North Korean threat actors are once again leveraging deceptive remote work schemes to infiltrate global organizations, using fake IT worker personas to generate revenue and bypass international sanctions.
A recent investigation, triggered by cryptocurrency security researcher ZachXBT, sheds light on the infrastructure and tactics behind this evolving campaign.
ZachXBT identified the domain luckyguys[.]site as being tied to suspicious payment activity linked to DPRK-affiliated fake IT workers.
During analysis, the domain resolved to the IP address 163.245.219[.]19. Researchers examined 30 days of network traffic associated with this infrastructure, uncovering patterns consistent with previously documented North Korean operations.
Analysis of VPN connections to the identified IP showed a highly concentrated usage pattern. Astrill VPN accounted for 37.5% of connections, followed by Mullvad at 32.25% and Proton VPN at 6.25%.
The heavy reliance on Astrill VPN is particularly notable, as prior investigations by GitLab and Flare.io have linked it to DPRK IT worker activity.
Traffic patterns also revealed a sharp decline in connections immediately after public disclosure on April 8. This behavior aligns with known threat actor tactics, where infrastructure is quickly abandoned once exposed.
The investigation identified residential IP addresses from the United States and Latvia communicating with the infrastructure. Despite appearing legitimate, these IPs exhibited suspicious behavior.
The use of ChatGPT is consistent with findings from Group-IB, which reported that DPRK-linked operators increasingly rely on AI tools for coding, task automation, and communication.
Workana, a global freelance marketplace, appeared prominently in the network activity. Its focus on remote IT talent makes it an attractive platform for threat actors posing as developers or engineers.
Previous research from Nisos has documented similar tactics, where DPRK operatives create fake profiles on freelance platforms to secure employment under false identities.
Once hired, they can access internal systems, exfiltrate data, or funnel earnings back to sanctioned entities.
Further analysis of X.509 certificates linked to luckyguys[.]site revealed another IP address: 216.158.225[.]144.
Like the primary IP, this infrastructure showed a significant drop in activity following ZachXBT’s public report, reinforcing the pattern of rapid abandonment after attribution.
The combined evidence suggests a coordinated and distributed operation involving remote IT workers or facilitators. Indicators point to the use of home-based systems or “laptop farms,” enabling scalable and low-cost operations.
Organizations should consider the following risks:
Security teams are advised to audit network logs for connections to 163.245.219[.]19 and 216.158.225[.]144, including traffic originating from corporate devices.
Particular caution should also be applied to residential IPs exhibiting proxy-hosting behavior, as these may support shared malicious infrastructure.
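One way to carry out the log audit recommended above, as an added example rather than code from the article or the researchers it cites: a small Python checker that refangs the published indicators, scans a proxy/firewall log for contacts with them, groups hits by internal source address, and tallies them per day so the post-disclosure drop in activity described earlier is visible. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Indicators as published in the article (defanged "[.]" notation).
DEFANGED_IOCS = ["163.245.219[.]19", "216.158.225[.]144", "luckyguys[.]site"]

def refang(ioc: str) -> str:
    """Turn the published '[.]' notation back into a value that matches raw logs."""
    return ioc.replace("[.]", ".")

IOCS = frozenset(refang(i) for i in DEFANGED_IOCS)

# Constructed sample log in an assumed format:
# <ISO timestamp> <src_ip> <dst_ip> <dst_host or '-'> <action>
SAMPLE_LOG = """\
2025-04-06T09:12:01Z 10.20.1.15 163.245.219.19 luckyguys.site ALLOW
2025-04-06T09:15:44Z 10.20.1.15 142.250.72.46 www.google.com ALLOW
2025-04-07T22:03:10Z 10.20.4.77 216.158.225.144 - ALLOW
2025-04-09T08:00:00Z 10.20.1.15 163.245.219.19 luckyguys.site ALLOW
2025-04-09T10:30:12Z 10.20.9.3 104.16.0.1 example.org ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<action>\S+)$"
)

def find_ioc_hits(log_text: str, iocs=IOCS) -> dict:
    """Return {src_ip: [(timestamp, (matched indicators...)), ...]}.

    A line is a hit when either its destination IP or its hostname is a
    known indicator; malformed lines are skipped rather than mis-parsed.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        matched = {m["dst"], m["host"]} & iocs
        if matched:
            hits[m["src"]].append((m["ts"], tuple(sorted(matched))))
    return dict(hits)

def daily_hit_counts(hits: dict) -> dict:
    """Count indicator contacts per calendar day to expose the abandonment pattern."""
    counts = defaultdict(int)
    for entries in hits.values():
        for ts, _ in entries:
            counts[ts[:10]] += 1
    return dict(counts)

if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for src, entries in found.items():
        print(src, entries)
    print(daily_hit_counts(found))
```

Only hosts whose traffic touched an indicator appear in the result, so an empty dictionary on real logs is the clean outcome.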
This campaign underscores the increasing sophistication of North Korean cyber operations, blending social engineering, remote work exploitation, and anonymization technologies to sustain illicit revenue streams while evading detection.
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.