GitLab exposes abuse of its platform to trick software developers into downloading malicious payloads and finance companies into hiring North Koreans.

Research from GitLab has exposed the latest tradecraft behind North Korean fake IT worker scams. GitLab banned 131 North Korean-attributed accounts last year, most of which involved JavaScript repositories that acted as resources in the so-called Contagious Interview campaign. In most cases, GitLab projects acted as obfuscated loaders for malware payloads — such as BeaverTail and Ottercookie — hosted outside the code repository platform.

Contagious Interview

The Contagious Interview campaign revolves around North Korean threat actors posing as recruiters or hiring managers in order to trick software developers into executing malicious code projects under the pretence of technical interviews. Operators typically used consumer VPNs when interacting with GitLab, though some occasionally routed their access via dedicated virtual private server (VPS) infrastructure or laptop farms. GitLab disrupted these operations by banning suspect repositories.

Opportunistic and broadly targeted

These suspect code silos were abused in a variety of illicit projects, split between targeting job-seeking programmers and fake IT worker operations. “Based on our visibility, malware operations targeting individual developers seeking employment are most common,” Oliver Smith, senior threat intelligence engineer at GitLab, told CSO. “Threat actors appear to have a preference for US-based developers and the fintech sector, but are opportunistic and target broadly.”

Smith continued: “For fake IT worker operations, threat actors commonly find employment at smaller organizations seeking contract software developers, particularly through freelancing platforms.”

Larger organizations are also being targeted by the ongoing scams, which began in earnest in 2022 and started as early as 2019.
Evolving tradecraft

Scammers’ tradecraft evolved last year through the use of malicious NPM package manager dependencies, sandbox detection, and increasing reliance on invite-only private projects. North Korean actors also relied more heavily on AI technologies, both to develop custom obfuscators and to automate the creation of synthetic identities, spun up to generate professional connections and contact leads at scale, GitLab explains in a technical blog post. One IT worker controlled 21 unique personas, put together by adding their own image to stolen scans of US identity documents. Some of the banned repositories contained personnel dossiers, passport scans, banking records at multiple Chinese banks and structured quarterly performance spreadsheets.

Inside a fake IT worker boiler room

GitLab explains how one repository reveals detailed financial and personnel records for one likely Beijing-based North Korean IT worker cell that made more than $1.64 million between Q1 2022 and Q3 2025. The eight-person cell of North Korean nationals pulled in revenue through freelance web and mobile software development while posing under false identities. Earnings slipped last year but still exceeded $11K per member in Q3 2025, according to the group’s own records.

The private project also contained performance reviews for cell members, dated 2020. These performance reviews include comments about members’ earnings and skills development alongside remarks about contributions to household chores among the physically co-located team — including doing laundry, providing haircuts, and purchasing shared food and drink — as well as an assessment of “interpersonal values and adherence to party values.”

Another private code repository was abused by a North Korean fake IT worker likely operating from central Moscow. “The threat actor was focused on cultivation of a smaller group of more detailed personas and progressed from freelance work to full-time employment,” according to GitLab.
GitLab concludes that multiple DPRK teams are operating in parallel with limited coordination but similar tradecraft.

Weaponizing trust

Dray Agha, senior security operations manager at Huntress, said the managed detection and response services firm has observed similar tradecraft across 2025 and early 2026. “North Korean threat actors are weaponizing the trust inherent in the tech recruitment process, tricking developers into executing malicious payloads under the guise of technical assessments,” Agha said. “By targeting highly privileged developers in lucrative sectors like cryptocurrency and finance, these actors are effectively bypassing traditional perimeter defences to establish immediate footholds.”

DPRK threat actors are adopting generative AI to scale their operations. “From using AI tools to refine malware obfuscation and bypass security safeguards, to automating the creation of synthetic personas, North Korean groups are rapidly modernizing their tradecraft,” Agha noted. “This demonstrates that AI is actively lowering the barrier for threat actors to execute convincing, large-scale deception.”

Hannah Baumgaertner, head of research at Silobreaker, said that the overall methods deployed by North Korean fake IT worker groups have remained broadly similar, though an “increase in the use of AI and other infection methods like ClickFix have been observed in the past year.” “The types of platforms being abused as part of the scheme also appear to be expanding, with Visual Studio Code now also frequently used for initial access,” Baumgaertner added.

North Korean fake IT worker fraud is a cross-industry issue. GitLab hopes its detailed research, which includes more than 600 indicators of compromise associated with its case studies, will help empower defenders across the industry.
“We hope our report helps the entire industry strengthen defenses and contributes to more transparency around these threat actors’ tactics and operations,” GitLab’s Smith concluded.

An overview of the myriad tactics in play during North Korean fake IT worker scams — alongside advice on thwarting such scams — can be found in an earlier feature on the problem by CSO.

