How Lazarus's IT Workers Scheme Was Caught Live on Camera

Dec. 21, 2025, 6:50 p.m.

Description

This report details an investigation into a North Korean infiltration operation run by the Lazarus Group's Famous Chollima division. The operation aims to place remote IT workers inside American financial and crypto/Web3 companies for corporate espionage and revenue generation. Researchers posed as potential recruits and used sandboxed environments to monitor the operators' activities in real time. The investigation revealed the group's tactics, including identity theft, social engineering, and the use of AI tools. The operators displayed poor operational security, sharing infrastructure across personas and making repeated mistakes. The report provides insights into the group's recruitment methods, toolset, and communication patterns, offering a rare inside view of their operations.

Date

  • Created: Dec. 9, 2025, 12:38 p.m.
  • Published: Dec. 9, 2025, 12:38 p.m.
  • Modified: Dec. 21, 2025, 6:50 p.m.

Indicators


Attack Patterns

  • Lazarus Group (Famous Chollima division)

Additional Information

  • Finance
  • Technologies
  • United States of America