The young developers are having the time of their lives. They open bottles of sparkling wine, eat steak dinners, play football together and bask in a luxurious private swimming pool, all of their activities captured in photos that were later exposed online. In one image, a man poses in front of a Minion cardboard cutout. But despite their exuberance, they are not successful Silicon Valley entrepreneurs; they are IT workers from the hermit kingdom of North Korea, who infiltrate Western companies and send their salaries back to it.
Two members of a group of North Korean developers, who allegedly operated from the Southeast Asian country of Laos before being moved to Russia at the beginning of 2024, are today identified by researchers from the cybersecurity company DTEX. The men, who, according to DTEX, used the personas “Naoki Murano” and “Jenson Collins”, are alleged to have been involved in raising funds for the brutal North Korean regime as part of the IT worker epidemic, to which Murano was previously linked.
For years, Kim Jong-Un's North Korea has posed one of the most sophisticated and dangerous cyber threats to Western countries and companies, its hackers stealing the intellectual property needed to develop its own technology, as well as billions in crypto to evade sanctions and create nuclear weapons. In February, the FBI announced that North Korea had carried out the largest crypto robbery, stealing $1.5 billion from the crypto exchange Bybit. In addition to its skilled hackers, Pyongyang’s IT workers, who are often based in China or Russia, get companies to hire them as remote workers and have become a growing threat.
“What we are doing does not work, and if it works, it does not work quickly enough,” explains Michael “Barni” Barnhart, a researcher of North Korean cyber activity and principal researcher at DTEX. In addition to identifying Murano and Collins, DTEX, in a detailed report on North Korean cyber activity, is also publishing more than 1,000 email addresses that it claims have been identified as linked to North Korean IT worker activity. The publication is one of the largest disclosures of North Korean IT worker activity to date.
North Korea's wide-ranging cyber operations cannot be compared to those of other hostile nations, such as Russia and China, explains Barnhart in the DTEX report, because Pyongyang operates as a “union of crime sanctioned by the State” rather than like more traditional military or intelligence operations. Everything is motivated by the financing of the regime, the development of weapons and the collection of information, says Barnhart. “Everything is linked together in some way, shape, or form.”
The Misfits Move
Around 2022 and 2023, DTEX claims, Naoki Murano and Jenson Collins – their real names are not known – were based in Laos and also traveled to and from Vladivostok, Russia. The pair appeared among a wider group of suspected North Koreans in Laos, and a cache of their photos was first exposed in an open Dropbox folder. The photos were discovered by a collective of North Korea researchers who often collaborate with Barnhart and call themselves a “Misfits” alliance. In recent weeks, they have published many images of alleged North Korean IT workers online.
North Korea's IT workers are prolific in their activities, often trying to infiltrate several companies simultaneously using stolen identities or by creating false personas to try to appear legitimate. Some use freelance platforms; others try to recruit international facilitators to manage laptop farms. Although their online personas can be false, the country – where millions have no fundamental human rights or internet access – puts talented children into its education pipeline, where they can become skilled developers and hackers. This means that many IT workers and hackers are likely to know each other, potentially since they were children. Although they are technically adept, they often leave a trail of digital breadcrumbs in their wake.
Murano was first publicly linked to North Korean operations by the cryptocurrency investigator ZachXBT, who published the names, cryptocurrency wallet details and email addresses of more than 20 North Korean IT workers last year. Murano was then linked to the DeltaPrime robbery in Coinbase reports in October. Members of the Misfits collective shared photos of Murano looking pleased with himself while eating steak and a photo of an alleged Japanese passport.