munitions Industry Department (which deploys the majority of the IT workforce), the Ministry of Atomic Energy Industry, and subordinate entities of the Korean People's Army.
What We're Tracking
We built the [DPRK IT Worker Database](https://dprk.ciphercortex.com) to systematically track this operation. The platform maps:
- Individuals — real names, aliases, nationality, operational status
- Groups — organizational affiliations and hierarchies (313 Bureau, Lazarus, APT38, Contagious Interview cells)
- Personas — fake identities across LinkedIn, GitHub, Upwork, Freelancer, npm, and other platforms
- Selectors — emails, phone numbers, crypto wallets, AnyDesk IDs, SSH keys, domains, IP addresses, and credentials linked to each individual
- Memberships — which individuals belong to which groups, with roles and timelines
Every front company domain, every seized wallet address, every BeaverTail C2, and every fake LinkedIn profile we identify gets cataloged with source attribution and confidence scoring. The database is live and continuously updated.
If a security company that trains people to spot social engineering can get burned, so can anyone. The DPRK IT worker operation is the most sophisticated identity fraud campaign ever run by a nation-state. The only defense is intelligence — knowing the personas, the selectors, and the infrastructure before they show up in your hiring pipeline.