North Korean IT Worker Scheme: How DPRK Operatives Infiltrate Companies to Fund Weapons Programs

dark6 24 April 2026
North Korea has been running one of the most quietly effective and financially productive cyber fraud operations in recent years. State-sponsored operatives working for the Pyongyang regime have been systematically posing as legitimate remote IT workers to gain employment at companies around the world, funneling their salaries directly back to fund the country’s weapons programs. A new investigation by Team Cymru, building on earlier work by cryptocurrency researcher ZachXBT, has revealed the technical infrastructure underpinning this operation and how it continues to evolve despite escalating law enforcement pressure.

An Operation Nine Years in the Making

Active since at least 2017, this scheme — tracked under the names Coral Sleet, PurpleDelta, and Wagemole by various threat intelligence teams — has grown into a multi-continent operation targeting companies across North America and Europe. The operatives rely on stolen identities, fabricated resumes, and fake professional credentials to land remote software development jobs. During interviews, they frequently redirect from video calls to phone or text formats, citing technical difficulties, while an accomplice appears on camera in their place.

Individual operatives can earn up to $300,000 per year in salary. The Pyongyang regime retains as much as 90 percent of these earnings, directing the funds toward missile development and weapons of mass destruction programs. In effect, any company that unknowingly hires one of these operatives is indirectly bankrolling North Korea’s weapons programs.

The Technical Infrastructure Exposed

Team Cymru’s investigation was triggered by ZachXBT’s identification of the domain luckyguys[.]site as linked to payments connected to DPRK-associated fake IT workers. At the time of analysis, that domain resolved to IP address 163.245.219[.]19. Thirty days of network traffic analysis tied to this infrastructure revealed the operational mechanics of the scheme in detail.

Operatives rely heavily on commercial VPN services to mask their true location in North Korea or China, making their internet traffic appear to originate from within the United States:

  • Astrill VPN: Used by 37.5 percent of observed traffic.
  • Mullvad: Accounted for 32.25 percent of traffic.
  • Proton VPN: Seen in 6.25 percent of traffic.

Network analysis also revealed connections to Gmail, ChatGPT, and Workana — a freelance platform that has become a notable channel through which threat actors seek remote employment under false identities.

Laptop Farms and Residential IP Deception

One of the most operationally significant aspects of the scheme is how operatives deceive employers about their physical location. American and Latvian residential IP addresses were observed communicating with the identified infrastructure during the investigation period. This strongly suggests the use of laptop farms — physical laptops provided by employers that are placed at residences managed by U.S.-based facilitators who route the traffic on behalf of the overseas operatives.

When the luckyguys[.]site domain was publicly attributed by researchers, network traffic dropped sharply almost immediately — confirming that the operators actively monitor for exposure and rapidly cycle through infrastructure once it is identified. This rapid infrastructure abandonment is a well-documented DPRK operational pattern.

Escalating Extortion and Regulatory Response

Since late 2024, as law enforcement pressure has increased, North Korean IT workers have escalated their tactics significantly. Before departing compromised positions, some operatives have stolen sensitive data and source code from employers, then demanded ransom payments to prevent its public release. This adds an extortion dimension to what was previously a purely revenue-generating scheme.

In March 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned six individuals and two entities for direct involvement in these operations. Despite this, the scheme continues to operate and expand into new industries.

How Organizations Can Protect Themselves

Based on Team Cymru’s findings, organizations — particularly those hiring remote developers — should take the following precautions:

  • Treat residential IP addresses as potentially suspicious rather than automatically trustworthy, especially those exhibiting proxy-hosting behavior.
  • Flag VPN usage from providers with known DPRK associations (Astrill, Mullvad) as an elevated risk signal during onboarding and access review.
  • Scrutinize freelance hiring pipelines and global platform hires more rigorously, particularly for roles requiring access to sensitive code or infrastructure.
  • Investigate any network traffic connecting to IP addresses 216.158.225[.]144 or 163.245.219[.]19.
  • Implement video verification requirements for remote hiring that cannot be easily spoofed, and consider in-person verification for positions with elevated access.
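As an added defensive example (not code from the article or from Team Cymru), the following Python triages access-log lines against the two IP addresses the article names and against a VPN-egress lookup, ranking which accounts deserve an access review. The log format, user names, and the VPN prefix ranges are all constructed placeholders; the real egress ranges would come from a VPN/proxy intelligence feed.

```python
import ipaddress
import re

# IoCs quoted in the article (defanged there; un-defanged here for matching).
DPRK_IOC_IPS = {"216.158.225.144", "163.245.219.19"}

# CONSTRUCTED sample enrichment: documentation prefixes standing in for VPN
# egress ranges. Not real provider allocations; load real ones from a feed.
VPN_EGRESS = {
    ipaddress.ip_network("203.0.113.0/24"): "Astrill VPN",
    ipaddress.ip_network("198.51.100.0/24"): "Mullvad",
    ipaddress.ip_network("192.0.2.0/24"): "Proton VPN",
}
# Providers the article singles out as an elevated-risk signal.
HIGH_RISK_VPN = {"Astrill VPN", "Mullvad"}

# Constructed log format: ts user= src= dst= action=
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)

def vpn_provider(ip):
    """Return the VPN provider name for an egress IP, or None if not a known VPN."""
    addr = ipaddress.ip_address(ip)
    for net, name in VPN_EGRESS.items():
        if addr in net:
            return name
    return None

def triage(lines):
    """Return (user, reason) findings for each access-log line that matches a signal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        user, src, dst = m["user"], m["src"], m["dst"]
        if dst in DPRK_IOC_IPS:
            findings.append((user, f"traffic to published DPRK IoC {dst}"))
        prov = vpn_provider(src)
        if prov in HIGH_RISK_VPN:
            findings.append((user, f"login from {prov} egress {src}"))
        elif prov:
            findings.append((user, f"login from VPN ({prov})"))
    return findings

# Constructed sample log lines for a stand-alone run.
SAMPLE_LOGS = [
    "2026-04-20T09:12:01Z user=jdoe src=203.0.113.45 dst=10.0.0.8 action=ssh_login",
    "2026-04-20T09:13:44Z user=jdoe src=203.0.113.45 dst=163.245.219.19 action=https",
    "2026-04-20T10:02:10Z user=asmith src=198.51.100.7 dst=10.0.0.8 action=vpn_login",
    "2026-04-20T10:30:00Z user=bkim src=192.0.2.9 dst=10.0.0.8 action=ssh_login",
    "2026-04-20T11:00:00Z user=clee src=100.64.1.2 dst=10.0.0.8 action=ssh_login",
    "not a log line",
]

if __name__ == "__main__":
    for user, reason in triage(SAMPLE_LOGS):
        print(f"{user}: {reason}")
```

A finding is a prompt for an access review, not proof of anything; a Mullvad user may simply be privacy-conscious, which is why the article frames VPN use as an elevated-risk signal rather than a verdict.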
