Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure
Investigation of DPRK-linked fake IT worker infrastructure began after cryptocurrency researcher ZachXBT identified the domain luckyguys[.]site as connected to illicit payments. Analysis of 30 days of network activity associated with IP 163.245.219[.]19 revealed concentrated VPN usage, with Astrill VPN (37.5%), Mullvad (32.25%), and Proton VPN (6.25%) the most prominent providers. American and Latvian residential IPs communicated with the infrastructure, showing frequent Astrill VPN usage and connectivity to Gmail, ChatGPT, and the Workana freelance platform. A second IP, 216.158.225[.]144, was discovered through X.509 certificate analysis. Traffic dropped sharply following public exposure, consistent with adversaries abandoning infrastructure once it has been attributed. The activity suggests a distributed network of remote IT workers participating in sanctions evasion workflows, leveraging AI tools and freelance platforms to obtain employment under false identities.
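The three analytic steps in the description (provider share of VPN traffic to an IP, the rate drop after exposure, and the certificate pivot that surfaced a second IP) are reproduced below as an added example. This is not code from the Team Cymru report or from any vendor; the VPN ranges (RFC 5737 documentation space), flow records, scan records, fingerprints, exposure date and observation window are all constructed here for illustration, and only the two IP addresses are taken from the page.

```python
"""Added example, not from the report: VPN share, traffic-rate change and
X.509 fingerprint pivot on constructed data."""
from collections import Counter
from datetime import date, datetime
import ipaddress

TARGET = "163.245.219.19"                        # IP named in the report
EXPOSURE = date(2025, 6, 15)                     # hypothetical publication date
WINDOW = (date(2025, 6, 10), date(2025, 6, 19))  # hypothetical observation window

# Constructed VPN egress ranges in documentation space; a real workflow loads
# a curated provider list or a commercial VPN exit feed instead.
VPN_RANGES = {
    "Astrill": [ipaddress.ip_network("203.0.113.0/25")],
    "Mullvad": [ipaddress.ip_network("203.0.113.128/26")],
    "ProtonVPN": [ipaddress.ip_network("198.51.100.0/27")],
}

# Constructed flow records: date src dst dst_port bytes
FLOWS = """\
2025-06-10 203.0.113.5 163.245.219.19 443 5120
2025-06-10 203.0.113.140 163.245.219.19 443 2048
2025-06-11 203.0.113.7 163.245.219.19 443 4096
2025-06-11 198.51.100.9 163.245.219.19 443 1024
2025-06-12 203.0.113.150 163.245.219.19 443 3072
2025-06-12 192.0.2.10 163.245.219.19 443 700
2025-06-13 203.0.113.9 163.245.219.19 22 900
2025-06-14 203.0.113.160 163.245.219.19 443 2200
2025-06-16 203.0.113.11 163.245.219.19 443 600
2025-06-18 192.0.2.22 163.245.219.19 443 300
2025-06-19 192.0.2.10 198.51.100.77 443 400
"""

# Constructed passive-scan records: (ip, port, certificate fingerprint)
SCAN = [
    ("163.245.219.19", 443, "fp-aaaa"),
    ("216.158.225.144", 443, "fp-aaaa"),   # same cert as the seed: first-hop pivot
    ("216.158.225.144", 8443, "fp-bbbb"),
    ("203.0.113.200", 443, "fp-bbbb"),     # shares a cert only with the pivoted host
    ("198.51.100.77", 443, "fp-cccc"),
]


def vpn_provider(ip):
    """Name of the VPN provider whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in VPN_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, src, dst, port, nbytes = line.split()
            rows.append({"date": datetime.strptime(day, "%Y-%m-%d").date(),
                         "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return rows


def vpn_share(flows, target=TARGET):
    """Percentage of flows to target per provider; 'other' = no known VPN range."""
    counts = Counter(vpn_provider(f["src"]) or "other" for f in flows if f["dst"] == target)
    total = sum(counts.values())
    return {k: round(100 * v / total, 2) for k, v in counts.items()}


def daily_rates(flows, exposure=EXPOSURE, window=WINDOW, target=TARGET):
    """Mean flows per day to target before the exposure date and from it onward."""
    start, end = window
    to_target = [f for f in flows if f["dst"] == target and start <= f["date"] <= end]
    before = sum(f["date"] < exposure for f in to_target)
    after = len(to_target) - before
    return (round(before / (exposure - start).days, 2),
            round(after / ((end - exposure).days + 1), 2))


def cert_pivot(records, seed, hops=1):
    """IPs that share a certificate fingerprint with seed, mapped to hop distance.

    hops=1 is the usual pivot. Each further hop pulls in everything sharing a
    cert with the newly found hosts, which grows fast on shared hosting or
    default certificates, so review every hop before trusting it.
    """
    by_fp, by_ip = {}, {}
    for ip, _port, fp in records:
        by_fp.setdefault(fp, set()).add(ip)
        by_ip.setdefault(ip, set()).add(fp)
    found, frontier = {seed: 0}, {seed}
    for hop in range(1, hops + 1):
        nxt = set()
        for ip in frontier:
            for fp in by_ip.get(ip, ()):
                nxt |= by_fp[fp]
        frontier = nxt - set(found)
        found.update((ip, hop) for ip in frontier)
        if not frontier:
            break
    found.pop(seed)
    return found


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("VPN share:", vpn_share(flows))
    print("flows/day before and after exposure:", daily_rates(flows))
    print("cert pivot, 1 hop:", cert_pivot(SCAN, TARGET))
    print("cert pivot, 2 hops:", cert_pivot(SCAN, TARGET, hops=2))
```

On the constructed data the one-hop pivot returns only 216.158.225.144; the second hop adds a host that shares a certificate with the pivoted IP but not with the seed, which is the kind of result that needs manual review before it is treated as related infrastructure.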
AI Analysis
Technical Summary
The threat campaign centers on a distributed network of fake IT workers linked to DPRK cyber actors. Initial discovery was triggered by cryptocurrency fraud investigations tied to the domain luckyguys.site. Analysis of network traffic over 30 days showed heavy VPN usage and communication with residential IPs in the US and Latvia, connecting to services such as Gmail, ChatGPT, and the Workana freelance platform. A secondary IP was identified via X.509 certificate analysis. The infrastructure was abandoned after public disclosure, consistent with the adversaries' operational security practice of dropping attributed infrastructure. The activity supports sanctions evasion workflows by leveraging remote freelance employment under false identities, without exploiting specific software vulnerabilities.
Potential Impact
The campaign facilitates sanctions evasion and illicit cryptocurrency payments by leveraging fake IT worker identities and remote freelance platforms. While no direct exploitation of software vulnerabilities is reported, the infrastructure supports DPRK adversaries in circumventing international sanctions and conducting fraudulent financial activities. The exposure and subsequent abandonment of infrastructure reduce immediate risk but highlight ongoing adversary tactics.
Mitigation Recommendations
No patch or direct remediation applies, since this is threat actor infrastructure and a campaign rather than a software vulnerability. Organizations should monitor DNS, proxy and firewall logs for the domain luckyguys.site and the IP addresses 163.245.219.19 and 216.158.225.144 (only the second IP appears in the indicator list below; the first is named in the description). Awareness of adversary use of commercial VPNs and freelance platforms for sanctions evasion can inform threat detection and response. Because the infrastructure was abandoned after exposure, these network indicators mainly reveal past contact rather than current activity; the workers and their tradecraft persist, so hiring and contractor onboarding controls (identity verification, scrutiny of remote workers who connect only through commercial VPN exits) address the threat more durably than blocklists. Continued threat intelligence monitoring is recommended.
Indicators of Compromise
- ip: 216.158.225.144
- url: https://flare.io/learn/resources/north-korean-infiltrator-threat (a vendor article on the same topic, carried in the source pulse as an indicator; treat it as a reference, not as hostile infrastructure)
- domain: luckyguys.site
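Loading the indicator list above into a matcher, as an added example that is not part of the original page or pulse. It parses the page's own `- type: value` lines, adds the IP 163.245.219.19 named only in the description, and runs the result over constructed DNS and proxy log lines. The rule that a `url` indicator whose host is not itself a listed domain is a reference link rather than a blocking indicator is an assumption made for this example, and the log format and lines are constructed.

```python
"""Added example, not from the page: IoC loading with reference-link filtering
and suffix-aware matching over constructed log lines."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicator list as it appears on the page, plus the IP named in the description.
IOC_TEXT = """\
- ip: 216.158.225.144
- url: https://flare.io/learn/resources/north-korean-infiltrator-threat
- domain: luckyguys.site
- ip: 163.245.219.19
"""

# Constructed log lines (not from any real environment).
LOGS = """\
2025-06-12T09:14:02Z dns client=10.20.0.15 qname=mail.luckyguys.site qtype=A
2025-06-12T09:14:05Z proxy client=10.20.0.15 dst=216.158.225.144:443 host=luckyguys.site
2025-06-12T10:02:11Z proxy client=10.20.0.31 dst=192.0.2.50:443 host=flare.io url=https://flare.io/learn/resources/north-korean-infiltrator-threat
2025-06-12T10:05:40Z dns client=10.20.0.31 qname=notluckyguys.site qtype=A
2025-06-12T11:00:00Z proxy client=10.20.0.44 dst=163.245.219.19:22 host=-
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def domain_match(name, domains):
    """True if name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def load_iocs(text):
    """Split '- type: value' lines into blocking indicators and reference links."""
    ips, domains, refs = set(), set(), set()
    entries = [line[2:].split(": ", 1) for line in text.splitlines() if line.startswith("- ")]
    entries = [e for e in entries if len(e) == 2]
    for kind, value in entries:
        if kind == "ip":
            ips.add(str(ipaddress.ip_address(value)))  # validates and normalises
        elif kind == "domain":
            domains.add(value.lower().rstrip("."))
    for kind, value in entries:
        if kind == "url":
            host = (urlparse(value).hostname or "").lower()
            # Assumption: a URL whose host is not a listed domain is a reference
            # link, not hostile infrastructure, and must not become a blocking rule.
            if not domain_match(host, domains):
                refs.add(value)
    return ips, domains, refs


def match_logs(text, ips, domains):
    """Return (timestamp, client, reasons) for each log line touching an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        f = dict(FIELD.findall(rest))
        reasons = []
        if kind == "dns" and domain_match(f.get("qname", ""), domains):
            reasons.append("dns:" + f["qname"])
        if kind == "proxy":
            dst_ip = f.get("dst", "").rsplit(":", 1)[0]
            if dst_ip in ips:
                reasons.append("ip:" + dst_ip)
            if domain_match(f.get("host", ""), domains):
                reasons.append("host:" + f["host"])
        if reasons:
            hits.append((ts, f.get("client"), reasons))
    return hits


if __name__ == "__main__":
    ips, domains, refs = load_iocs(IOC_TEXT)
    print("blocking IPs:", sorted(ips), "domains:", sorted(domains))
    print("reference links kept out of the blocklist:", sorted(refs))
    for hit in match_logs(LOGS, ips, domains):
        print(hit)
```

The suffix check matches mail.luckyguys.site but not notluckyguys.site, and the visit to the flare.io article produces no hit because its URL was classified as a reference rather than an indicator.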
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.team-cymru.com/post/dprk-fake-it-worker-cyber-threat-actors-infrastructure
- Adversary: DPRK
- Pulse Id: 69e991a518634e661de0c8eb
- Threat Score: null
Threat ID: 69e9e0fb87115cfb68ecdc8c
Added to database: 4/23/2026, 9:06:03 AM
Last enriched: 4/23/2026, 9:21:19 AM
Last updated: 4/24/2026, 6:05:15 AM