American duo sentenced for hosting laptop farms for North Korean IT workers


Two U.S. nationals were sentenced to 18 months in prison for running laptop farms that facilitated North Korea’s expansive remote IT workers scheme, the Justice Department said Wednesday.

Matthew Issac Knoot and Erick Ntekereze Prince both received and hosted laptops at their residences to dupe U.S. companies into thinking remote IT workers they hired were located in the country. The pair’s separate schemes impacted almost 70 U.S. companies and generated a combined $1.2 million in revenue for the North Korean regime.

“The FBI and our partners will continue to disrupt North Korea’s ability to circumvent sanctions and fund its totalitarian regime,” Brett Leatherman, lead of the FBI’s Cyber Division, said in a statement. “These cases should leave no doubt that Americans who choose to facilitate these schemes will be identified and held accountable. Hosting laptops for DPRK IT workers is a federal crime which directly impacts our national security, and these sentences should serve as a warning to anyone considering it.”

Knoot, of Nashville, Tennessee, and Prince, of New York, received the laptops from unsuspecting U.S. companies and installed remote desktop applications on the machines to enable co-conspirators to work from anywhere while appearing to be based at their respective residences.

Prince’s company Taggcar was contracted to supply IT workers to victim U.S. companies from June 2020 through August 2024. He pleaded guilty in November 2025 to wire fraud conspiracy for his yearslong involvement in the North Korean IT worker scheme. 

Prince was indicted and charged in January 2025 along with his alleged co-conspirators, who collectively obtained work for North Korean IT workers at 64 U.S. companies, earning nearly $950,000 in salary payments. 

A federal judge sentenced Prince Wednesday and ordered him to forfeit $89,000, which is the amount he netted personally. 

Knoot was arrested in August 2024, a year after the FBI searched his home. Officials said he made multiple false and misleading statements and destroyed evidence to obstruct the investigation at that time. 

Victim companies paid North Korean workers linked to Knoot’s laptop farm more than $250,000 from July 2022 to August 2023. The remote IT workers transferred those funds to Knoot and accounts associated with North Korean and Chinese nationals, officials said. 

Knoot was sentenced May 1 and ordered to pay $15,100 in restitution to the victim companies and forfeit an additional $15,100, which is equivalent to the amount of his direct take from the scheme.

The pair join a growing list of people who have been charged and jailed for supporting the regime’s scheme, which generates hundreds of millions of dollars annually for the country’s military and for organizations involved in its weapons programs.

Authorities have been cracking down on the malicious insider activity by seizing cryptocurrency linked to the theft, and targeting U.S.-based facilitators who provided forged or stolen identities and hosted laptop farms for North Korean operatives. 

The countermeasures are stacking up, but the scheme is widespread and has infiltrated an undetermined number of businesses, including hundreds of Fortune 500 companies.

Federal judges previously sentenced other people to prison for their involvement in the scheme, including Kejia Wang and Zhenxing Wang; Audricus Phagnasay, Jason Salazar and Alexander Paul Travis; and Oleksandr Didenko and Christina Chapman.

“These sentences hold accountable U.S. nationals who enabled North Korea’s illicit efforts to infiltrate U.S. networks and profit on the back of U.S. companies,” John A. Eisenberg, assistant attorney general for national security, said in a statement.

“These defendants helped North Korean ‘IT workers’ masquerade as legitimate employees, compromising U.S. corporate networks and helping generate revenue for a heavily sanctioned and rogue regime,” he added. “The National Security Division will continue to pursue those who, through deception and cyber-enabled fraud, threaten our national security.”

The post American duo sentenced for hosting laptop farms for North Korean IT workers appeared first on CyberScoop.

US nationals sentenced for aiding North Korea’s tech worker scheme

Two New Jersey men were sentenced Wednesday for facilitating North Korea’s long-running scheme to plant operatives inside U.S. businesses as employees, generating more than $5 million in illicit revenue for the regime, the Justice Department said. 

The U.S. nationals — Kejia Wang, also known as Tony Wang, and Zhenxing Wang, also known as Danny Wang — were part of a years-long conspiracy that placed operatives in jobs at more than 100 U.S. companies, including many Fortune 500 companies, based in 27 states and the District of Columbia.

The elaborate scheme involved shell companies posing as software development firms, money laundering, and espionage with national security implications. Operatives involved in the conspiracy stole sensitive files from a California-based defense contractor related to U.S. military technology controlled under International Traffic in Arms Regulations (ITAR), officials said.

