{"id":57432,"date":"2024-10-18T04:28:12","date_gmt":"2024-10-18T04:28:12","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/"},"modified":"2024-10-18T04:28:12","modified_gmt":"2024-10-18T04:28:12","slug":"biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/","title":{"rendered":"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began"},"content":{"rendered":"<p>It&#8217;s a pattern cropping up more and more frequently: a company fills an IT contractor post, not realizing it&#8217;s mistakenly hired a North Korean operative. The phony worker almost immediately begins exfiltrating sensitive data, before being fired for poor performance. Then the six-figure ransom demands \u2013 accompanied by proof of the stolen files \u2013 start appearing.<\/p>\n<p>Secureworks&#8217; incident responders have come across this pattern during &#8220;numerous investigations,&#8221; we&#8217;re told. And &#8220;multiple&#8221; tactics used in these scams align with North Korea&#8217;s Nickel Tapestry crew, which relies on the fake IT worker schemes to line Kim Jong Un&#8217;s coffers. 
According to the US government, these <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/10\/08\/us_lazarus_group_crypto_seizure\/\" rel=\"noopener\">illicit funds<\/a> contribute to the DPRK&#8217;s <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/home.treasury.gov\/news\/press-releases\/jy2215\">illegal weapons programs<\/a>.<\/p>\n<p>&#8220;The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes,&#8221; Secureworks Counter Threat Unit research team <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.secureworks.com\/blog\/fraudulent-north-korean-it-worker-schemes\">remarked<\/a> in a report.<\/p>\n<p>&#8220;The extortion incident reveals that Nickel Tapestry has expanded its operations to include theft of intellectual property with the potential for additional monetary gain through extortion,&#8221; and this &#8220;significantly changes the risk profile&#8221; for businesses that accidentally hire a North Korean techie, Secureworks warned.<\/p>\n<p>Data theft followed by extortion does, however, follow the pattern of <a target=\"_blank\" 
href=\"https:\/\/www.theregister.com\/2024\/09\/05\/fbi_north_korean_scammers_prepping\/\" rel=\"noopener\">escalating tactics<\/a> documented by an earlier <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.ic3.gov\/PSA\/2023\/PSA231018\">FBI alert<\/a> and falls in line with North Korean government-backed hackers&#8217; ongoing money-making schemes.<\/p>\n<p>Other fake worker tactics have been documented by the <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and\">feds<\/a> and friends in the <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/assets.publishing.service.gov.uk\/media\/66e2ec410d913026165c3d91\/OFSI_Advisory_on_North_Korean_IT_Workers.pdf\">UK<\/a> [PDF] and Australia. Secureworks\u2019 incident response team has observed these fake contractors requesting changes to delivery addresses for employer-issued laptops, which are then rerouted to laptop farms \u2013 both to hide the new hire&#8217;s location and also to establish persistent access to corporate systems.<\/p>\n<p>Or, in some cases, the North Korean scammers will ask to use a personal laptop instead of a company-issued device and indicate their preference for using a virtual desktop.<\/p>\n<h3 class=\"crosshead\">You&#8217;ve been pwned<\/h3>\n<p>In one case documented by Secureworks, the phony worker exfiltrated proprietary information to a personal Google Drive location using the corporate virtual PC.<\/p>\n<p>After firing the cyber crook, the biz received &#8220;a series of emails&#8221; \u2013 one including .ZIP archive attachments containing samples of the stolen documents, and another demanding a six-figure ransom, paid in cryptocurrency, or else the criminals would leak the sensitive information.<\/p>\n<p>&#8220;Later that day, an email from a Gmail address shared a Google Drive folder containing additional evidence of stolen data,&#8221; the report notes.<\/p>\n<p>The threat hunters observe they&#8217;ve also spotted criminals using Chrome Remote Desktop to remotely manage and access corporate systems, and AnyDesk for remote access \u2013 despite this tool not being typically needed for their jobs.<\/p>\n<p>&#8220;Analysis of AnyDesk logs in one engagement revealed connections to Astrill VPN IP addresses, indicating the application is part of Nickel Tapestry&#8217;s toolset,&#8221; we&#8217;re told.<\/p>\n<p>Another indication that you may have accidentally hired a North Korean criminal: these IT workers avoid video calls as much as possible, claiming the webcams on company-provided computers aren&#8217;t working.<\/p>\n<p>To be fair: this excuse also comes in handy on no-makeup and frizzy-hair days for legitimate <span class=\"strike\">reporters<\/span> employees.<\/p>\n<p>Secureworks reports that their forensic evidence found free SplitCam virtual video clone software \u2013 which can help disguise the fake workers&#8217; identity and location \u2013 in use on the scammers&#8217; laptops. &#8220;Based on these observations, it is highly likely that the threat group is experimenting with various methods for accommodating companies&#8217; requests to enable video on calls,&#8221; the security analysts note.<\/p>\n<p>They also advise companies to be on the lookout for &#8220;suspicious financial behavior&#8221; \u2013 such as updating bank accounts for paycheck deposits multiple times in a short period. Specifically, the researchers have seen the use of bank accounts operated by the Payoneer Inc. 
