
The FBI has issued a warning about emerging threats from North Korean IT specialists who exploit remote access to steal source code and extort money from companies in the United States and worldwide. The agency has urged both private and public sector organizations to remain vigilant, highlighting that the actions of North Korea’s so-called “IT army” facilitate cybercrimes and blackmail.
These specialists from North Korea have been copying corporate repositories, including those hosted on GitHub, to their personal cloud storage accounts. While such practices are common among developers, in this context, they pose a significant risk to the security of corporate data. The attackers may also attempt to access sensitive information, such as credentials and session cookies, to compromise corporate systems.
Self-styled “IT warriors” from North Korea connect to corporate networks via “laptop farms” registered in the United States. In some cases, after being terminated—or even during employment—they use stolen insider information to blackmail former employers, threatening to release sensitive data.
These North Korean IT specialists are expanding their operations, infiltrating major organizations and exporting their expertise to other markets, including Europe. Furthermore, the use of virtual desktops instead of physical hardware by remote employees allows them to better conceal their activities.
The FBI advises companies to limit employee privileges, disable local administrator accounts, and closely monitor network traffic and remote connections, particularly when access occurs from multiple IP addresses within a short timeframe. Organizations should also thoroughly inspect network logs and browser sessions for indications of data leaks through shared drives, cloud storage, and private code repositories.
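
The multiple-IP check recommended above can be run over remote-access logs as in the following sketch. It is an added example, not code from the FBI advisory or this article; the log format, the account names, the 30-minute window and the three-address threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data): "ISO-timestamp user source-ip".
# The format is an assumption; adapt parse() to your VPN/VDI/SSO log export.
SAMPLE_LOG = """\
2025-01-20T09:00:05 alice 192.0.2.10
2025-01-20T09:02:11 contractor7 198.51.100.4
2025-01-20T09:10:40 contractor7 203.0.113.77
2025-01-20T09:14:02 alice 192.0.2.10
2025-01-20T09:21:30 contractor7 198.51.100.200
2025-01-20T13:45:00 bob 192.0.2.55
2025-01-20T18:30:00 bob 203.0.113.9
malformed line
"""

def parse(log_text):
    """Yield (timestamp, user, ip) tuples, skipping lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def multi_ip_accounts(events, window=timedelta(minutes=30), min_ips=3):
    """Return {user: sorted IPs} for accounts seen from at least `min_ips`
    distinct source addresses inside any sliding `window` (assumed defaults)."""
    recent = defaultdict(deque)   # user -> (timestamp, ip) pairs still in window
    flagged = {}
    for ts, user, ip in sorted(events):
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        ips = {addr for _, addr in q}
        if len(ips) >= min_ips:
            flagged.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in multi_ip_accounts(parse(SAMPLE_LOG)).items():
        print(f"review {user}: {len(ips)} source IPs within 30 minutes: {ips}")
```

A hit is a prompt for review, not proof of misuse: mobile networks and VPN egress rotation also produce several addresses per account, so tune the window and threshold against a baseline of normal staff behaviour.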
To strengthen remote hiring practices, the FBI recommends verifying the identities of candidates during interviews and onboarding processes, as well as cross-checking resumes for recurring details or overlapping contact information. The agency also warns that North Korean IT workers have begun using deepfakes to conceal their identities during video interviews.
Organizations should pay particular attention to changes in payment details and contact information provided by employees during the hiring process, as attackers often reuse the same email addresses and phone numbers across multiple resumes. Additional recommendations include partnering with reputable recruitment agencies, conducting in-person interview stages, and performing detailed checks of candidates’ education and work history.