The young developers are having the time of their lives. They pop open bottles of sparkling wine, eat steak dinners, play soccer together, and lounge around in a luxurious private swimming pool, all of their activity captured in photos that were later exposed online. In one picture, a man poses in front of a life-sized Minions cardboard cutout. But despite their exuberance, these are not successful Silicon Valley entrepreneurs; they’re IT workers from the Hermit Kingdom of North Korea, who infiltrate Western companies and send their wages back home.

Two members of a cluster of North Korean developers, who allegedly operated out of Southeast Asian country Laos before being relocated to Russia by the beginning of 2024, are today being identified by researchers at cybersecurity company DTEX. The men, who DTEX believes have used the personas ‘Naoki Murano’ and ‘Jenson Collins,’ are alleged to have been involved in raising money for the brutalist North Korean regime as part of the widespread IT worker epidemic, with Murano alleged to have previously been linked to a $6 million heist at crypto firm DeltaPrime last year.

For years, Kim Jong-un’s North Korea has posed one of the most sophisticated and dangerous cyber threats to Western countries and businesses, with its hackers stealing the intellectual property needed to develop its own technology, plus looting billions in crypto to evade sanctions and create nuclear weapons. In February, the FBI announced that North Korea pulled off the biggest ever crypto heist, stealing $1.5 billion from crypto exchange Bybit. Alongside its skilled hackers, Pyongyang’s IT workers, who often are based in China or Russia, trick companies into employing them as remote workers and have become an increasing menace.

“What we’re doing isn’t working, and if it is working, it’s not working fast enough,” says Michael ‘Barni’ Barnhart, a leading North Korean cyber researcher and principal investigator at DTEX. As well as identifying Murano and Collins, DTEX, in a detailed report about North Korean cyber activity, is also publishing more than 1,000 email addresses that it alleges to have been identified as linked to North Korean IT worker activity. The move is one of the largest disclosures of North Korean IT worker activity to date.

North Korea’s broad cyber operations can’t be compared with those of other hostile nations, such as Russia and China, Barnhart explains in the DTEX report, as Pyongyang operates like a “state-sanctioned crime syndicate” rather than more traditional military or intelligence operations. Everything is driven by funding the regime, developing weaponry, and gathering information, Barnhart says. “Everything is tied together in some way, shape, or form.”

The Misfits Move In

Around 2022 and 2023, DTEX claims both Naoki Murano and Jenson Collins—their real names are not known—were based in Laos and also travelled between Vladivostok, in Russia. The pair appeared among a wider group of possible North Koreans in Laos, and a cache of their photos were first exposed in an open Dropbox folder. The photos were discovered by a collective of North Korean researchers who often collaborate with Barnhart and call themselves a “Misfit” alliance. In recent weeks, they’ve posted numerous images of purported North Korean IT workers online.

North Korea’s IT workers are prolific in their activities, often trying to infiltrate multiple companies simultaneously by using stolen identities or creating false personas to try to appear legitimate. Some use freelance platforms; others try to recruit international facilitators to run laptop farms. While their online personas may be fake, the country—where millions do not have basic human rights or access to the internet—steers talented children into its education pipeline where they can become skilled developers and hackers. That means many of the IT workers and hackers are likely to know each other, potentially since they were children. Despite being technically adept, they often leave a trail of digital breadcrumbs in their wake.

Murano was first linked to North Korean operations publicly by cryptocurrency investigator ZachXBT, who published the names, cryptocurrency wallet details, and email addresses of more than 20 North Korean IT workers last year. Murano was then linked to the DeltaPrime heist in reporting by Coinbase in October.. Members of the Misfits collective have shared photos of Murano looking pleased with himself while eating steak and a picture of an alleged Japanese passport.

Meanwhile, Collins, who DTEX included in its report and who was featured in swimming pool photos included in the Dropbox folder, was most commonly involved in IT work that generated revenue for Pyongyang, says narcass3 a member of the Misfits who asked to be identified by their online handle. “He seems to have mainly just worked on crypto/blockchain projects, including one which seems to be completely DPRK backed or primarily made up of IT workers,” narcass3 says.

Evan Gordenker, a consulting senior manager at the Unit 42 threat intelligence team of cybersecurity company Palo Alto Networks, says he is familiar with the two personas identified by DTEX and other outlets and the cluster of North Korean workers that were based in Laos. The group were putting out a lot of job applications, creating fake personas, and searching for potential accomplices, the researcher says. “It seemed to me like they also enjoyed a level of autonomy that I don’t think you tend to see for some of the [IT worker] groups,” Gordenker says. “I don’t know if that’s because they generated more money and earned more privileges or just because they happened to have a group lead that operated in that way.”

An email address in Murano’s name bounced back when contacted by WIRED. Meanwhile an email address in Collins’ name did not respond to a request for comment.

