North Korean IT Workers Employed at Western Firms Now Extorting Ransom for Stolen Data

North Korean IT workers, who secure employment at Western companies using false identities, are now not only stealing intellectual property but also demanding ransoms to avoid leaking it—a new escalation in their financially driven attacks.

According to an analysis by Secureworks Counter Threat Unit (CTU), “In some cases, these fraudulent workers have extorted former employers after gaining insider access, a tactic not previously observed.” In one instance, a contractor stole proprietary data shortly after starting employment in mid-2024.

The cybersecurity firm noted that this activity is reminiscent of tactics used by the threat group Nickel Tapestry, also known as Famous Chollima and UNC5267.

The fraudulent IT worker scheme, designed to advance North Korea’s strategic and financial interests, is an insider threat operation aimed at infiltrating Western companies to generate illicit revenue for the sanctions-hit nation.

These North Korean operatives are often sent to countries like China and Russia, where they pose as freelancers seeking job opportunities. In some cases, they have stolen the identities of legitimate U.S. residents to achieve their objectives.

A common tactic involves requesting changes to the delivery addresses of company-issued laptops so that they are rerouted to intermediaries at ‘laptop farms.’ These intermediaries, paid by foreign-based facilitators, install remote desktop software, enabling North Korean actors to access the devices.

In some instances, multiple contractors are hired by the same company, or a single individual assumes multiple fake identities. Secureworks also reported instances where fraudulent contractors asked to use their own personal laptops, or manipulated delivery addresses mid-shipment, causing companies to cancel laptop deliveries entirely.
