thehackernews.com 2/10/2026, 6:00:50 PM

DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies

DPRK operatives are now applying to remote roles using real LinkedIn accounts of people they impersonate, a tactic described by Security Alliance (SEAL) as part of a long-running campaign to infiltrate Western and other companies. These profiles reportedly come with verified workplace emails and identity badges, with the actors aiming to make their fraudulent applications look legitimate.

The operation, also tracked as Jasper Sleet, PurpleDelta and Wagemole by the cybersecurity community, funds the regime’s weapons programmes and may involve espionage or ransom demands to avoid disclosure. Separate but related activity includes Contagious Interview, a social-engineering campaign that uses fake hiring flows and LinkedIn recruitment lures, in which attackers have asked candidates to clone a GitHub repository in order to trigger malware.

Additional variants involve Koalemos, a modular JavaScript RAT deployed via npm packages, and the use of tools like EtherHiding to complicate tracing of stolen cryptocurrency proceeds. The Norwegian Police Security Service (PST) noted several cases of North Korean IT workers masquerading as staff in Norwegian firms, while researchers describe shared infrastructure and cross-pollination across Labyrinth Chollima clusters, Golden Chollima and Pressure Chollima, underscoring coordinated DPRK activity.

According to Security Alliance, victims are advised to verify that the accounts candidates present are controlled by the stated company email, and to ask candidates to connect directly on LinkedIn to confirm ownership of the profile.


Article by CyberSIXT