digital payment service in these scams.<\/p>\n<p>Plus, if you&#8217;ve inadvertently hired one phony North Korean IT worker, it&#8217;s likely that you&#8217;re employing more than one scam artist \u2013 or even the same individual who has adopted multiple personas.<\/p>\n<p>&#8220;In one engagement, several connections across multiple contractors employed by the company surfaced, with Candidate A providing a reference for a future hire (Candidate B), and another likely fraudulent contractor (Candidate C) replacing Candidate B after that contractor&#8217;s termination,&#8221; the team wrote, adding that in another incident they caught multiple individuals using the same email address.<\/p>\n<p>&#8220;This observation indicates that North Korean IT workers are often co-located and may share jobs,&#8221; according to the report.<\/p>\n<h3 class=\"crosshead\">How not to get scammed<\/h3>\n<p>To avoid falling victim to this remote IT worker scam, Secureworks recommends checking job candidates&#8217; documentation and conducting in-person interviews if possible.<\/p>\n<p>Infosec awareness and training provider KnowBe4 would likely second this recommendation. The security shop conducted four video interviews with a candidate and checked their appearance matched photos on a job application, but still <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/07\/24\/knowbe4_north_korean\/\" rel=\"noopener\">hired<\/a> a North Korean fake IT worker for a software engineering role on its AI team.<\/p>\n<p>It also pays to watch for new hires who ask to change their address during onboarding, or route paychecks to money transfer services. 
And, as always, restrict the use of unsanctioned remote access software and limit access to non-essential systems.<\/p>\n<p>Google-owned infosec outfit Mandiant offers <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/09\/24\/mandiant_north_korea_workers\/\" rel=\"noopener\">similar advice<\/a> on how to hire \u2013 or not hire &#8211; North Korean operatives.<\/p>\n<p>And, as several other job seekers and techies pointed out on Reddit: <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.reddit.com\/r\/technology\/comments\/1g4yy4l\/firm_hacked_after_accidentally_hiring_north\/?mid=1&amp;ref=metacurity.com#cid=2292335\">beware of cheap hires<\/a>. As with most things in life, if it sounds too good to be true, it probably is. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2024\/10\/18\/ransom_fake_it_worker_scam\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8216;My webcam isn&#8217;t working today&#8217; is the new &#8216;The dog ate my network&#8217; It&#8217;s a pattern cropping up more and more frequently: a company fills an IT contractor post, not realizing it&#8217;s mistakenly hired a North Korean operative. The phony worker almost immediately begins exfiltrating sensitive data, before being fired for poor performance. 
Then the six-figure ransom demands \u2013 accompanied by proof of the stolen files \u2013 start appearing.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-57432","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-18T04:28:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began\",\"datePublished\":\"2024-10-18T04:28:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/\"},\"wordCount\":908,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_specialfeatures\\\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/\",\"name\":\"Biz hired, and fired, a fake 
North Korean IT worker \u2013 then the ransom demands began 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_specialfeatures\\\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2024-10-18T04:28:12+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_specialfeatures\\\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_specialfeatures\\\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel 
\u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema
\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/","og_locale":"en_US","og_type":"article","og_title":"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-10-18T04:28:12+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands 
began","datePublished":"2024-10-18T04:28:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/"},"wordCount":908,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/","url":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/","name":"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2024-10-18T04:28:12+00:00","description":"ThreatsHub Cybersecurity News | 
ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/cybersecuritymonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZxHuQ-CDTKSR59YS1OTmjgAAAFc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/biz-hired-and-fired-a-fake-north-korean-it-worker-then-the-ransom-demands-began\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Biz hired, and fired, a fake North Korean IT worker \u2013 then the ransom demands began"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat 
Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57432"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57432\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}