“Democratic People’s Republic of Korea (DPRK) IT workers are not limited to revenue generation. When tasked, they can operationalize their placement and access to support strategic intelligence requirements, including intellectual property theft, network disruption or extortion,” Michael Barnhart, nation-state investigator at DTEX, told CyberScoop.

While most of North Korea’s scheme is focused on revenue, it sometimes applies a dual-use approach, tasking certain privileged IT workers with malicious activity aiding other state-backed hacking groups, Barnhart added.

“Not all IT workers can be hackers but every North Korean hacker can or has been an IT worker,” he said. “This distinction matters for insider‑threat analysis because unlike typical fraudulent hires motivated by personal financial gain, IT workers can inflict national‑security‑level damage.”

Kejia Wang, 42, Zhenxing Wang, 39, and their co-conspirators stole the identities of at least 80 U.S. residents to facilitate the hiring of North Korean operatives and collected at least $696,000 in fees combined, officials said. U.S. victim companies also incurred legal fees, remediation costs and other damages and losses exceeding $3 million.

Both men previously pleaded guilty to an assortment of crimes. Kejia Wang was sentenced to nine years in prison for conspiracy to commit wire and mail fraud, money laundering and identity theft. Zhenxing Wang was sentenced to 92 months in prison for conspiracy to commit wire and mail fraud and money laundering. 

The pair were also ordered to forfeit a combined $600,000, of which two-thirds has already been paid, officials said.

The conspiracy, which ran from at least 2021 through October 2024, relied in part on shell companies — Hopana Tech, Tony WKJ and Independent Lab — the men set up to create the appearance of legitimate businesses. 

“Pairing a U.S. person, a U.S. address, and a front company such as Independent Lab, the facilitators created the illusion of a legitimate domestic effort allowing the IT workers to present themselves as U.S.-based without triggering suspicion during onboarding or daily workflows,” Barnhart said. 

“Front companies can act as that middle financial flow from victim companies back to DPRK units, which then pushes funds upward through the Workers’ Party of Korea to support whichever program the unit was aligned with, whether weapons development or domestic priorities,” he added. 

These front companies reflect a higher level of tradecraft that exploits a weak spot in insider risk assessments because threats aren’t always a malicious person trying to break into a network, Barnhart said. “Sometimes it looks like an entire company appearing clean on paper.”

Authorities have responded to North Korea’s scheme by targeting U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and seizing cryptocurrency linked to theft. 

Law enforcement wins are stacking up, but researchers warn that North Korea’s operation is massive and consistently evolving. 

The sentencing of Kejia Wang and Zhenxing Wang comes less than a month after a trio of American men were sentenced for similar crimes, including the operation of laptop farms, wire fraud and identity theft. 

The Justice and Treasury Departments have also issued indictments and sanctioned people and entities allegedly involved in North Korea’s effort to send thousands of specialized technical professionals outside of the country to secure jobs under false pretenses and funnel their wages back to Pyongyang.


Trio sentenced for facilitating North Korean IT worker scheme from their homes

Three American men were sentenced Friday for crimes they committed in furtherance of North Korea’s vast scheme to get operatives hired at U.S. companies, the Justice Department said.

The trio — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — pleaded guilty in November to wire fraud conspiracy for providing U.S. identities to remote North Korean IT workers.

They hosted U.S. company-provided laptops at their homes and installed remote-access software so North Korean operatives could appear to be working in the country. The group also helped remote IT workers pass employer vetting and, in the case of Travis and Salazar, took drug tests on behalf of the North Koreans, prosecutors said.

Travis, an active-duty member of the U.S. Army at the time, received about $51,000 from the scheme. He was sentenced to one year in prison and ordered to forfeit about $193,000.

Phagnasay and Salazar pocketed about $3,500 and $4,500, respectively, and were each sentenced to three years of probation and a $2,000 fine. A federal court ordered Salazar to forfeit about $410,000 and ordered Phagnasay to forfeit nearly $682,000.

“These men practically gave the keys to the online kingdom to likely North Korean overseas technology workers seeking to raise illicit revenue for the North Korean government — all in return for what to them seemed like easy money,” Margaret Heap, U.S. attorney for the Southern District of Georgia, said in a statement. 

“These schemes present a significant challenge to our national security, and we applaud our investigative partners working to secure our digital borders,” Heap added.

The trio facilitated about $1.28 million in salary payments from victim U.S. companies from September 2019 through November 2022. Yet the financial cuts they received for their assistance were relatively small.

Officials’ countermeasures to these schemes, which ultimately launder ill-gotten money to North Korea’s government, involve the targeting of U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and the seizure of cryptocurrency linked to theft. 

