[Source: Logpresso]

Security company Logpresso said on Tuesday that it has published a report titled “OSINT analysis of North Korean IT personnel’s disguised employment”, which analyses how North Korean IT workers get hired into overseas remote IT roles using fake identities.

The report contains findings from tracking the activities of North Korean IT workers hired by overseas companies under false identities. Its analysis source was the infection logs of infostealer malware that circulate on the deep web and dark web. The company said the report’s key feature is that it moved away from analysis centred on malware reverse engineering and instead cross-analysed the email accounts, passwords, access IPs, hardware IDs (HWIDs) and language settings leaked from devices used by North Korean IT personnel, in order to reveal the cluster structure of the organisations running disguised employment operations.

Logpresso cross-validated 1,045,645 records by comparing 1,879 email account patterns linked to North Korean disguised employment, as disclosed by the U.S. government and private research institutions, against the infostealer infection records it has collected from 2024 to the present. It identified 80 email accounts, 66 IP addresses and 66 hardware IDs, and found indications that these had accessed 490 domains across 28 countries.

The report said there were indications that North Korean IT workers created up to five fake identities on a single computer and sought employment at different companies with each. Different email accounts and activity histories were found on the same device, and each identity was disguised with a different name and nationality. Logpresso assessed this as the product of an organisationally designed multi-identity system rather than of individual actions. Password analysis also showed signs of organised operations: identical or similar passwords were reused across multiple accounts presenting different names and nationalities.
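The two analysis steps described above (seeding from known email patterns, then pivoting through shared HWIDs and IPs to find the other identities on the same device and the passwords reused across them) can be reproduced on a normalised infostealer dump. The following is an added example, not Logpresso’s code; the records, the two seed patterns and the field names (hwid, email, password, ip, lang, domain) are all constructed for the example, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Cluster infostealer-log records by device to surface multi-identity use.

Added example (not Logpresso's code). RECORDS and SEED_PATTERNS are constructed;
the field layout is an assumption about a normalised infostealer dump.
"""
import re
from collections import defaultdict

# Constructed sample records. HW-A1 carries three identities that share a
# password stem; HW-B7 is an unrelated victim used as a negative control.
RECORDS = [
    {"hwid": "HW-A1", "email": "johndev2021@example.com", "password": "Sunny!2021",
     "ip": "192.0.2.10", "lang": "ko-KR", "domain": "jobs.example.org"},
    {"hwid": "HW-A1", "email": "m.ivanov.eng@example.net", "password": "Sunny!2021",
     "ip": "192.0.2.10", "lang": "ko-KR", "domain": "git.example-corp.com"},
    {"hwid": "HW-A1", "email": "carlos.fullstack@example.com", "password": "Sunny!2022",
     "ip": "198.51.100.7", "lang": "ko-KR", "domain": "freelance.example.org"},
    {"hwid": "HW-B7", "email": "alice@example.co", "password": "hunter2",
     "ip": "203.0.113.5", "lang": "en-US", "domain": "mail.example.co"},
    {"hwid": "HW-C3", "email": "johndev2021@example.com", "password": "Sunny!2021",
     "ip": "198.51.100.7", "lang": "ko-KR", "domain": "cloud.example-corp.com"},
]

# Hypothetical seed patterns standing in for publicly disclosed indicator lists.
SEED_PATTERNS = [r"^johndev\d{4}@example\.com$", r"^[a-z]\.[a-z]+\.eng@example\.net$"]


def match_seeds(records, patterns=SEED_PATTERNS):
    """Emails in the dump that match a known indicator pattern."""
    regexes = [re.compile(p) for p in patterns]
    return {r["email"] for r in records if any(rx.match(r["email"]) for rx in regexes)}


def pivot_from_seeds(records, seed_emails):
    """Expand seeds to every email, HWID and IP reachable through a shared device or IP.

    A seed email ties a device to the campaign; everything else seen on that
    device (or from its IPs) becomes a candidate indicator. Iterates to a fixpoint.
    """
    emails, hwids, ips = set(seed_emails), set(), set()
    changed = True
    while changed:
        changed = False
        for r in records:
            if r["email"] in emails or r["hwid"] in hwids or r["ip"] in ips:
                before = (len(emails), len(hwids), len(ips))
                emails.add(r["email"]); hwids.add(r["hwid"]); ips.add(r["ip"])
                changed |= (len(emails), len(hwids), len(ips)) != before
    return {"emails": emails, "hwids": hwids, "ips": ips}


def cluster_by_device(records):
    """Group observations by hardware ID: one cluster per physical device."""
    clusters = defaultdict(lambda: {"emails": set(), "ips": set(), "domains": set(), "langs": set()})
    for r in records:
        c = clusters[r["hwid"]]
        c["emails"].add(r["email"]); c["ips"].add(r["ip"])
        c["domains"].add(r["domain"]); c["langs"].add(r["lang"])
    return dict(clusters)


def multi_identity_devices(clusters, min_identities=2):
    """Devices on which at least min_identities distinct email identities were seen."""
    return {h: sorted(c["emails"]) for h, c in clusters.items() if len(c["emails"]) >= min_identities}


def password_stem(pw):
    """Crude normalisation: drop a trailing run of digits/punctuation ('Sunny!2022' -> 'Sunny')."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", pw)


def password_reuse(records):
    """Password stems shared by two or more distinct email identities."""
    by_stem = defaultdict(set)
    for r in records:
        by_stem[password_stem(r["password"])].add(r["email"])
    return {stem: sorted(v) for stem, v in by_stem.items() if len(v) >= 2}


def indicator_counts(records):
    """Distinct-indicator counts of the kind the report summarises."""
    return {k: len({r[k] for r in records}) for k in ("email", "ip", "hwid", "domain")}


if __name__ == "__main__":
    seeds = match_seeds(RECORDS)
    print("seeds:", sorted(seeds))
    print("pivot:", pivot_from_seeds(RECORDS, seeds))
    print("multi-identity devices:", multi_identity_devices(cluster_by_device(RECORDS)))
    print("password reuse:", password_reuse(RECORDS))
    print("counts:", indicator_counts(RECORDS))
```

Two practical caveats when running this over a real dump: pivoting on IP alone is noisy (NAT, VPN and hosting ranges tie unrelated victims together), so a cluster should be anchored on a HWID or a seed email and IP used only as a secondary link; and the "HWID" string is computed differently by each stealer family, so records from different families should be normalised before they are compared.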

Logpresso CEO Yang Bong-yeol (양봉열) said, “Disguised employment by North Korean IT personnel can be abused as an initial infiltration vector to gain access to internal corporate systems, source code repositories and cloud assets, beyond being a simple means of obtaining foreign currency.” He added, “If they secure internal access rights by posing as legitimate developers, there is a high likelihood it could spread into larger security threats such as supply chain attacks or information theft.”

Keywords: Logpresso, North Korea, OSINT, InfoStealer, HWID
Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.