Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure
Investigation of DPRK-linked fake IT worker infrastructure began after cryptocurrency researcher ZachXBT identified the domain luckyguys[.]site as connected to illicit payments. Analysis of 30 days of network activity associated with IP 163.245.219[.]19 revealed concentrated VPN usage, with Astrill VPN (37.5%), Mullvad (32.25%), and Proton VPN (6.25%) the most prominent. American and Latvian residential IPs communicated with the infrastructure, showing frequent Astrill VPN usage and connectivity to Gmail, ChatGPT, and the Workana freelance platform. A second IP, 216.158.225[.]144, was discovered through X.509 certificate analysis. Traffic dropped sharply following public exposure, consistent with the adversary's habit of abandoning attributed infrastructure. The activity suggests a distributed network of remote IT workers participating in sanctions-evasion workflows, leveraging AI tools and freelance platforms to obtain employment under false identities.
AI Analysis
Technical Summary
The campaign centers on DPRK-linked fake IT worker infrastructure used to facilitate sanctions evasion and illicit cryptocurrency payments. Initial discovery was triggered by cryptocurrency researcher ZachXBT identifying the domain luckyguys.site. Analysis of network traffic associated with IP 163.245.219.19 revealed concentrated VPN usage (Astrill VPN, Mullvad, Proton VPN) and communication with American and Latvian residential IPs. The infrastructure also communicated with Gmail, ChatGPT, and the Workana freelance platform, indicating use of AI tools and freelance employment platforms under false identities. A second IP, 216.158.225.144, was identified via X.509 certificate analysis. Traffic dropped sharply after public exposure, indicating that the adversaries abandoned the infrastructure. No direct exploitation of software vulnerabilities was observed; the threat is operational and infrastructure-based.
Potential Impact
The campaign enables DPRK threat actors to evade international sanctions and conduct illicit cryptocurrency transactions by using fake IT worker identities and remote freelance platforms. Although no software vulnerabilities are exploited, the infrastructure facilitates fraudulent financial activities and sanctions circumvention. The abandonment of the infrastructure following exposure reduces immediate risk but highlights ongoing adversary tactics involving VPNs, residential proxies, and freelance platforms.
Mitigation Recommendations
No patch or direct remediation is applicable, because this is threat-actor infrastructure and a campaign rather than a software vulnerability. Organizations should monitor for indicators of compromise, including the domain luckyguys.site and the IP addresses 163.245.219.19 and 216.158.225.144. Awareness of adversary use of VPN services and freelance platforms for sanctions evasion can inform threat detection and response efforts. Since the infrastructure was abandoned after exposure, immediate risk is reduced. Continued threat intelligence monitoring and updating detection rules based on these indicators are recommended.
Affected Countries
United States, Latvia
Indicators of Compromise
- ip: 216.158.225.144
- url: https://flare.io/learn/resources/north-korean-infiltrator-threat
- domain: luckyguys.site
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.team-cymru.com/post/dprk-fake-it-worker-cyber-threat-actors-infrastructure
- Adversary: DPRK
- Pulse Id: 69e991a518634e661de0c8eb
- Threat Score: null
Threat ID: 69e9e0fb87115cfb68ecdc8c
Added to database: 4/23/2026, 9:06:03 AM
Last enriched: 5/26/2026, 7:53:54 PM
Last updated: 6/7/2026, 3:03:14 AM