Security researchers expose ongoing hacking campaign by North Korea-backed hackers

During the Cyberwarcon conference in Washington, D.C., security researchers detailed an ongoing and highly sophisticated campaign by North Korea-backed hackers to infiltrate multinational corporations under the guise of legitimate employees. The effort has enabled the regime to steal billions in cryptocurrency and corporate secrets, funding its nuclear weapons program despite heavy international sanctions.

A global web of deception

North Korean hackers have adopted elaborate tactics to pose as IT workers, venture capitalists, and recruiters to gain access to sensitive corporate systems. James Elliott, a Microsoft security researcher, revealed that North Korean operatives have infiltrated “hundreds” of organizations worldwide. These hackers rely on U.S.-based facilitators to bypass financial sanctions, setting up “laptop farms” where company-issued devices are remotely accessed by North Korean operatives.

“These are not one-off incidents. This is a sustained, evolving campaign,” said Elliott.

How the hackers operate

A typical operation begins with the creation of fake professional profiles on platforms like LinkedIn and GitHub. Using AI-generated photos, deepfake technology, and convincingly crafted resumes, these imposters secure remote positions. Once hired, the employee’s laptop is sent to a U.S. address controlled by the facilitator, who installs remote access software.

Once inside a company’s network, hackers steal sensitive intellectual property, financial data, and cryptocurrency. Microsoft attributed at least $10 million in stolen cryptocurrency over a six-month period to a North Korean group dubbed “Sapphire Sleet.” Another group, “Ruby Sleet,” targets aerospace and defense firms for industrial espionage.

Sloppy mistakes reveal operations

Despite their sophisticated techniques, researchers have identified telltale signs of fraud. Hoi Myong and researcher SttyK, speaking at Cyberwarcon, shared examples of North Korean operatives exposing their cover through linguistic errors or discrepancies in their fabricated identities.

For instance, one operative claimed to be Japanese but used phrases inconsistent with the Japanese language. Another cited a Chinese bank account but was traced to an IP address in Russia.

Elliott also described a breakthrough discovery: a repository of internal North Korean documents, inadvertently made public, detailing entire playbooks for the operation, including fake resumes and earnings records.

The call for vigilance

While some companies, like security firm KnowBe4, have publicly disclosed their encounters with North Korean hackers, most remain silent about being duped. Researchers urged businesses to adopt more stringent employee vetting processes to combat this ongoing threat.

“They’re not going away,” said Elliott. “They’re going to be here for a long time.”