Law enforcement wins on both fronts are stacking up, but researchers warn that North Korea’s operation is massive in scale and consistently evolving.

Microsoft Threat Intelligence earlier this month warned that North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s scheme – automating and improving efforts across the attack lifecycle.


Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI

North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 

AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.

Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.

Jasper Sleet is using generative AI tools to research job postings on platforms such as Upwork, and identify in-demand skills or experience requirements to align fake personas with targeted roles, Microsoft said in the report.

Researchers warned that threat groups are also “significantly improving the scale and sophistication of their social engineering and initial access operations” with AI-driven media creation for impersonations and real-time voice modulation. 

North Korean threat groups have used AI services to generate lures that mimic internal communications in multiple languages with native fluency. 

“These technologies enable threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise,” researchers wrote in the report. 

Microsoft has observed Jasper Sleet using the AI application Faceswap to insert North Korean IT workers’ faces into stolen identity documents, in some cases reusing the same AI-generated photo across multiple personas.

Jasper Sleet is also leaning on AI-enabled communications after an operative is successfully hired by a victim organization to evade detection and sustain long-term employment. Microsoft has observed North Korean remote IT workers prompting AI tools to craft professional responses, answer technical questions or generate snippets of code to meet performance expectations in unfamiliar environments.

North Korean threat groups are using AI to refine previously observed post-compromise activities, reducing the time and expertise required for decision-making, Microsoft said. These AI-powered tasks accelerate analysis of unfamiliar compromised environments, identify viable paths for lateral movement and enable operatives to blend in with legitimate activity. 

North Korean threat groups are also using AI to escalate privileges, locate and steal sensitive records or credentials, and minimize risk of detection by analyzing security controls.

Generative AI accounts for most of the threat activity involving AI, but Microsoft said a transition to agentic AI is underway.

“For threat actors, this shift could represent a meaningful change in tradecraft by enabling semi‑autonomous workflows that continuously refine phishing campaigns, test and adapt infrastructure, maintain persistence, or monitor open‑source intelligence for new opportunities,” researchers wrote in the report. 

“Microsoft has not yet observed large-scale use of agentic AI by threat actors, largely due to ongoing reliability and operational constraints,” researchers added. Yet, Microsoft warned, experiments illustrate the potential agentic AI systems pose for more advanced and damaging activity.


CrowdStrike says attackers are moving through networks in under 30 minutes

Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.

The average breakout time — how long it took financially motivated attackers to move from the initial intrusion to other systems on the network — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.

Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.

“Threat actors are exploiting those cross-domain gaps to gain access to environments, so they’re wriggling in between the seams in cloud, identity, enterprise and unmanaged network devices,” Meyers said. 

Starting from an already disadvantaged position — made worse by faster attacks and living-off-the-land techniques — defenders face burnout, stress and other factors that can lead to mistakes, he added. 

The myriad sources of these problems are spreading, too. 

CrowdStrike tracked 281 threat groups at the end of 2025, including 24 new threats it named throughout the year. Researchers at the cybersecurity firm are also tracking 150 active malicious activity clusters and emerging threat groups.

Cybercriminals seeking a payout and nation states committing espionage or implanting footholds into critical infrastructure for prolonged access are increasingly seizing on security weaknesses in cloud-based environments to break into victim networks. 

These cloud-focused attacks have seen a reported 37% year-over-year increase, with a 266% surge in this activity from nation-state threat groups.

The vast majority of attacks detected last year, 82%, were free of malware — highlighting attackers’ enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials, CrowdStrike said in the report. More than 1 in 3 incident response cases involving cloud intrusions last year were linked back to a valid or abused credential that granted attackers access, according to CrowdStrike. 

Attacks originating from or sponsored by North Korea increased 130% last year, while incidents linked to China jumped 38% during the same period.

Chinese threat groups achieved immediate system access with two-thirds of the vulnerabilities they exploited last year, and 40% of those exploits targeted edge devices.

Zero-day exploits — especially defects in edge devices such as firewalls, routers and virtual private networks — allowed nation-state and cybercrime threat groups to break into systems, execute code and escalate privileges undetected.

CrowdStrike said it observed a 42% year-over-year increase in the number of zero-day vulnerabilities exploited prior to public disclosure last year. 

Meyers said he expects that number to grow further, predicting an explosion of activity from attackers using artificial intelligence to find and exploit zero-day vulnerabilities in various products during the next three to nine months.

