How Lazarus's IT Workers Scheme Was Caught Live on Camera

Published 09/12/2025 12:38 · Modified 21/12/2025 18:50

Essential information

Published
09/12/2025 12:38
Modified
21/12/2025 18:50
Tags
2025-12-09, corporate espionage, cryptocurrency, identity theft, it worker infiltration, north korea, sandbox analysis, social engineering
Related entities
12 observables, 1 intrusion sets (apt), 7 techniques (mitre), 3 others

Description

This report details an investigation into a North Korean infiltration operation by the Lazarus Group's Famous Chollima division. The operation aims to deploy remote IT workers in American financial and crypto/Web3 companies for and funding. Researchers posed as potential recruits and used sandboxed environments to monitor the operators' activities in real time. The investigation revealed the group's tactics, including , , and the use of AI tools. The operators displayed poor operational security, sharing infrastructure and making repeated mistakes. The report provides insights into the group's recruitment methods, toolset, and communication patterns, offering a rare inside view of their operations.

External references