VPN Slip-Up Exposes Suspected North Korean Hacker

Nancy Tyson  - Tech Writer
Last updated: March 24, 2026
Suspected North Korean Operative Caught After Securing Remote IT Job at Western Firm
Radar Rundown
  • A suspected North Korean hacker bypassed hiring checks to land a remote IT job, gaining access to sensitive Salesforce data before being caught.

  • The operative’s undoing was a VPN slip-up, where a login from an unmanaged device in Missouri contradicted their established baseline in China.

  • This is allegedly part of a larger, state-sponsored scheme in which the regime places elite graduates in remote roles to generate over $300,000 per person annually for North Korea’s weapons programs.

A routine job ad almost became an “insider threat from hell” for one Western company. A suspected North Korean operative got a remote job, only for the company to catch them within 10 days.

Notably, a simple geographic mistake blew the hacker’s cover. Security software flagged a login from an unmanaged device in Missouri, revealing the entire operation.

Details of the bust: a job offer that almost went wrong

It started last year on August 15, when a Western company had just filled a remote IT position. The new hire seemed perfect on paper, so the company onboarded them and gave them access to sensitive Salesforce data.

But here is where things got tricky. The company’s security setup wasn’t just running in the background. The system actively learns.

LevelBlue’s SpiderLabs team had deployed a system that combined crowdsourced threat data with behavioral analytics. This meant the system could figure out how a real employee acted, so it could instantly spot a fake one.

The mistake that busted the hacker

For the first few days, everything looked consistent. The security platform, Cybereason XDR, had a baseline: this new worker was logging in from China.

Then, on August 21, an alert fired indicating that someone was trying to log in from an unmanaged device in St. Louis, Missouri. That is a significant geographic disparity from the China baseline.

Researchers later explained that the employee was using Astrill VPN to conceal their real location. Turns out, that specific VPN is a major red flag for spotting North Korean activity.

Groups like the infamous Lazarus Group rely on it because it can bypass strict firewalls. It also lets them route their traffic through U.S. servers, making them look like legitimate domestic employees.

By August 25, the company took action. They revoked the new employee’s Entra ID account, and that single action ended the threat before it caused any real damage.

Part of a bigger operation

Interestingly, this wasn’t just one lone wolf trying to score a paycheck. Joint research from Flare and IBM X-Force shows this is a whole organized ecosystem. We’re talking about elite graduates, often from schools like the University of Sciences in Pyongyang, who are linked to front organizations like the Willow Tree Economic Technology Exchange Centre.

These operatives work in teams. They use internal platforms such as RB Site and NetkeyRegister to manage job applications and download software updates. While some might receive the task of stealing company secrets, that’s not the main goal for most. It’s about the money.

Allegedly, these employees are responsible for generating money to fund the North Korean regime’s weapons programs. And each person can pull in more than $300,000 annually.

What can companies learn from this? As more people adopt remote working, telling who is genuine gets harder. The candidate you see on-screen might be part of a global fraud network. One practical way to protect yourself is by verifying that your new employee’s login locations are consistent with what they report as their home address.

The threat is global and multi-faceted: while North Korean operatives seek funding, Iranian hackers target Israeli firms for geopolitical gain, reminding businesses everywhere that state-sponsored cyber threats come from many directions and require constant vigilance.

You also need to monitor for unauthorized devices and VPN usage, especially during the onboarding process, because in this case a single VPN misstep exposed the larger scheme.
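The two checks the article recommends (login locations consistent with the reported home address, and alerts on unmanaged devices once a new hire’s baseline is set) can be scripted against identity-provider sign-in logs. The following is an added example written for this article, not code from LevelBlue, Cybereason or the company involved; the sign-in events, the onboarding date and the five-day baseline window are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sign-in events for one new hire (illustrative, not data from the article).
@dataclass(frozen=True)
class SignIn:
    day: date
    country: str
    region: str
    managed_device: bool  # True if the device is enrolled in endpoint management

START = date(2025, 8, 15)  # hypothetical onboarding date
EVENTS = [
    SignIn(date(2025, 8, 15), "CN", "Shanghai", True),
    SignIn(date(2025, 8, 16), "CN", "Shanghai", True),
    SignIn(date(2025, 8, 18), "CN", "Shanghai", True),
    SignIn(date(2025, 8, 21), "US", "Missouri", False),  # the deviation to catch
]

def baseline_location(events, start, window_days=5):
    """Most common (country, region) seen during the first window_days of employment."""
    counts = Counter((e.country, e.region) for e in events
                     if 0 <= (e.day - start).days < window_days)
    return counts.most_common(1)[0][0] if counts else None

def review_onboarding(events, start, home_country, window_days=5):
    """Return (day, reason) findings: a baseline that contradicts the reported home
    country, then every post-window sign-in from a new location or an unmanaged device."""
    base = baseline_location(events, start, window_days)
    if base is None:
        return [(start, "no sign-ins during the baseline window")]
    findings = []
    if base[0] != home_country:
        findings.append((start, f"baseline {base} does not match reported home country {home_country}"))
    for e in sorted(events, key=lambda e: e.day):
        if (e.day - start).days < window_days:
            continue  # these events formed the baseline; do not re-score them
        reasons = []
        if (e.country, e.region) != base:
            reasons.append(f"location {e.country}/{e.region} differs from baseline {base[0]}/{base[1]}")
        if not e.managed_device:
            reasons.append("unmanaged device")
        if reasons:
            findings.append((e.day, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for day, reason in review_onboarding(EVENTS, START, home_country="CN"):
        print(day, reason)
```

Feeding it real sign-in exports means mapping your IdP’s country, region and device-compliance fields onto the SignIn record; the scoring logic stays the same.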


About the Author

Nancy Tyson

Tech Writer

Nancy has been working as a Cybersecurity writer for over three years and contributes her expertise in the VPN area. Due to the technology element in Nancy’s education, she has acquired the ability to assess the online security environment objectively and explain concepts in simple terms to the readers of articles in the field. Besides using her time to learn about new VPN services, Nancy likes cooking, reading a good book, and often going to parties.