CrowdStrike’s annual global threat report is full of figures moving in the wrong direction, yet the most worrying finding for Meyers comes down to attacker speed.

“The speed at which we’re seeing these breakout times accelerate is one of the markers,” he said, adding that it’s only a matter of time before the fastest attacks drop down to seconds, if not milliseconds.


Ukrainian sentenced to 5 years in prison for facilitating North Korean remote worker scheme

A Ukrainian national who ran multiple operations to aid the North Korean government’s expansive scheme to hire remote IT workers at U.S. companies was sentenced to five years in prison, the Justice Department said Thursday.

Oleksandr Didenko stole U.S. citizens’ identities and created more than 2,500 fraudulent accounts on freelance IT job forums, money service transmitters, email services, and social media platforms to sell the proxy identities to North Korean workers. The 29-year-old pleaded guilty to multiple crimes related to the six-year scheme in November 2025.

Didenko ran a site, upworksell.com, to sell the stolen identities and paid co-conspirators to receive and host laptop farms in Virginia, Tennessee and California, according to court records. He managed up to 871 identities through the laptop farms and helped North Korean technical workers gain employment at 40 U.S. companies. 

Didenko funneled money from Americans and U.S. businesses into the coffers of North Korea’s hostile regime, Jeanine Pirro, U.S. attorney for the District of Columbia, said in a statement. 

“Today, North Korea is not only a threat to the homeland from afar, it is an enemy within. By using stolen and fraudulent identities, North Korean actors are infiltrating American companies, stealing information, licensing, and data that is harmful to any business,” she added. 

Officials said Didenko’s North Korean clients were paid hundreds of thousands of dollars for their work, much of which was falsely reported in the names of U.S. citizens whose identities were stolen.

“Money paid to these so-called employees goes directly to munitions programs in North Korea,” Pirro said. “This is not just a financial crime; it is a crime against national security.” 

In late 2023, following a request from one of his customers, Didenko sent a computer to a laptop farm run by Christina Chapman in Arizona, officials said. Chapman was arrested in May 2024 and sentenced to 102 months in prison for participating in the scheme.

Didenko’s site was seized following Chapman’s arrest. He was arrested by Polish police in late 2024, and later extradited to the United States. 

Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft, and agreed to forfeit more than $1.4 million as part of his sentencing. He was also ordered to pay almost $47,000 in restitution.

U.S. law enforcement has racked up some wins by seizing stolen cryptocurrency and targeting U.S.-based facilitators who provide forged or stolen identities for North Korean operatives. 

Yet, the regime’s scheme runs deep. North Korean nationals have infiltrated many top global companies, and researchers continue to uncover evidence of new tactics and techniques operatives have used to evade detection.


Google finds state-sponsored hackers use AI at ‘all stages’ of attack cycle 

A new report from Google found evidence that state-sponsored hacking groups have leveraged the AI tool Gemini at nearly every stage of the cyberattack cycle.

The research underscores how AI tools have matured in their offensive cyber capabilities, even though it does not reveal novel or paradigm-shifting uses of the technology.

John Hultquist, chief analyst at Google’s Threat Intelligence Group, told CyberScoop that many countries still appear to be experimenting with AI tools, determining where they best fit into the attack chain and provide more benefit than friction.

“Nobody’s got everything completely worked out,” Hultquist said. “They’re all trying to figure this out and that goes for attacks on AI, too.”

But the report also reveals that frontier AI models can build speed, scale and sophistication into a myriad of hacking tasks, and state-sponsored hacking groups are taking advantage.

Gemini was a useful, dynamic and convenient tool for many tasks, helping threat actors in a variety of ways. In nearly all cases, Google’s reporting suggests that state-sponsored actors relied on Gemini as one tool among many, using it for specific purposes such as automating routine processes, conducting research or reconnaissance, and experimenting with malware.

One North Korean group used it to synthesize open-source intelligence about job roles and salary information at cybersecurity and defense companies. Another North Korean group consulted it “multiple days a week” for technical support, using it to troubleshoot problems and generate new malware code when they got stuck during an operation. One Iranian APT used Gemini to “significantly augment reconnaissance” techniques against targeted victims. China, Russia, Iran and North Korea all also used Gemini to create fake articles, personas, and other assets for information operations.

“What’s so interesting about this capability is it’s going to have an effect across the entire intrusion cycle,” Hultquist said.

There are no instances of state groups using Gemini to automate large portions of a cyberattack, like the Chinese government-backed campaign identified by Anthropic last year. This suggests threat actors may still be struggling to implement fully or mostly automated hacks using AI.

