Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure

April 27, 2026, 2:32 p.m.

Description

Investigation of DPRK-linked fake IT worker infrastructure began after cryptocurrency researcher ZachXBT identified the domain luckyguys[.]site as connected to illicit payments. Analysis of 30 days of network activity associated with IP 163.245.219[.]19 revealed concentrated VPN usage patterns, with Astrill VPN (37.5%), Mullvad (32.25%), and Proton VPN (6.25%) being prominent. American and Latvian residential IPs communicated with the infrastructure, showing frequent Astrill VPN usage and connectivity to Gmail, ChatGPT, and the Workana freelance platform. A second IP, 216.158.225[.]144, was discovered through X.509 certificate analysis. Traffic dropped sharply following public exposure, consistent with adversary behavior of abandoning attributed infrastructure. The activity suggests a distributed network of remote IT workers participating in sanctions evasion workflows, leveraging AI tools and freelance platforms to obtain employment under false identities.

Date

  • Created: April 23, 2026, 3:27 a.m.
  • Published: April 23, 2026, 3:27 a.m.
  • Modified: April 27, 2026, 2:32 p.m.

Indicators

  • 216.158.225.144
  • https://flare.io/learn/resources/north-korean-infiltrator-threat

Additional Information

  • Finance
  • Technology
  • luckyguys.site
  • Latvia
  • United States of America