A malicious dependency the attackers added to over 140 Mastra packages fetches a payload targeting cryptocurrency extensions.

The post North Korean Hackers Blamed for Mastra NPM Supply Chain Attack appeared first on SecurityWeek.

Two U.S. nationals were sentenced to 18 months in prison for running laptop farms that facilitated North Korea’s expansive remote IT workers scheme, the Justice Department said Wednesday.

Matthew Issac Knoot and Erick Ntekereze Prince both received and hosted laptops at their residences to dupe U.S. companies into thinking remote IT workers they hired were located in the country. The pair’s separate schemes impacted almost 70 U.S. companies and generated a combined $1.2 million in revenue for the North Korean regime.

“The FBI and our partners will continue to disrupt North Korea’s ability to circumvent sanctions and fund its totalitarian regime,” Brett Leatherman, lead of the FBI’s Cyber Division, said in a statement. “These cases should leave no doubt that Americans who choose to facilitate these schemes will be identified and held accountable. Hosting laptops for DPRK IT workers is a federal crime which directly impacts our national security, and these sentences should serve as a warning to anyone considering it.”

Knoot, of Nashville, Tennessee, and Prince, of New York, received the laptops from unsuspecting U.S. companies and installed remote desktop applications on the machines to enable co-conspirators to work from anywhere while appearing to be based at their respective residences.

Prince’s company Taggcar was contracted to supply IT workers to victim U.S. companies from June 2020 through August 2024. He pleaded guilty in November 2025 to wire fraud conspiracy for his yearslong involvement in the North Korean IT worker scheme. 

Prince was indicted and charged in January 2025 along with his alleged co-conspirators, who collectively obtained work for North Korean IT workers at 64 U.S. companies, earning nearly $950,000 in salary payments. 

A federal judge sentenced Prince Wednesday and ordered him to forfeit $89,000, which is the amount he netted personally. 

Knoot was arrested in August 2024, a year after the FBI searched his home. Officials said he made multiple false and misleading statements and destroyed evidence to obstruct the investigation at that time. 

Victim companies paid North Korean workers linked to Knoot’s laptop farm more than $250,000 from July 2022 to August 2023. The remote IT workers transferred those funds to Knoot and accounts associated with North Korean and Chinese nationals, officials said. 

Knoot was sentenced May 1 and ordered to pay $15,100 in restitution to the victim companies and forfeit an additional $15,100, which is equivalent to the amount of his direct take from the scheme.

The pair of North Korean operatives join a growing list of people who have been charged and jailed for supporting the regime’s scheme that generates hundreds of millions of dollars annually for the country’s military and organizations involved in its weapons programs.

Authorities have been cracking down on the malicious insider activity by seizing cryptocurrency linked to the theft, and targeting U.S.-based facilitators who provided forged or stolen identities and hosted laptop farms for North Korean operatives. 

The countermeasures are stacking up, but the scheme is widespread and has infiltrated an undetermined number of businesses, including hundreds of Fortune 500 companies.

Federal judges previously sentenced other people to prison for their involvement in the scheme, including Keija Wang and Zhenxing Wang; Audricus Phagnasay, Jason Salazar and Alexander Paul Travis; Oleksandr Didenko and Christina Chapman. 

“These sentences hold accountable U.S nationals who enabled North Korea’s illicit efforts to infiltrate U.S. networks and profit on the back of U.S. companies,” John A. Eisenberg, assistant attorney general for national security, said in a statement. 

“These defendants helped North Korean ‘IT workers’ masquerade as legitimate employees, compromising U.S. corporate networks and helping generate revenue for a heavily sanctioned and rogue regime,” he added. “The National Security Division will continue to pursue those who, through deception and cyber-enabled fraud, threaten our national security.”

The post American duo sentenced for hosting laptop farms for North Korean IT workers appeared first on CyberScoop.

The campaigns focus on financial organizations, including cryptocurrency, venture capital, and blockchain entities.

The post North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks appeared first on SecurityWeek.

The hackers targeted LayerZero’s DVN, compromising certain RPCs and DDoSing others to trigger failover to the poisoned infrastructure.  