Hultquist said that some state groups, particularly those focused on espionage, may not find the speed and scale advantages of agentic AI useful if it results in louder, more detectable operations. In fact, while state actors continue to experiment with AI models, he believes on average these developments will help smaller cybercriminal outfits more than state-sponsored hackers.

But that could change in the future. Frontier AI companies like Anthropic and cybersecurity startups like XBOW have already developed models with powerful defensive cybersecurity capabilities in vulnerability scanning, reconnaissance and automation. Foreign governments with similar technology could use those same features for offensive hacking, as Chinese actors did with Claude before being discovered.

In December, the UK AI Security Institute’s inaugural report on frontier AI trends found that AI capabilities are improving rapidly across all tested domains, and particularly in cybersecurity.

And the gap between frontier and free, open-source models is shrinking. According to the institute, open-source AI models can now catch up and provide similar capabilities within 4-8 months of a frontier model release.

“The duration of cyber tasks that AI systems can complete without human direction is also rising steeply, from less than 10 minutes in early 2023 to over an hour by mid-2025,” the institute said in its Frontier AI Trends Report in December.

Google’s disruption rips millions of devices out of malicious network

Millions of devices used as proxies by cybercriminals, espionage groups and data thieves have been removed from circulation following Google’s disruption of IPIDEA, a China-based residential proxy network. The reduction in available proxy devices came after Google’s Threat Intelligence Group used legal action and intelligence sharing to target the company’s domain infrastructure, Google said in a blog post Wednesday. 

Google’s action, aided by Cloudflare, Lumen’s Black Lotus Labs and Spur, impaired some of IPIDEA’s proxy infrastructure, but not all of it. The coordinated strikes against malicious infrastructure underscore the back-and-forth struggle threat hunters confront when they take out pieces of cybercriminals’ vast and growing infrastructure. 

Initial data indicates IPIDEA’s proxy network was cut by about 40%.

“We have still seen around 5 million distinct bots communicating with the IPIDEA command and control servers, so as of now they are still able to operate with a large volume of proxies,” Chris Formosa, senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, told CyberScoop Thursday.

Lumen was tracking a daily average of about 8.5 million proxies connecting to IPIDEA’s servers before some of its domains were taken offline this week. “The true population was likely closer to 10-11 million, but we could only see 8.5 million of them with our visibility,” Formosa said.

Google researchers discovered a cluster of seemingly independent proxy and virtual private network brands controlled by IPIDEA. Google found several domains also owned by IPIDEA supporting software development kits for residential proxies embedded into existing applications.

Developers who add these SDKs to their apps are paid by IPIDEA, typically on a per-download basis. “These SDKs are the key to any residential proxy network—the software they get embedded into provides the network operators with the millions of devices they need to maintain a healthy residential proxy network,” Google said in the report.

Residential proxy networks can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

“The residential proxy industry appears to be rapidly expanding, and GTIG’s research indicates that the vast majority of its growth is fueled by malicious use,” Charley Snyder, senior manager at GTIG, told CyberScoop. “GTIG found that these proxies are overwhelmingly misused by bad actors.”

Researchers said many service providers are packaging proxy malware in software that users are downloading, and unwittingly allowing proxy networks to hijack consumer bandwidth to obscure cybercrime.

Earlier this month, Google said it observed more than 550 distinct threat groups, including some from China, North Korea, Iran and Russia, using IP addresses tracked as IPIDEA exit nodes during a seven-day period. These threat groups accessed victim cloud environments and on-premises infrastructure and initiated password-spray attacks, according to Google.

Security teams and cyber authorities are placing more attention on the systems and scaffolding that support cybercrime, effectively trying to squeeze resources and place additional pressure on their activities.

“By targeting the tools criminals use rather than just the criminals themselves, defenders can impose significant costs on the ecosystem in a way that can’t easily or quickly be regenerated,” Snyder said. 

Google’s actions severed the command-and-control links between operators and millions of devices, and took down storefronts, negating the investments IPIDEA made to gain brand awareness and traction, he added. 

While Google took a big bite out of IPIDEA’s infrastructure, the fight against the company and others continues. 

“This is a very complex ecosystem with dozens, if not hundreds, of brands and shell entities,” Snyder said. “While our disruption is significant, this ecosystem is built on anonymity and shared resources. They’ve survived takedowns before, so we are pleased by the progress we’ve made but know there is more to do.”


Long-running North Korea threat group splits into 3 distinct operations

A North Korea-backed threat group operating since 2009 has splintered into three distinct groups with specialized malware and objectives, CrowdStrike said in a report released Thursday.

