Investigation: Beejern LLC
Deep-dive investigation into the corporate structure, operations, and connections of Beejern LLC. Uncovering the network of entities and their potential links to threat actor infrastructure.

Browse our collection of investigations and intelligence reports
DPRK Analysis: Unprecedented investigation capturing North Korean IT workers live on camera through sandboxed laptop farms, documenting their recruitment tactics, toolchain, and infiltration operations in real-time.
DPRK Intelligence: DPRK IT workers evolve from job seekers to recruiters, orchestrating systematic identity harvesting campaigns on Upwork and Freelancer platforms through scripted collaboration requests and remote access tools.
Malware Analysis: Analysis of PyLangGhost RAT, a Python-based malware from Lazarus subgroup Famous Chollima targeting finance and tech sectors through fake job interviews, stealing credentials and cryptocurrency wallets.
DPRK Analysis: Comprehensive analysis of North Korean IT worker operations on GitHub, revealing coordinated campaigns, suspicious account patterns, and infiltration tactics targeting Web3 projects and developer communities.
Fraud Alert: Investigation into fraudulent recruiter accounts on GitHub and LinkedIn used by threat actors to target developers and infiltrate organizations through fake job opportunities.
DPRK Analysis: Comprehensive recap of findings regarding suspicious Lazarus Group activity on GitHub, analyzing patterns in fake developer profiles, achievement badges, and coordinated campaigns targeting the developer community.
DPRK Analysis: In-depth analysis of GitHub account activity associated with Lazarus Group, examining commit history manipulation, identity obfuscation techniques, and patterns used by DPRK IT workers to maintain cover identities.
DPRK Analysis: Detailed investigation into suspicious GitHub activity patterns associated with Lazarus Group and DPRK IT workers, revealing coordinated efforts to establish fake developer identities and infiltrate software development communities.
DPRK Intelligence: Comprehensive analysis of DPRK IT workers' tactics, behaviors, and operational patterns through direct engagement. Revealing social engineering, remote desktop evasion, and platform manipulation techniques.
Coverage of NorthScan research and DPRK threat intelligence in major publications
Media Mention: Cointelegraph took part in an investigation centered around a suspected North Korean operative that uncovered a cluster of threat actors attempting to score freelancing gigs in the cryptocurrency industry. The investigation was led by Heiner Garcia, a cyber threat intelligence expert at Telefónica and a blockchain security researcher.
Media Mention: In this feature on freelance platform abuse, Heiner García Perez is cited for his research on how North Korean IT workers exploit Upwork and LinkedIn to blend into legitimate ecosystems. His intelligence findings helped illustrate the scope of DPRK remote work infiltration.
Media Mention: BleepingComputer reports on an unprecedented intelligence operation where security researchers Mauro Eldritch and Heiner García exposed how North Korean IT recruiters from Famous Chollima are luring American engineers into identity rental schemes, enabling DPRK operatives to infiltrate Western companies.
Media Mention: The Hacker News reports on a groundbreaking joint investigation led by Mauro Eldritch (BCA LTD), NorthScan, and ANY.RUN that captured Lazarus Group's Famous Chollima division operating live in controlled sandbox environments, exposing their remote IT worker infiltration tactics and identity takeover schemes in real-time.
Upcoming and past conference talks featuring NorthScan research