Hiding in Plain Sight

Pyongyang’s IT workers have been operating for the best part of a decade, but attention on their activities has intensified in the last 12 months as Fortune 500 companies realized they have inadvertently hired North Koreans. Teams of hackers and IT workers are set “earnings quotas” by Kim Jong-un’s regime, Barnhart says, with IT workers operating from multiple different North Korean military and intelligence organizations. One IT worker that made $5,000 per month could keep $200 of it, the investigator says.

Malicious IT workers, who may be likely to steal as well as earning money, are a part of the country’s recently revealed AI organization called 227 Research Center, which is part of the the primary intelligence agency the Reconnaissance General Bureau, while others are part of teams at the Ministry of National Defense, according to a cyber organization chart published by Barnhart in the DTEX report. IT workers that solely try to generate revenue from their jobs may be part of the Munitions Industry Department, the research says.

The relatively recent uptick in scrutiny around IT workers has come amid a growing US government crackdown: In May 2023, it sanctioned North Korean company Chinyong Information Technology Cooperation Company for employing IT workers in Laos and Russia, while at the start of this year, two North Korean front companies and their China- and Laos-based bosses were sanctioned by the US Treasury Department. The Treasury said IT worker groups earn “hundreds of millions of dollars” for the regime, and thousands of IT workers are dispatched around the world.

“IT workers play the numbers game and are applying for remote roles in volume,” says Rafe Pilling, director of threat intelligence, at Sophos’ Counter Threat Unit. That means they often make errors. “They seem to operate at such a pace that they can make mistakes like leaving Github repositories of CVs and tools publicly accessible, leaving comments in code and scripts, making mistakes across CV’s that make them easier to spot as fakes, and slip-ups on camera during interviews that can reveal subterfuge.”

Alongside identifying Murano and Collins, DTEX also published more than 1,000 email addresses allegedly linked to North Korean IT worker operations that have been gathered through investigations and collaboration with researchers. Each email address has been provided by multiple sources, Barnhard says. A WIRED analysis of almost two dozen of the emails, using open-source intelligence tools and a database of material leaked online, shows few of them appear to have any signs of authentic online behavior; some email addresses are linked to online developer tools or freelancing websites, with others having very little online presence.

“There’s quite a bit of reuse of personas and some of them last years and years,” Unit 42’s Gordenker says. Others might be used just once, Gordenker says, but the scammers can quickly create new personas if needed. “You’ll see a persona that works, for instance, can sometimes have four or five, six different jobs across the lifespan.”

As more IT workers are identified, they are increasingly adopting their tactics to try to make themselves harder to spot. Multiple cybersecurity researchers have found North Koreans using face-changing software during video interviews or using AI assistants to help answer questions in real-time.

Changing Faces

The IT worker stands in the middle of the cramped room and poses for his photo. A clock on the wall reads 11:30. In the background, three other men wearing military uniforms hunch over computers. A rack of laundry appears at the back of the room in the photo, which was first published by DTEX. “There’s a lot to unpack in that one image,” Barnhart says.

Barnhart explains that while much is unknown about the photo, it reveals some details about how the group of IT workers operate. One of the men, in the far right corner of the photograph, appears to have WhatsApp messages open on his computer screen, with multiple chats ongoing. Attached to the wall above him is a surveillance camera.

“The MSS watches them so they don’t become defectors,” Barnhart says, referring to North Korea’s counterintelligence agency and secret police, the Ministry of State Security. As the men are based out of a small work space, they are likely to lower down the pecking order of IT workers and will, like their compatriots, also face digital surveillance when they use their computers, he says. Barnhart says software he has seen monitors what the IT workers type and send on their devices. “They hate it,” he says. “It sends flags out to external servers whenever sexual imagery or sexual content is talked about or if Kim Jong-un is [mentioned].” Other researchers have spotted suspected IT workers ending job interviews when asked a variation on the question: “How fat is Kim Jong-un?”

While it’s unclear where the men in the room may be physically located, there are signs that the portrait photograph of the central subject has been used to create a false persona. Subsequent images obtained by Barnhart show the man edited into different clothes and turned into a cartoon-style illustration of his face.

“It shows him messing with the hairline. It shows him altering features, it shows him basically getting his profiles ready,” Barnhart says. One of these photos—of him edited into a leather jacket—appears on the website of “Benjamin Martin,” a self-styled web3 and full-stack developer.

Aside from appearing to be the North Korean from the IT worker photo, two of the companies listed on Martin’s online CV tell WIRED they have not heard of the persona, let alone employed him. One of the firms said it was not fully incorporated during most of the time the Martin persona listed he was working there. Martin did not respond to messages sent to the email listed on the developer webpage while a Telegram account linked to a phone number on Martin’s website responded “yes” in a limited Chinese-language exchange when asked if they were a North Korean IT worker.

Ultimately, Barnhart says, people need to understand how North Korean hackers and IT workers are operating, with fluidity between groups and approaches, before significant disruption of their efforts can take place. “We need to refocus, we need to reshape,” Barnhart says. “North Korea has already moved on to their next point and now they’re subcontracting and creating another layer of obfuscation there, too.”