Labeled “Labyrinth Chollima” by the company, the group follows a divergence pattern CrowdStrike observed previously. Labyrinth Chollima has spawned two additional groups: Golden Chollima and Pressure Chollima. The spin-offs, which have been operating since 2020, allow Labyrinth Chollima to narrow its focus on espionage, targeting victims in the manufacturing, logistics, defense and aerospace industries. 

Golden Chollima and Pressure Chollima are squarely focused on stealing cryptocurrency, which funnels money back to the regime, with some of the proceeds funding North Korea’s cyber operations. Pressure Chollima, which was responsible for last year’s record-breaking $1.46 billion cryptocurrency theft, targets high-payout opportunities and has evolved into one of North Korea’s most technically advanced threat groups, according to CrowdStrike.

The groups, which share lineage with the more broadly defined Lazarus Group, share some tools and infrastructure, which indicates centralized coordination, but they’ve also developed more specialized capabilities for their specific objectives, researchers said.

As North Korea’s threat groups continue to branch out, the rogue nation is developing more capabilities and expanding its reach and impact, Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.

“What we’re seeing down range is now aligned with what we’ve seen from a bureaucratic perspective up range,” Meyers said. 

“Over time, as their mission was successful, the bureaucracy grew and the scope of the mission grew, and obviously the organization grew,” he added. “They’ve been operating a resistance economy for many, many years and cyber gives them the ability to do this deniably and at a distance.” 

CrowdStrike currently tracks eight distinct North Korea-backed threat groups, with the addition of Golden Chollima and Pressure Chollima. The cybersecurity firm expects the groups focused on cryptocurrency theft to scale their operations as international sanctions impair North Korea’s economy.

Labyrinth Chollima has more recently targeted European aerospace companies, defense manufacturers, logistics and shipping companies, and U.S.-based critical infrastructure providers, including those involved in hydroelectric power. The threat group, which other firms track as Diamond Sleet and Operation Dream Job, has also developed a knack for employment-themed social engineering, researchers said.

“North Korea is probably one of the top-notch actors out there. A lot of people don’t give them credit for that,” Meyers said.

CrowdStrike’s research on Labyrinth Chollima’s spin-offs aims to help organizations defend against these distinct threats by also providing indicators of compromise and malware samples observed in various attacks.

“You need to know who the threats are to your specific industry and geolocation, because you can’t defend against all the threats all the time,” Meyers said. “You can’t boil the ocean.”

The post Long-running North Korea threat group splits into 3 distinct operations appeared first on CyberScoop.

DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts

The Justice Department notched a few more wins in the fight against North Korean cryptocurrency heists and the regime’s expansive scheme to get remote IT workers hired at U.S. businesses. 

Officials’ countermeasures to these schemes, which ultimately launder ill-gotten money to North Korea’s government, involve the targeting of U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and the seizure of cryptocurrency linked to theft. Law enforcement wins on both fronts are stacking up.

Oleksandr Didenko, a 28-year-old Ukrainian national, pleaded guilty to wire fraud conspiracy and aggravated identity theft in the U.S. District Court for the District of Columbia Monday for stealing the identities of U.S. citizens and selling them to overseas IT workers. His years-long scheme helped North Korean IT workers gain employment at 40 U.S. companies, officials said. 

Didenko ran a site, upworksell.com, to sell stolen identities and paid co-conspirators to receive and host laptop farms in Virginia, Tennessee and California, according to court records. Didenko managed up to 871 identities through the laptop farms and collaborated with other co-conspirators in the United States.

In late 2023, following a request from one of his customers, Didenko sent a computer to a laptop farm run by Christina Chapman in Arizona, officials said. Chapman was arrested in May 2024 and sentenced to 102 months in prison for participating in the scheme.

Didenko’s site was seized following Chapman’s arrest. In late 2024, he was arrested by Polish police and later extradited to the United States. Didenko agreed to forfeit more than $1.4 million, and his sentencing is scheduled for Feb. 19, 2026.

Justice Department officials applauded other recent court case wins, demonstrating the arduous work required to find and punish those who facilitate the North Korean remote IT worker scheme.

Three U.S. nationals — Audricus Phagnasay, 24, Jason Salazar, 30, and Alexander Paul Travis, 34 — each pleaded guilty to wire fraud conspiracy in the U.S. District Court for the Southern District of Georgia Thursday for providing U.S. identities to remote North Korean IT workers. 