Facts Only

GitLab banned 131 North Korean-attributed accounts in 2025.
Most banned accounts involved JavaScript repositories used in the "Contagious Interview" campaign.
Malware payloads, including BeaverTail and Ottercookie, were hosted outside GitLab.
Threat actors posed as recruiters to trick developers into executing malicious code during fake technical interviews.
Actors used consumer VPNs, VPS infrastructures, and laptop farms to access GitLab.
Targets included US-based developers and the fintech sector, with opportunistic targeting.
Fake IT worker operations secured employment at smaller organizations, particularly through freelancing platforms.
Scams began in earnest in 2022 but started as early as 2019.
Actors used AI to develop custom obfuscators and automate synthetic identity creation.
One repository contained personnel dossiers, passport scans, and banking records linked to Chinese banks.
A Beijing-based North Korean IT worker cell earned over $1.64 million between Q1 2022 and Q3 2025.
Performance reviews for cell members included assessments of household chores and adherence to party values.
Another repository was linked to a North Korean actor operating from central Moscow.
GitLab's report includes over 600 indicators of compromise.

Executive Summary

GitLab has exposed a sophisticated campaign by North Korean threat actors targeting software developers and financial companies. In 2025, GitLab banned 131 accounts linked to North Korea, primarily involving JavaScript repositories used to distribute malware like BeaverTail and Ottercookie. These operations, part of the "Contagious Interview" campaign, involved threat actors posing as recruiters to trick developers into executing malicious code during fake technical interviews. The actors used consumer VPNs, VPS infrastructures, and laptop farms to evade detection. GitLab's investigation revealed that these scams targeted US-based developers and the fintech sector, though they were opportunistic and broadly targeted. Additionally, North Korean IT workers used fake identities to secure freelance and full-time positions, with one cell in Beijing generating over $1.64 million between 2022 and 2025. The actors employed AI to automate synthetic identity creation and malware obfuscation, evolving their tradecraft to include private repositories and sandbox detection. Security experts note that these tactics exploit trust in the tech recruitment process, bypassing traditional defenses. The campaign, active since at least 2019, continues to expand, with platforms like Visual Studio Code now being abused for initial access. GitLab's report provides over 600 indicators of compromise to help defenders across industries strengthen their defenses.

Full Take

The strongest version of this narrative highlights the adaptability and scale of North Korean cyber operations, which exploit trust in professional networks to infiltrate high-value sectors. GitLab's research provides concrete evidence of evolving tradecraft, including the use of AI to automate deception and malware obfuscation. The "Contagious Interview" campaign is particularly insidious, weaponizing the job-seeking process to deliver payloads directly to developers' machines. The financial records and performance reviews uncovered by GitLab reveal a structured, almost corporate approach to cybercrime, with cells operating like remote work teams—complete with household chores and ideological assessments. This suggests a blend of state-backed coordination and entrepreneurial fraud, where financial gain and ideological control intersect.
Patterns detected: ARC-0024 Ambiguity (the use of AI to create synthetic identities blurs the line between human and automated deception), ARC-0043 Motte-and-Bailey (the dual use of freelance platforms for both legitimate-seeming work and malware distribution).
The root cause paradigm here is the convergence of economic desperation, state-sponsored cybercrime, and the global gig economy's vulnerabilities. North Korea's isolated economy and sanctions drive these operations, but the tactics exploit universal trust mechanisms in tech recruitment and freelancing. The implications for human agency are stark: developers and companies must now treat every job interview or freelance contract as a potential attack vector. The second-order consequences include eroded trust in remote work, increased scrutiny of freelance platforms, and a potential chilling effect on global tech collaboration.
Bridge questions: How might legitimate freelancers and remote workers prove their authenticity in an environment where synthetic identities are increasingly convincing? What structural changes in hiring practices could mitigate these risks without excluding genuine talent? If AI lowers the barrier for threat actors, how can defenders use the same tools to detect and disrupt these campaigns?
Counterstrike scan: A coordinated influence campaign would amplify fear of North Korean cyber threats to justify broad surveillance of freelance platforms or restrictive hiring policies. The actual content, however, focuses on transparency and defensive measures, aligning with GitLab's stated mission of empowering defenders. No structural alignment with a malicious playbook is detected.

Sentinel — Human

Confidence

The article shows strong signs of human authorship, with natural stylistic variations, specific expert attributions, and detailed operational insights unlikely to be AI-generated.

Signals Detected
low severity: Moderate sentence length variance and natural transitions, with some idiosyncratic phrasing (e.g., 'weaponizing trust inherent in the tech recruitment process').
low severity: Strong narrative flow with occasional digressions (e.g., details about household chores in performance reviews), suggesting human authorship.
low severity: Specific attributions to named experts (Oliver Smith, Dray Agha, Hannah Baumgaertner) with direct quotes, reducing template risk.
low severity: Detailed financial records and operational specifics (e.g., $1.64M earnings, Q3 2025 dates) are unusually precise for AI confabulation.
Human Indicators
Idiosyncratic details (e.g., 'interpersonal values and adherence to party values' in performance reviews)
Direct quotes from multiple named sources with distinct voices
Complex, multi-layered narrative structure with tangential but relevant details