North Korea’s Global Cybercrime Network Uncovered: Fake IT Workers Funding Regime's Ambitions

 

A new report by cybersecurity firm DTEX has exposed how North Korea is operating a sophisticated international cybercrime network by embedding fake information technology workers within leading global corporations. These operatives, disguised as freelance developers, are channeling millions in stolen cryptocurrency to fund the reclusive nation’s military and weapons programs.

According to the report, North Korean agents are not driven by ideology but by a systemic need to survive. Trained from a young age, many are groomed to become covert cyber operatives or IT contractors. Two individuals, using the aliases “Naoki Murano” and “Jenson Collins,” were found residing in Russia and are believed to be involved in infiltrating Western companies. They’ve been linked to a $6 million cryptocurrency theft.

The regime operates through shadowy IT entities like Chinyong, which positions agents in countries like China, Laos, and Russia. These agents gain trust within blockchain and cryptocurrency projects, ultimately diverting digital assets back to Pyongyang. Since 2017, North Korea has reportedly funneled tens of millions of dollars through such schemes—prompting U.S. sanctions for financing weapons development (see: US Sanctions North Korean Entities for Sending Regime Funds).

The report states that North Korea’s cyber program has reached a pivotal stage, with its tactics becoming more aggressive and unpredictable. The regime now deploys techniques ranging from supply chain attacks to financial sector infiltration and even online propaganda. DTEX researchers noted that these operatives are so deeply integrated into major cryptocurrency and Web3 initiatives that, “it would seem that every other Web3 project has a North Korean on the payroll.”

“The threat of unintentionally hiring North Korean IT workers is larger than most people realize,” Kevin Mandia, founder and former CEO of Mandiant, said in a statement accompanying the report. “Its cover is global and active right now - which is why the industry and government need to work together to come up with solutions to counter the threat.”

The study also challenges the notion that North Korean cyber operatives follow rigid roles. Instead, many shift between missions, take on leadership responsibilities, and reuse false identities—suggesting a highly adaptive and fluid structure.

Past investigations have revealed that North Korean attacks on European tech firms were often facilitated by individuals operating from the U.S. and the U.K. An April report by Mandiant warned of increasing attempts by North Korean IT workers to secure positions in defense and government agencies, with U.S. businesses being their primary focus—even as operations grow across Europe (see: North Korean IT Scammers Targeting European Companies).

Michael Barnhart, the lead analyst behind the DTEX report, said his research is based on open-source intelligence, testimonies from defectors, blockchain forensics, and insights from Web3 infrastructure. He also leveraged proprietary datasets from unnamed partners to trace how North Korean agents shift money, access, and identities across borders.

“DPRK operatives are persistent,” Barnhart wrote, adding that North Korean cyber agents “do not take kindly to scrutiny” and “will try to uncover who is studying them and how.”