The trio hosted U.S. company-provided laptops at their homes and installed remote-access software so the North Korean operatives could appear to be working in the country. The group also helped remote IT workers pass employer vetting and, in the case of Travis and Salazar, took drug tests on behalf of the North Koreans, officials said.

The scheme supported by the three men facilitated about $1.28 million in salary from victim U.S. companies from September 2019 through November 2022. Yet the financial cuts for their assistance were relatively low. Travis, an active-duty member of the U.S. Army at the time, received about $51,000, while Phagnasay and Salazar pocketed about $3,500 and $4,500, respectively.

Last week, another U.S. national, 30-year-old Erick Ntekereze Prince, pleaded guilty to wire fraud conspiracy in the U.S. District Court for the Southern District of Florida for his yearslong involvement in the North Korean IT worker scheme. Prince’s company Taggcar was contracted to supply IT workers to victim U.S. companies from June 2020 through August 2024.

Officials said Prince earned more than $89,000 from the scheme, which also involved hosting company-provided laptops at Florida residences and installing remote-access software. Prince was indicted and charged in January along with his alleged co-conspirators, who collectively obtained work for North Korean IT workers at 64 U.S. companies, earning nearly $950,000 in salary payments.

The five people who pleaded guilty during the past week impacted more than 136 U.S. victim companies, officials said. Their crimes generated more than $2.2 million for North Korea’s regime and compromised the identities of at least 18 U.S. residents. 

“These actions demonstrate the department’s comprehensive approach to disrupting North Korean efforts to finance their weapons program on the backs of Americans,” John A. Eisenberg, assistant attorney general for national security, said in a statement. “The department will use every available tool to protect our nation from this regime’s depredations.”

Finally, the Justice Department said it seized more than $15 million in cryptocurrency from APT38, a nation-state hacking group with ties to North Korea. Officials said the seized funds were traced to four separate virtual currency heists in 2023.

The post DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts appeared first on CyberScoop.

North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes

The Treasury Department on Tuesday sanctioned eight people and two companies it accused of laundering money obtained from cybercrime and IT worker schemes to fund North Korean government objectives.

According to the department, over the last three years North Korea-linked cybercriminals have stolen over $3 billion, mostly in cryptocurrency. In addition, it said, North Korean IT workers are netting hundreds of millions from schemes by faking their identities. It’s all in service of goals that endanger the security of the world, Treasury said.

The bank, IT company and financial institution personnel that the Office of Foreign Assets Control placed on the sanctions list Tuesday add to an ever-growing list this calendar year of parties the United States associates with North Korean cyber activity.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said John Hurley, Treasury undersecretary for terrorism and financial intelligence. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security.”

The department designated Jang Kuk Chol and Ho Jong Son, two North Korean bankers; Korea Mangyongdae Computer Technology Company, an IT company; U Yong Su, president of that firm; and Ryujong Credit Bank, a North Korea-based financial institution. It also designated five people who work for North Korean financial institutions: Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom and Ri Jin Hyok.

The two bankers stand accused of managing cryptocurrency funds on behalf of a previously designated entity, First Credit Bank. The IT firm allegedly operates IT worker delegations from at least two cities in China. Treasury said Ryujong Credit Bank aids in avoiding sanctions between China and North Korea. The five employees are China or Russia-based North Korean representatives of the financial institutions who have allegedly facilitated illicit transactions.

Last month, a group of countries including the United States and allies in Europe and Asia published its latest report on North Korea’s evasions and violations of United Nations Security Council resolutions, this time focused on Pyongyang’s cyber and IT operations.

“The Democratic People’s Republic of Korea (DPRK or North Korea) is systematically engaged in violations of United Nations Security Council resolutions (UNSCRs) and related evasion activities through its Information Technology (IT) worker deployments and cyber operations, particularly as related to cryptocurrency theft and cryptocurrency laundering activities,” the report states. “The DPRK’s cyber force is a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”

The post North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes appeared first on CyberScoop.

Government and industry must work together to secure America’s cyber future

At this very moment, nation-state actors and opportunistic criminals are looking for any way to target Americans and undermine our national security. 

Their battlefield of choice is cyberspace.

Cybersecurity is the preeminent challenge of our time, and threats to our networks impact far more than just our data: they impact the resilience of our communities, the continuity of our economy, and the security of our homeland. 

Widespread cyber intrusions by Salt Typhoon and Volt Typhoon continue to demonstrate the Chinese Communist Party’s unrelenting quest to steal intellectual property, surveil government officials, and pre-position themselves in our nation’s critical infrastructure to disrupt our way of life at a time of their choosing. Russia, Iran, and North Korea are also probing for vulnerabilities to exploit in our networks.

