
North Korean IT Workers at Western Companies Now Extorting Ransom for Stolen Data


North Korean IT workers, who fraudulently secure jobs at Western companies, have escalated their tactics from stealing intellectual property to demanding ransoms in exchange for not leaking sensitive information. This new development signals a shift in their financially motivated attacks.

"In some cases, these workers have demanded ransom payments from former employers after gaining insider access, a behavior not previously seen," stated Secureworks Counter Threat Unit (CTU) in a recent analysis. "One instance involved a contractor who immediately exfiltrated proprietary data after starting work in mid-2024."

This activity bears similarities to the tactics of the threat group tracked as Nickel Tapestry, also known as Famous Chollima and UNC5267.

The scheme involves North Korean operatives infiltrating Western companies under false pretenses to support North Korea’s financial and strategic objectives. Many of these workers are sent to countries like China and Russia, posing as freelancers, or they steal the identities of legitimate individuals in the U.S. to achieve the same goals.

They also manipulate delivery addresses for company-issued laptops, often rerouting them to intermediaries who install remote desktop software, enabling North Korean actors to remotely access corporate systems. In some cases, multiple operatives are hired by the same company, or one individual assumes multiple identities.

Secureworks noted that some contractors have requested to use their own personal laptops and even managed to stop corporate laptops from being shipped, further complicating detection.

Ransom for Stolen Data

"This tactic aligns with Nickel Tapestry's approach of avoiding corporate laptops, reducing the need for in-country facilitators and limiting forensic evidence," the CTU noted, highlighting the growing sophistication of these schemes.

In a notable escalation, a contractor terminated for poor performance sent extortion emails to the company, threatening to release stolen data unless a ransom was paid.

"This evolution raises the risk associated with inadvertently hiring North Korean IT workers," said Rafe Pilling, Director of Threat Intelligence at Secureworks CTU. "They’re no longer just after a paycheck — they’re seeking larger, faster payouts through data theft and extortion from within company defenses."

Organizations are advised to tighten their recruitment processes, conduct identity checks, and remain vigilant for suspicious behavior, including attempts to reroute corporate IT equipment or use unauthorized remote access tools.
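As an added illustration of the screening advice above (not code from the article or from Secureworks), the routine below checks new contractor records for the red flags the report describes: a laptop shipping address that differs from the address of record, a request to work from a personal laptop, unapproved remote access tools on the issued device, and one shipping address shared by several hires. The tool names, the approved-tool allowlist and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Starter set of remote access tool process names to flag on issued laptops
# (assumed list; populate it from your own software inventory).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe",
                       "splashtop.exe", "corp-support-agent.exe"}
# Hypothetical sanctioned helpdesk tool that should not raise a flag.
APPROVED_REMOTE_TOOLS = {"corp-support-agent.exe"}


def normalize_address(addr: str) -> str:
    """Lower-case and collapse punctuation/whitespace so cosmetic edits
    to an address do not defeat the comparison."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())


@dataclass
class Hire:
    name: str
    address_of_record: str        # address verified during identity checks
    shipping_address: str         # where the corporate laptop was sent
    requested_personal_laptop: bool
    laptop_processes: set[str] = field(default_factory=set)


def screen_hire(h: Hire) -> list[str]:
    """Return the red flags raised for a single contractor record."""
    flags: list[str] = []
    if normalize_address(h.address_of_record) != normalize_address(h.shipping_address):
        flags.append("shipping address differs from address of record")
    if h.requested_personal_laptop:
        flags.append("requested to use personal laptop instead of corporate device")
    seen = {p.lower() for p in h.laptop_processes}
    unapproved = seen & (REMOTE_ACCESS_TOOLS - APPROVED_REMOTE_TOOLS)
    if unapproved:
        flags.append("unapproved remote access tool(s): " + ", ".join(sorted(unapproved)))
    return flags


def shared_shipping_addresses(hires: list[Hire]) -> dict[str, list[str]]:
    """Map each shipping address used by more than one hire to those hires;
    a shared address can indicate an intermediary receiving several laptops."""
    by_addr: dict[str, list[str]] = {}
    for h in hires:
        by_addr.setdefault(normalize_address(h.shipping_address), []).append(h.name)
    return {a: names for a, names in by_addr.items() if len(names) > 1}


# Constructed sample records, not data from the report.
SAMPLE_HIRES = [
    Hire("contractor-a", "12 Elm St, Austin, TX", "12 Elm St, Austin TX", False,
         {"chrome.exe", "corp-support-agent.exe"}),
    Hire("contractor-b", "40 Pine Ave, Denver, CO", "900 Relay Rd, Unit 3, Dallas, TX", False,
         {"anydesk.exe", "code.exe"}),
    Hire("contractor-c", "7 Lake Dr, Portland, OR", "900 Relay Rd Unit 3 Dallas TX", True, set()),
]
```

Run `screen_hire` over each record at onboarding and `shared_shipping_addresses` over the whole batch; both return plain lists so they can feed a ticketing or SIEM pipeline.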

"The emergence of ransom demands marks a significant shift in Nickel Tapestry’s schemes, but the underlying behaviors align with past tactics employed by North Korean operatives," Secureworks concluded.