The post $290 Million Kelp DAO Crypto Heist Blamed on North Korea appeared first on SecurityWeek.

Kejia Wang and Zhenxing Wang compromised the identities of dozens of US persons to help land jobs at over 100 companies.

The post Two North Korean IT Worker Scheme Facilitators Jailed in the US appeared first on SecurityWeek.

Two New Jersey men were sentenced Wednesday for facilitating North Korea’s long-running scheme to plant operatives inside U.S. businesses as employees, generating more than $5 million in illicit revenue for the regime, the Justice Department said. 

The U.S. nationals — Kejia Wang, also known as Tony Wang, and Zhenxing Wang, also known as Danny Wang — were part of a years-long conspiracy that placed operatives in jobs at more than 100 U.S. companies, including many Fortune 500 companies, based in 27 states and the District of Columbia.

The elaborate scheme involved shell companies posing as software development firms, money laundering, and espionage with national security implications. Operatives involved in the conspiracy stole sensitive files from a California-based defense contractor related to U.S. military technology controlled under International Traffic in Arms Regulations (ITAR), officials said.

“Democratic People’s Republic of Korea (DPRK) IT workers are not limited to revenue generation. When tasked, they can operationalize their placement and access to support strategic intelligence requirements, including intellectual property theft, network disruption or extortion,” Michael Barnhart, nation state investigator at DTEX, told CyberScoop.

While most of North Korea’s scheme is focused on revenue, it sometimes applies a dual-use approach, tasking certain privileged IT workers with malicious activity aiding other state-backed hacking groups, Barnhart added.

“Not all IT workers can be hackers but every North Korean hacker can or has been an IT worker,” he said. “This distinction matters for insider‑threat analysis because unlike typical fraudulent hires motivated by personal financial gain, IT workers can inflict national‑security‑level damage.”

Kejia Wang, 42, Zhenzing Wang, 39, and their co-conspirators stole the identities of at least 80 U.S. residents to facilitate the hiring of North Korean operatives and collected at least $696,000 in fees combined, officials said. U.S. victim companies also incurred legal fees, remediation costs and other damages and losses exceeding $3 million. 

Both men previously pleaded guilty to an assortment of crimes. Kejia Wang was sentenced to nine years in prison for conspiracy to commit wire and mail fraud, money laundering and identity theft. Zhenxing Wang was sentenced to 92 months in prison for conspiracy to commit wire and mail fraud and money laundering. 

The pair were also ordered to forfeit a combined $600,000, of which two-thirds has already been paid, officials said.

The conspiracy, which ran from at least 2021 through October 2024, relied in part on shell companies — Hopana Tech, Tony WKJ and Independent Lab — the men set up to create the appearance of legitimate businesses. 

“Pairing a U.S. person, a U.S. address, and a front company such as Independent Lab, the facilitators created the illusion of a legitimate domestic effort allowing the IT workers to present themselves as U.S.-based without triggering suspicion during onboarding or daily workflows,” Barnhart said. 

“Front companies can act as that middle financial flow from victim companies back to DPRK units, which then pushes funds upward through the Workers’ Party of Korea to support whichever program the unit was aligned with, whether weapons development or domestic priorities,” he added. 

These front companies reflect a higher level of tradecraft that exploits a weak spot in insider risk assessments because threats aren’t always a malicious person trying to break into a network, Barnhart said. “Sometimes it looks like an entire company appearing clean on paper.”

Authorities have responded to North Korea’s scheme by targeting U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and seizing cryptocurrency linked to theft. 

Law enforcement wins are stacking up, but researchers warn that North Korea’s operation is massive and consistently evolving. 

The sentencing of Kejia Wang and Zhenxing Wang comes less than a month after a trio of American men were sentenced for similar crimes, including the operation of laptop farms, wire fraud and identity theft. 

The Justice and Treasury Departments have also issued indictments and sanctioned people and entities allegedly involved in North Korea’s effort to send thousands of specialized technical professionals outside of the country to secure jobs under false pretenses and funnel their wages back to Pyongyang.

You can read the full indictments against Kejia Wang and Zhenxing Wang below.