Any cyberattack can cascade across the essential services that Americans rely on every day—from our airports and hospitals to water treatment facilities, internet providers, and financial systems. Making America cyber strong is not a challenge for one agency or one sector. It is a whole-of-society mission.

As chairman of the House Committee on Homeland Security, I will work with the Trump administration to ensure our nation’s risk advisor, the Cybersecurity and Infrastructure Security Agency (CISA), succeeds in its core mission of protecting federal civilian networks and the critical infrastructure that supports our daily lives. 

The private sector owns or operates most of this infrastructure, and it is no surprise that cyberattacks against these services rose more than 30 percent from 2023 to 2024. Addressing these heightened threats requires more than reactive measures. It demands a proactive cybersecurity posture built on continuous collaboration between the government and industry. 

The Trump administration and Congress must ensure the private sector has a true seat at the table as we chart a course for long-term cyber resilience. Priorities should include preserving strong information sharing, reducing the duplicative and conflicting government compliance standards on businesses, bolstering the cyber workforce, supporting our state, local, tribal, and territorial government entities, and safely harnessing emerging technologies to enhance the capabilities of our cyber defenders. 

These solutions require urgency, but as Cybersecurity Awareness Month comes to a close, the government shutdown has also allowed important cybersecurity tools to lapse. This lapse is undermining the important public-private sector relationship that underpins our collective defense. 

For the last decade, the Cybersecurity Information Sharing Act of 2015 provided an essential foundation for this partnership. The law enables industry to have honest and sensitive conversations with the federal government, and each other, about the threats facing our networks. This framework also protects the privacy and civil liberties of American citizens when cyber threat information is shared. There has been a tangible impact from these authorities: without this law, we would not know about threat actors, such as Salt Typhoon, compromising our privately-owned critical infrastructure systems. Senate Democrats must pass the House Republican clean continuing resolution to reopen the government and extend this critical authority. Then we must find a longer-term solution to preserve this cybersecurity tool while ensuring it remains relevant to the threat landscape.  

As America’s cyber professionals face heightened threats, they also face increased federal compliance standards. According to testimony before the House Committee on Homeland Security, which I now chair, “bank Chief Information Security Officers now spend 30-50 percent of their time on compliance and examiner management. The cyber teams they oversee spend as much as 70 percent of their time on those same functions.” 

Our cyber regulatory regime should incentivize meaningful security improvements and facilitate actionable information sharing. It cannot be designed in a way that drains resources or slows the ability of companies to respond to fast-moving threats. This year, the average cost of a data breach in the United States reached $10 million, roughly double that of the global average. The exorbitant cost is, in part, due to U.S. cyber regulatory costs.

Congress, in partnership with CISA and the National Cyber Director, must help harmonize duplicative and vague cybersecurity regulations across the federal government so cyber professionals spend less time on paperwork and more time doing what they do best: defending our networks.

Keeping our cyber defenders focused on our networks is vital, especially considering we already face a gap of 500,000 skilled professionals in our current workforce. Closing this gap and building a pipeline of highly skilled professionals across both public and private sectors is essential to meeting the nation’s security needs.

Where that gap persists, artificial intelligence (AI) can serve as a force multiplier for our cyber defenders. We have already seen how AI can significantly enhance threat hunting, response times, and pattern recognition in our networks. But adversaries, like China, are also investing heavily in AI to enhance their own offensive cyber operations, including attempts to compromise or weaponize AI models. That reality makes it crucial that security and safety considerations are built into every stage of AI’s development, deployment, and use.

At the same time, the federal government must avoid reactive and scattershot regulation as our nation’s AI innovators work to win the global AI race. It is important for Congress, the Department of Homeland Security, interagency partners, and the private sector to work together to ensure that we don’t fall behind our adversaries in AI innovation while safeguarding our national security and civil liberties.

Accomplishing any of these goals will depend on mutual trust and collective effort. With a new administration dedicated to restoring accountability in government, we must seize this opportunity to help rebuild Americans’ confidence in the federal cybersecurity and resilience mission.

Cybersecurity remains vital for the safety, security, and prosperity of the American people. We must decide the future of our national cyber defense before our adversaries decide it for us. 

Rep. Andrew Garbarino has represented New York’s Second Congressional District in Congress since 2021. He serves as chairman of the House Homeland Security Committee, and also serves on the House Ethics and House Financial Services Committees.

The post Government and industry must work together to secure America’s cyber future appeared first on CyberScoop.
