Researchers expose North Korean scheme to “rent” developer identities

Security researchers have exposed new tactics used by North Korean IT recruiters to lure software developers into renting out their identities in exchange for a cut of illicit earnings. The operation, linked to the Chollima (also known as WageMole) subgroup of North Korea’s Lazarus organization, relies on social engineering, deepfake-assisted interviews, and compromised developer accounts to infiltrate Western companies.

Chollima operators have previously secured roles at Fortune 500 firms using stolen identities, AI-generated videos, and by avoiding live camera interviews. In some cases, they recruit real engineers willing to act as a figurehead for remote work, offering 20–35% of the salary while DPRK agents secretly perform the job.

Mauro Eldritch, a hacker and threat intelligence specialist at BCA LTD and former lead of Bitso’s Quetzal Team, has documented numerous approaches by DPRK recruiters seeking “quick-cash” developers. Recently, he spotted GitHub accounts spamming repos with offers to attend technical interviews under fake identities for about $3,000 a month, with the recruiter promising to “assist” during interviews.

Working with Heiner García of NorthScan, Eldritch set up a controlled honeypot environment using ANY.RUN’s sandbox services to observe the operation. García posed as a US-based developer, complete with a fabricated GitHub profile. After several exchanges, the recruiter demanded 24/7 AnyDesk access, full personal details including a Social Security number, and permission to use the fake persona for job applications, according to journalists at BleepingComputer, citing the report scheduled for publication later this month.

Once connected to the sandboxed machine, the threat actor began checking hardware details, configuring the browser, and verifying the system’s location. The researchers noted the connection passing through Astrill VPN, a common tool among North Korean IT impostors. By stalling the attacker (crashing the machine, creating CAPTCHA loops, and delaying responses), they were able to gather more intelligence about the operation.

The threat actor used AI-driven job-hunting extensions such as AIApply, Simplify Copilot, Final Round AI, and Saved Prompts, along with OTP bypass tools, Google Remote Desktop, and routine system reconnaissance. At one point, the recruiter accidentally synced his Google account, revealing inbox contents, job-seeking subscriptions, installed extensions, and Slack workspaces.
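The tooling observed on the honeypot (a remote-access tool such as AnyDesk or Google Remote Desktop, an Astrill VPN exit, and AI job-hunting browser extensions) is a combination a defender can hunt for on corporate endpoints. The following script is an added example, not code from the researchers or from the report; it runs a simple co-occurrence rule over constructed endpoint telemetry. The tool and extension names come from the article; the key=value log format, the `dst_org` ASN-enrichment field, the weights, and the sample hosts are assumptions made for the example.

```python
"""Hunt for the remote-access + VPN + job-hunting-extension combination on endpoints.

Indicator names are taken from the reporting above. The log format (key=value,
one event per line), the dst_org enrichment field, the weights and the sample
hosts are constructed for this example and are not from the original report.
"""
import re
from collections import defaultdict

# Indicator -> weight. Substring matches are case-insensitive.
REMOTE_ACCESS = {"anydesk": 3, "chrome remote desktop": 3, "google remote desktop": 3}
VPN_ORGS = {"astrill": 2}                       # matched against an assumed ASN/org enrichment
JOB_HUNT_EXTENSIONS = {"aiapply": 1, "simplify copilot": 1, "final round ai": 1, "saved prompts": 1}

# (category, indicator table, event types it applies to, field to inspect)
RULES = [
    ("remote_access", REMOTE_ACCESS, {"process", "extension"}, "name"),
    ("vpn", VPN_ORGS, {"netconn"}, "dst_org"),
    ("job_hunt_ext", JOB_HUNT_EXTENSIONS, {"extension"}, "name"),
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse(line):
    """Parse one key=value telemetry line (constructed format) into a dict."""
    return {key: (quoted or bare) for key, _, quoted, bare in KV_RE.findall(line)}


def _match(value, indicators):
    """Return (indicator, weight) for the first indicator found in value, else None."""
    lowered = value.lower()
    return next(((name, w) for name, w in indicators.items() if name in lowered), None)


def score_hosts(lines):
    """Aggregate indicator hits per host; each indicator counts once per host."""
    hosts = defaultdict(lambda: {"score": 0, "hits": defaultdict(list)})
    for line in lines:
        rec = parse(line)
        host, kind = rec.get("host"), rec.get("type")
        if not host:
            continue
        for category, indicators, types, field in RULES:
            if kind not in types:
                continue
            hit = _match(rec.get(field, ""), indicators)
            if hit and hit[0] not in hosts[host]["hits"][category]:
                hosts[host]["hits"][category].append(hit[0])
                hosts[host]["score"] += hit[1]
    return hosts


def flag_hosts(lines):
    """Flag hosts where a remote-access tool co-occurs with a VPN exit or job-hunting extensions.

    Requiring the combination keeps a lone AnyDesk install (IT support) from alerting.
    Returns [(host, score)] sorted by descending score.
    """
    flagged = []
    for host, info in score_hosts(lines).items():
        hits = info["hits"]
        if hits["remote_access"] and (hits["vpn"] or hits["job_hunt_ext"]):
            flagged.append((host, info["score"]))
    return sorted(flagged, key=lambda t: -t[1])


# Constructed sample telemetry (not real events).
SAMPLE_LOG = """
2025-11-02T09:12:01Z host=dev-laptop-17 type=process name=AnyDesk.exe user=jdoe
2025-11-02T09:12:05Z host=dev-laptop-17 type=netconn proc=AnyDesk.exe dst=203.0.113.10 dst_org="Astrill VPN"
2025-11-02T09:13:40Z host=dev-laptop-17 type=extension browser=chrome name="Simplify Copilot"
2025-11-02T09:13:41Z host=dev-laptop-17 type=extension browser=chrome name="Final Round AI"
2025-11-02T09:14:00Z host=dev-laptop-17 type=extension browser=chrome name="Chrome Remote Desktop"
2025-11-02T09:30:00Z host=dev-laptop-17 type=process name=AnyDesk.exe user=jdoe
2025-11-02T10:01:00Z host=build-02 type=process name=AnyDesk.exe user=itsupport
2025-11-02T10:05:00Z host=hr-pc-03 type=extension browser=chrome name="Simplify Copilot"
""".strip().splitlines()

if __name__ == "__main__":
    for host, score in flag_hosts(SAMPLE_LOG):
        hits = score_hosts(SAMPLE_LOG)[host]["hits"]
        print(f"{host}: score={score} {dict(hits)}")
```

Only `dev-laptop-17` is flagged: `build-02` has AnyDesk alone and `hr-pc-03` has one job-hunting extension alone, neither of which is suspicious by itself. In a real deployment the `dst_org` field would come from ASN enrichment in the SIEM, and the extension inventory from the browser's extension settings collected by the EDR.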

According to Eldritch and García, the operation appeared to involve a six-person Chollima team using the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo, though other teams with up to ten members may run parallel efforts and even compete for recruits.
