North Korean Hacker Lands Remote IT Job, Caught After VPN Slip
North Korean operative hired for remote IT job caught after VPN slip exposed Missouri login.
Summary
LevelBlue security researchers discovered a suspected North Korean hacker who successfully bypassed hiring checks to land a remote IT position with access to sensitive Salesforce data. The operative was caught within 10 days after using Astrill VPN to mask their location; a login from Missouri contradicted their reported China-based position, triggering high-severity alerts. Research indicates this was part of an organized state-sponsored scheme where elite North Korean workers earn over $300,000 annually to fund weapons programs.
Full text
New research from LevelBlue reveals how a suspected North Korean operative landed a remote IT role to fund national weapons programmes.

by Deeba Ahmed, March 23, 2026

A routine help-wanted ad almost led to an “insider threat from hell” for one Western company last year. Research from the security firm LevelBlue, shared with Hackread.com, reveals how a suspected North Korean hacker bypassed standard hiring checks to land a remote IT position, only to be caught and terminated within just 10 days.

The individual was hired on 15 August 2025 and assigned to work with sensitive Salesforce data. While the onboarding seemed normal, the firm’s security stack was already flagging anomalies. According to LevelBlue’s SpiderLabs threat intel team, the detection was made possible by combining crowdsourced threat data with behavioural analytics, a system that learns how a genuine employee acts so it can spot a fake one.

The Missouri Mistake

The operative’s undoing began with a simple geographic slip-up. Initially, Cybereason XDR, a security monitoring platform, established a baseline showing the worker was consistently logging in from China. However, on 21 August, a high-severity alert was triggered when a login attempt suddenly originated from an unmanaged device in St. Louis, Missouri.

Researchers explained in their blog post that the worker was using Astrill VPN to hide their actual location. They further noted that this specific VPN is a “high-fidelity indicator” of North Korean activity: as previously seen, groups like the Lazarus Group and its subgroups, such as Contagious Interview, rely on Astrill because it can bypass China’s Great Firewall. Astrill VPN also lets the operators tunnel traffic through US exit nodes and pose as legitimate domestic employees while managing their command-and-control infrastructure.
By 25 August, the company had revoked the employee’s Entra ID account, ending the threat before any damage could be done.

An Industrial-Scale Scheme

It is worth noting that this wasn’t a solo effort. Joint research from Flare and IBM X-Force indicates these workers are part of an organized state-sponsored ecosystem. These operatives are usually elite graduates from schools like the University of Sciences in Pyongyang and are linked to front organisations such as the Willow Tree Economic Technology Exchange Centre. Research further reveals that these teams use internal management platforms like RB Site and NetkeyRegister to track job applications and download software updates.

While some workers engage in data exfiltration (stealing company secrets), their primary goal is generally revenue. These workers can earn over $300,000 (£230,000) annually, providing a vital stream of cash for the North Korean regime’s weapons programmes.

[Video: a separate incident in which a North Korean hacker used a deepfake to trick a hiring manager into hiring him.]

Nevertheless, as remote hiring continues to expand, this case shows that the person behind the screen might be part of a global fraud network. To stay safe, companies should always verify that a new hire’s login locations match their reported home address and keep a close eye on any use of unauthorised personal devices or VPNs during the onboarding phase.

Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
Indicators of Compromise
- malware — Lazarus Group
- malware — Contagious Interview