FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers

The FBI has issued a critical warning to organizations in the United States and globally, cautioning against North Korean IT workers infiltrating companies to steal sensitive data, extort employers, and facilitate cybercriminal activities. These operatives, often referred to as “IT warriors,” disguise their identities to secure remote employment, leveraging their access to exfiltrate source code and other proprietary information.

The FBI revealed that North Korean operatives frequently upload company code repositories, such as GitHub data, to personal profiles and cloud accounts, posing significant risks of intellectual property theft. Additionally, they exploit credentials and session cookies to access company systems from unauthorized devices, increasing the potential for further network compromises.

Recommendations for Mitigation
To counteract these threats, the FBI has advised organizations to implement robust security measures, including:

  • Applying the Principle of Least Privilege: Restricting permissions for remote desktop applications and disabling local administrator accounts.
  • Monitoring Network Activity: Paying attention to unusual traffic patterns, especially remote logins from diverse IP addresses within short timeframes.
  • Reviewing Logs: Examining network logs and browser sessions for signs of data exfiltration through shared drives, cloud accounts, and private repositories.
  • Strengthening Hiring Processes: Verifying applicant identities during interviews, cross-checking HR systems for duplicate resumes, and ensuring third-party staffing firms follow stringent hiring practices.
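The network-monitoring recommendation above (remote logins from diverse IP addresses within short timeframes) can be turned into a simple log check. The following is an added example, not code from the FBI advisory or this article; the log format, the 30-minute window, and the three-address threshold are assumptions to adapt to your own authentication logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, account, source IP (documentation address ranges).
SAMPLE_LOG = """\
2025-01-20T09:00:05Z alice 198.51.100.10
2025-01-20T09:02:11Z dev7 203.0.113.5
2025-01-20T09:09:40Z dev7 198.51.100.77
2025-01-20T09:15:02Z dev7 192.0.2.44
2025-01-20T13:30:00Z alice 198.51.100.10
2025-01-20T17:45:00Z bob 192.0.2.9
2025-01-21T08:10:00Z bob 203.0.113.80
"""

def parse(text):
    """Yield (timestamp, user, ip) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, ip = parts
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip

def flag_ip_churn(events, window=timedelta(minutes=30), max_ips=3):
    """Return {user: (first_alert_time, sorted_ips)} for accounts that log in
    from at least max_ips distinct addresses inside one sliding window."""
    recent = defaultdict(deque)   # per-user logins still inside the window
    alerts = {}
    for ts, user, ip in sorted(events):
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:   # drop logins older than the window
            q.popleft()
        ips = {addr for _, addr in q}
        if len(ips) >= max_ips and user not in alerts:
            alerts[user] = (ts, sorted(ips))
    return alerts

if __name__ == "__main__":
    for user, (ts, ips) in flag_ip_churn(parse(SAMPLE_LOG)).items():
        print(f"{ts.isoformat()} {user}: {len(ips)} source IPs in window: {', '.join(ips)}")
```

Accounts that legitimately roam (VPN exit changes, mobile networks) will also trip this check, so treat a hit as a prompt to review the session rather than a verdict.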

Challenges in Detection
North Korean IT operatives have been known to use advanced technologies, such as AI and face-swapping tools, to mask their identities during interviews. They also reuse email addresses and phone numbers across multiple resumes. Companies are encouraged to use soft interview questions to verify applicants’ backgrounds and conduct in-person onboarding whenever possible.

Expanding Operations and Global Impact
The FBI’s announcement comes amid increasing evidence of North Korea’s IT workforce infiltrating larger organizations. These operatives have used insider knowledge to extort former employers, threatening to leak stolen data.

Recent investigations have revealed that North Korean operatives are exploiting virtual desktop infrastructure (VDI) used by companies for remote employees, allowing them to conceal malicious activities more effectively. Law enforcement dismantled laptop farms in Nashville and Arizona this year, which North Korean IT workers used to simulate U.S.-based operations.

Broader Implications
The United States, South Korea, and Japan have collectively identified North Korean state-sponsored hacking groups as responsible for stealing over $659 million in cryptocurrency during 2024 alone. In addition to IT infiltration, these groups have engaged in large-scale financial crimes to fund the North Korean regime.

The U.S. State Department is offering significant rewards for information leading to the disruption of North Korean front companies involved in these schemes. Similar alerts have been issued by South Korean and Japanese authorities, highlighting the global scope of this threat.

Legal Action
The Justice Department recently indicted two North Korean nationals and three collaborators for their roles in a multi-year fraudulent remote IT work scheme. This operation allowed them to secure employment at 64 U.S. companies between 2018 and 2024.

As North Korea expands its operations into new territories, organizations must remain vigilant against these sophisticated threats and prioritize cybersecurity measures to safeguard sensitive data and systems.