The post US nationals sentenced for aiding North Korea’s tech worker scheme appeared first on CyberScoop.

Three American men were sentenced Friday for crimes they committed in furtherance of North Korea’s vast scheme to get operatives hired at U.S. companies, the Justice Department said.

The trio — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — pleaded guilty in November to wire fraud conspiracy for providing U.S. identities to remote North Korean IT workers.

They hosted U.S. company-provided laptops at their homes and installed remote-access software so North Korean operatives could appear to be working in the country. The group also helped remote IT workers pass employer vetting and, in the case of Travis and Salazar, took drug tests on behalf of the North Koreans, prosecutors said.

Travis, an active-duty member of the U.S. Army at the time, received about $51,000 from the scheme. He was sentenced to one year in prison and ordered to forfeit about $193,000.

Phagnasay and Salazar each pocketed about $3,500 and $4,500, respectively, and were both sentenced to three years of probation and a $2,000 fine.  A federal court ordered Salazar to forfeit about $410,000 and ordered Phagnasay to forfeit nearly $682,000.

“These men practically gave the keys to the online kingdom to likely North Korean overseas technology workers seeking to raise illicit revenue for the North Korean government — all in return for what to them seemed like easy money,” Margaret Heap, U.S. attorney for the Southern District of Georgia, said in a statement. 

“These schemes present a significant challenge to our national security, and we applaud our investigative partners working to secure our digital borders,” Heap added.

The trio facilitated about $1.28 million in salary from victim U.S. companies from September 2019 through November 2022. Yet, the financial cuts for their assistance was relatively low.

Officials’ countermeasures to these schemes, which ultimately launder ill-gotten money to North Korea’s government, involve the targeting of U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and the seizure of cryptocurrency linked to theft. 

Law enforcement wins on both fronts are stacking up, but researchers warn that North Korea’s operation is massive in scale and consistently evolving.

Microsoft Threat Intelligence earlier this month warned that North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s scheme – automating and improving efforts across the attack lifecycle.

The post Trio sentenced for facilitating North Korean IT worker scheme from their homes appeared first on CyberScoop.

North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 

AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.

Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.

Jasper Sleet is using generative AI tools to research job postings on platforms such as Upwork, and identify in-demand skills or experience requirements to align fake personas with targeted roles, Microsoft said in the report.

Researchers warned that threat groups are also “significantly improving the scale and sophistication of their social engineering and initial access operations” with AI-driven media creation for impersonations and real-time voice modulation. 

North Korean threat groups have used AI services to generate lures that mimic internal communications in multiple languages with native fluency. 

“These technologies enable threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise,” researchers wrote in the report. 

Microsoft has observed Jasper Sleet using the AI application Faceswap to insert North Korean IT workers’ faces into stolen identity documents, in some cases reusing the same AI-generated photo across multiple personas.

Jasper Sleet is also leaning on AI-enabled communications after an operative is successfully hired by a victim organization to evade detection and sustain long-term employment. Microsoft has observed North Korean remote IT workers prompting AI tools to craft professional responses, answer technical questions or generate snippets of code to meet performance expectations in unfamiliar environments.

North Korean threat groups are using AI to refine previously observed post-compromise activities, reducing the time and expertise required for decision-making, Microsoft said. These AI-powered tasks accelerate analysis of unfamiliar compromised environments, identify viable paths for lateral movement and enable operatives to blend in with legitimate activity. 

North Korean threat groups are also using AI to escalate privileges, locate and steal sensitive records or credentials, and minimize risk of detection by analyzing security controls.

Generative AI composes most threat activity involving AI, but Microsoft said a transition to agentic AI is underway. 

“For threat actors, this shift could represent a meaningful change in tradecraft by enabling semi‑autonomous workflows that continuously refine phishing campaigns, test and adapt infrastructure, maintain persistence, or monitor open‑source intelligence for new opportunities,” researchers wrote in the report. 

“Microsoft has not yet observed large-scale use of agentic AI by threat actors, largely due to ongoing reliability and operational constraints,” researchers added. Yet, Microsoft warned, experiments illustrate the potential agentic AI systems pose for more advanced and damaging activity.

The post Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI appeared first on CyberScoop.