Business Reporter

Is your best IT worker an undercover hacker?

Nick Palmer at Group-IB offers some advice on how to effectively spot and screen out would-be hackers attempting to infiltrate your business 

 

Your new hire is extremely talented. They’re punctual, passionate and productive. They may work remotely, but you’ve never had an issue with them failing to show up for the day, or leaving important work unfinished.

 

They’re also a North Korean hacker. And the money they make is going straight back to the regime. More than that, they’re using their company access to dig through your files, twist your code and even steal: money, data, and more.

 

It sounds like a scary story you’d hear from an IT chief during training, but it’s not a tall tale. There are hundreds of examples of this scenario currently playing out around the world.

 

These new infiltration campaigns are the brainchild of the state-sponsored hacking group we know as Lazarus. But in North Korea, where they’re trained and deployed, they’re just the cyber-crime unit of the regime’s military.

 

And they’re applying to your newest remote IT role.

 

 

Who’s the new guy?

This might be the latest campaign we’ve seen attributed to Lazarus Group, but it’s likely you’ve heard of them before.

 

Lazarus Group has previously been responsible for attacks on the National Bank of Bangladesh, where they stole physical cash via hacked ATMs. But after struggling to ‘wash’ the stolen funds, they switched to focus on cryptocurrency, and in February of 2025, Lazarus undertook what expert and leading journalist Geoff White describes as ‘the biggest single theft in history’, getting away with 1.5 billion dollars in a single attack on Bybit, a cryptocurrency platform.

 

Now, with Covid having increased remote working globally, they’re trying something new. Using intermediaries and proxies to collect the laptops needed to start working, North Korean hackers are dialling in remotely to become the newest members of your IT teams.

 

Why?

 

The short answer is a financial one. North Korea is under extremely heavy sanctions. Separated from the global flow of funds, they’ve had to get creative; and Lazarus Group is their response.

 

Speaking on the latest episode of the Masked Actors podcast, Geoff White explains the logic: “If you can’t get in the back door, why not try the front?”

 

By seeking out these legitimate positions, individuals aren’t only contributing their wages to these initiatives; they’re also accessing your company data, using their trusted position to infiltrate further business links, stripping your company funds, and getting access to your code, where they can wreak all kinds of havoc behind the scenes.

 

 

Employee of the month

But how are they getting by undetected? One victim reportedly lamented that the hire the FBI told them they had to terminate was ‘one of our best programmers’. Unlike phishing email scams riddled with typos and therefore easy to spot as fake, the hackers’ skill is unquestionable. 

 

In North Korea, the state’s control is absolute. If you show promise in mathematics or computing, chances are you’ll get streamed into a unit like Lazarus. If you show early signs of computing prowess, you’re trained, sponsored and moulded into an effective and efficient cyber-criminal.

 

The result is a group of hackers who have been raised and nurtured in IT skills. Making them, at least on the surface, great hires.

 

But behind the scenes, they’re not really working for you at all.

 

 

How to spot a hacker

For a company caught out by this campaign, the consequences are severe. You are dodging sanctions, however unwittingly, and now you have North Korean influence in your network.

 

Two relatively large companies have spoken out about falling victim to this scam. We know there are many more, and we’ve even heard reports that it’s impacted three of the world’s biggest.

 

Security firm KnowBe4 made headlines in 2024 after sharing their experiences, and released a step-by-step process for spotting the hackers during the interview and hiring process. And last month, Kraken, a US-based cryptocurrency company, announced that it had intercepted a similar attempt at infiltration.

 

“A culture of productive paranoia is key,” Kraken writes, discussing how it noticed its masked applicant. “In the modern era, [Security is] an organisational mindset.”

 

It’s a mindset that Lazarus expert Geoff White shared in a recent conversation on the Masked Actors podcast, saying, “You need to double down on your diligence.” Now, more than ever, cyber-security is no longer just a concern for your IT teams. It needs to be on the minds of HR managers, finance directors and everyone involved in the hiring process.

 

Ensure your screening processes are robust, and keep your staff alert to the signs: 

  • Is the address for the device different to the one on file?
  • Do their references link to personal email addresses (e.g. Gmail or Hotmail), and not official domains?
  • Do ID documents appear to be altered?
  • In a live interview, do the answers given seem to be coached? Can the candidate answer off the cuff about local sights and events?
  • Do they request to be paid in a different format than the one you agreed, e.g. with a cheque? 

 

Hire with paranoia

A lot of hackers’ success can be attributed to simply understanding the way a business’s processes work.

 

If you have your guard up and think like a hacker, you can begin to circumvent some of the more common missteps and mistakes. It can be as simple as asking yourself: what do you do, where is the money, and how would you get it if you were a masked actor? 

 

The good news is that you don’t need tech prowess for this.

 

But the bad news? However fast you notice and terminate your North Korean hire, there’s still a level of uncertainty that follows. “Have they left logic bombs in the code?” Geoff White asks. “Are there timebombs waiting to happen?”

 

As ever, the best defence is being risk-aware and proactive. The old adage comes to mind: if someone seems too good to be true, chances are they are. 

 


 

Nick Palmer is VP Global Sales at Group-IB

 

Main image courtesy of iStockPhoto.com and mikkelwilliam

Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF

23-29 Hendon Lane, London, N3 1RT

020 8349 4363

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543