In an unprecedented intelligence operation, security researchers exposed how North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising.
Famous Chollima (also known as WageMole), part of North Korea’s state-sponsored Lazarus group, is known for social-engineering campaigns to infiltrate Western companies for espionage and revenue generation for the regime.
They managed to trick recruiters and secure jobs at Fortune 500 companies by leveraging stolen identities and heavy use of AI, including deepfake videos, while avoiding appearing on camera during interviews.
Another method is to recruit legitimate engineers and convince them to act as figureheads in the DPRK agents’ operation to obtain a remote job at a targeted company.
The frontman would have to be the face of the agents in all interactions with the company, including interviews, and would receive a percentage of the salary, between 20% and 35%, for the duration of the contract.
To get a larger sum, the compromised engineer would have to let DPRK agents use their computer.
This is done to hide the North Koreans’ location and their traces, since they would use the computer, and the engineer, as a proxy for malicious activities.
Mauro Eldritch, a hacker and threat intelligence specialist at BCA LTD, says that the compromised engineer takes on all the risk: having rented out their identity, they will be the only one held responsible for any damage done.
Spamming GitHub repositories
Eldritch became familiar with Famous Chollima’s recruiting tactics while leading the Quetzal Team, the Web3 Threats Research Team at the digital financial services company Bitso.