21 July 2025, Geneva
North Korea has quietly established a global network of remote IT workers and freelancers to generate revenue, bypass sanctions, and facilitate cyber operations. These operatives pose as legitimate contractors, infiltrating Western organizations while siphoning sensitive data and funds back to Pyongyang. This briefing dissects their evolving tactics, techniques, and procedures (TTPs), highlights active campaigns, and assesses implications for cybersecurity and geopolitical stability over the coming month.
DPRK-affiliated actors are exploiting freelance platforms and remote work ecosystems to gain access to target organizations. They use anonymizing tools (VPNs, proxies), falsified KYC documents, and crypto-based payments to operate under the radar.
Recent reports show:
Hundreds of North Korean IT workers are deployed globally, earning an estimated $3B annually for the regime.
Multiple U.S. and European firms are inadvertently hiring these operatives through subcontracting.
Supply chain compromises have been discovered originating from rogue contractors embedded in software teams.
While the use of remote operatives to infiltrate organizations is not a new tactic, it underscores the persistent challenge of insider threats in the modern workforce. Mature organizations with robust identity verification, access management, and behavioral monitoring controls are already well-positioned to detect and mitigate such activity. However, gaps in contractor vetting, weak segmentation, and limited visibility into third-party access remain common across industries. Addressing these vulnerabilities is critical as North Korean and other actors increasingly exploit the distributed nature of remote work to advance their objectives.
According to Jacob Williams, ISRS Advisory Council Member and Vice President of Research & Development at Hunter Strategy, these revenue-driven attacks are even more difficult to detect:
“If these operations in your network are purely revenue-driven, stakeholders should understand they are highly unlikely to detect these threat actors through purely technical means. In my experience, deep forensic analysis of suspect machines often reveals signs suggesting the user is not physically present, perhaps the system is operating in a laptop farm, but these indicators rarely translate into reliable detection signatures.”
— Jake Williams (aka MalwareJake), ISRS Advisory Council
Freelance Platform Abuse & Identity Fraud
DPRK operatives utilize Upwork, Fiverr, and bespoke contracting agencies, often employing fake IDs and resumes.
Use of residential proxy services to mask geolocation during work sessions.
Supply Chain Infiltration
Remote workers insert malicious code into software repositories (e.g., NPM packages, GitHub projects).
Deployment of hidden backdoors enabling long-term access.
Financial Laundering
Payments are routed through crypto mixers, shell companies, and non-sanctioned third parties.
Incident breakdown by type (share of observed incidents):

Credential Harvesting        42%
Supply Chain Injections      25%
Data Exfiltration            18%
Financial Fraud              10%
Wiper/Destructive Payload     5%
While most incidents are revenue-driven, approximately 25% show the hallmarks of intelligence-gathering for future operations.
Near term
Increase in fake contractor onboarding across tech, fintech, and defense firms.
Potential discovery of embedded DPRK code in open-source libraries; targeted phishing of crypto startups.
Long term
Coordinated laundering attempts via emerging crypto mixers; risk of disruptive malware.
Sanctions Evasion: Freelance work can be an asymmetric method of bypassing financial restrictions.
Attribution Complexity: Masked identities hinder legal enforcement and diplomatic response.
Allied Spillover: Firms in EU and APAC already report compromise incidents linked to subcontractors.
Audit existing remote contractors for identity anomalies.
Deploy enhanced geoIP monitoring and behavioral analytics.
Harden supply chain security; enforce mandatory code reviews and signed commits.
Train HR and procurement teams to recognize freelance platform risks.
Develop frameworks for inter-agency intelligence sharing on DPRK proxy networks.
Engage in narrative inoculation to combat disinformation around attribution disputes.
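As an added illustration of the geoIP monitoring and behavioral analytics the recommendations call for (example code written for this page, not part of the ISRS briefing), the following Python ranks contractor accounts against three indicators drawn from the briefing: a source IP in an anonymizing or residential-proxy range, several supposedly independent contractor accounts logging in from one source IP (the laptop-farm pattern), and logins concentrated outside working hours for the declared time zone. The accounts, UTC offsets, IP-to-ASN lookup and log lines are all constructed; a real deployment would take the declared zone from HR records and the IP data from a geoIP/ASN feed.

```python
# Added example: rank contractor accounts by three heuristics from the briefing.
# anonymizing_asn = IP in a residential-proxy/VPN range; shared_source_ip = several
# "independent" contractors on one IP; off_hours_logins = most logins outside
# working hours in the declared zone. Risk ranking for human review, not verdicts.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed data (fictitious accounts, documentation-range IPs, made-up ASN labels);
# a real deployment would read the declared zone from HR and IP_INFO from a geoIP feed.
CONTRACTORS = {"alice.dev": -5, "bob.qa": 2, "carl.ops": -4}  # declared UTC offset (h)
IP_INFO = {  # ip -> (asn_label, is_anonymizer)
    "198.51.100.7": ("EXAMPLE-RESIDENTIAL-PROXY", True),
    "203.0.113.22": ("EXAMPLE-TELECOM", False),
    "192.0.2.45": ("EXAMPLE-CABLE", False),
}
LOG_LINES = [  # "<utc timestamp> <user> <ip> <action> <result>"
    "2025-07-14T07:02:41Z alice.dev 198.51.100.7 login ok",   # 02:02 local
    "2025-07-15T08:10:09Z alice.dev 198.51.100.7 login ok",   # 03:10 local
    "2025-07-16T09:30:00Z alice.dev 198.51.100.7 login ok",   # 04:30 local
    "2025-07-14T08:00:00Z bob.qa 203.0.113.22 login ok",      # 10:00 local
    "2025-07-15T07:45:30Z bob.qa 203.0.113.22 login ok",      # 09:45 local
    "2025-07-14T13:00:00Z carl.ops 198.51.100.7 login ok",    # 09:00 local
    "2025-07-14T13:30:00Z carl.ops 192.0.2.45 login failed",  # ignored
]

def parse_line(line):
    """Return (utc_datetime, user, ip) for a successful login, else None."""
    ts, user, ip, action, result = line.split()
    if (action, result) != ("login", "ok"):
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip

def triage(lines, contractors, ip_info, work_hours=(6, 22)):
    # Map each contractor to the sorted list of risk codes it triggers.
    logins, users_by_ip = defaultdict(list), defaultdict(set)
    for utc_dt, user, ip in filter(None, map(parse_line, lines)):
        if user in contractors:
            logins[user].append((utc_dt, ip))
            users_by_ip[ip].add(user)
    report = {}
    for user, offset in contractors.items():
        codes, off_hours, local_tz = set(), 0, timezone(timedelta(hours=offset))
        for utc_dt, ip in logins[user]:
            if ip_info.get(ip, ("", False))[1]:
                codes.add("anonymizing_asn")
            if len(users_by_ip[ip]) > 1:
                codes.add("shared_source_ip")
            if not work_hours[0] <= utc_dt.astimezone(local_tz).hour < work_hours[1]:
                off_hours += 1
        if off_hours * 2 > len(logins[user]):  # strict majority of logins off-hours
            codes.add("off_hours_logins")
        report[user] = sorted(codes)
    return report
```

On the constructed log, alice.dev triggers all three codes, carl.ops shares her proxy IP but keeps normal hours, and bob.qa produces no findings; as the quoted analyst notes, such indicators prioritise accounts for review rather than prove a laptop farm.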
North Korea’s use of remote workers is a hybrid threat, blurring lines between legitimate freelance labor and state-directed cybercrime. Over the next month, ISRS anticipates increased infiltration of global supply chains, rising financial fraud, and attempts to establish long-term access to critical infrastructure. Vigilant screening, technical defenses, and cross-sector collaboration are essential to blunt these operations.
Prepared by:
ISRS Strategic Advisory & Risk Analysis Unit
Geneva, Switzerland
About ISRS
The Institute for Strategic Risk and Security (ISRS) is an independent, non-profit NGO focusing on global risk and security.
Copyright (c) 2025, Institute for Strategic Risk and Security