
The North Korean hacker group Nickel Tapestry has found new ways to adapt its IT worker scams, including impersonating female applicants, and expanding its operations to target companies in Europe and Asia, new research finds.
As US employers become more adept at recognizing when fake applicants apply for remote IT jobs – mainly to steal trade secrets and make money for the North Korean government – the nation-state threat actors are simply stepping up their game in response.
That’s according to a new blog by the Sophos Counter Threat Unit Research Team, released on Thursday.
The threat researchers say they have not only observed “an increase in worker schemes targeting European and Japanese companies,” but also new evidence implying the group has been adapting their personas to evade detection.
“Remote hiring is making it harder to detect the growing threat of North Korean IT workers,” Sophos said, adding that the schemes have also “expanded into industries beyond tech.”
Remote hiring is making it harder to detect the growing threat of North Korean IT workers. The scheme has expanded to organizations in Europe and Asia, and into industries beyond tech – likely due to increased U.S. awareness. Learn more: https://t.co/fMeWypQNlZ
– Sophos (@Sophos), May 8, 2025
This has been specifically noted in relation to the ongoing North Korean IT worker fraud campaign known as “Wagemole,” which was discovered by security researchers at Unit 42 in 2023, but has been operating since 2018.
The expansion of Nickel Tapestry’s tactics and targeted countries is being attributed to the “increased awareness” among US businesses about the threat, as well as actions being taken by law enforcement to dismantle the group’s operations.
Evolving tactics and techniques
The threat actors associated with Nickel Tapestry – a group known for operating multiple “laptop farms” of North Korean IT workers and for using “stolen or falsified” US identities to carry out its schemes – have now started impersonating “Vietnamese, Japanese, and Singaporean professionals” to infiltrate both the US and Japanese job markets, the Sophos research found.
Sophos said that, historically, Nickel Tapestry was known to seek out positions requiring “web and blockchain software development skills, applying for roles in a wide range of industries.” But in 2025, the group appears to have expanded its job search to include cybersecurity roles, and it has increasingly been seen using female personas to bid for jobs.
To create a stable of fake applicants, “the threat actors often digitally manipulate photos, adding them to falsified resumes and LinkedIn profiles,” typically by overlaying stock photos with real images of themselves.
Furthermore, Sophos said Nickel Tapestry has added generative AI to its hacker toolbox, using the technology to write, image-edit, and build the resumes.
Other shady practices include the use of “mouse jigglers, VPN software, workarounds to circumvent default system font and language settings, and KVM over IP (remote keyboard, video, and mouse control) for remote access,” with several impacted organizations reporting the use of long Zoom calls for screensharing, some more than eight hours long, researchers said.

Last fall, Nickel Tapestry workers were further observed not only stealing the victim company's trade secrets, but also attempting to extort the companies for profit, a new tactic not seen before.
“Extortion resulting from theft of source code and intellectual property is an ongoing threat from Nickel Tapestry, especially after a fraudulent worker has been terminated,” Sophos said. “The theft of data may occur within days of being hired and only used for coercion after employment has ended,” it said.
Sophos researchers stressed that organizations should remain alert and rely on human vigilance to protect themselves.
They suggest HR departments and recruiters “establish enhanced identity verification procedures as part of their interview process, and be regularly updated on the latest tactics used in these campaigns.”
Additionally, Sophos said cybersecurity teams should always be on the lookout for traditional insider threat activity, suspicious usage of legitimate tools, and impossible travel alerts to detect activity often associated with fraudulent workers.
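One concrete form of the impossible-travel check mentioned above is to compare consecutive logins per user and flag any pair whose implied speed no human could achieve. The code below is an added example and is not Sophos' own tooling; the login events, coordinates and the 1,000 km/h threshold are constructed assumptions, and a real pipeline would derive the coordinates from GeoIP lookups on the source IP.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events (assumption, not data from the report):
# (user, UTC timestamp, source country, latitude, longitude).
SAMPLE_LOGINS = [
    ("jdoe", "2025-05-08T13:00:00", "US", 40.71, -74.01),    # New York
    ("jdoe", "2025-05-08T14:30:00", "CN", 41.80, 123.43),    # Shenyang, 90 minutes later
    ("asmith", "2025-05-08T09:00:00", "US", 37.77, -122.42), # San Francisco
    ("asmith", "2025-05-08T17:00:00", "US", 34.05, -118.24), # Los Angeles, 8 hours later
]

MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed ceiling: roughly commercial air travel
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, previous country, next country, implied km/h) for every
    consecutive login pair of one user whose implied speed exceeds the ceiling."""
    alerts = []
    last_seen = {}  # user -> (datetime, country, lat, lon)
    for user, ts, country, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        now = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev is not None:
            ptime, pcountry, plat, plon = prev
            hours = (now - ptime).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            # Same-instant logins far apart are impossible too; same-instant logins
            # from (roughly) one place are just duplicates, not alerts.
            if hours > 0:
                speed = dist / hours
            else:
                speed = float("inf") if dist > 50 else 0.0
            if speed > max_speed_kmh:
                alerts.append((user, pcountry, country, round(speed)))
        last_seen[user] = (now, country, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

Alerts from a check like this are a starting point for analyst review, not proof of fraud: VPN egress and corporate proxies produce the same pattern, which is exactly why the report pairs the alert with scrutiny of VPN and remote-access tooling.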
In November, the FBI was able to seize multiple IT worker front company domains, all reportedly traced back to the Democratic People's Republic of Korea (DPRK).
The front companies were found impersonating legitimate US tech outsourcing firms in hopes of enticing US companies to hire their so-called workers.
Microsoft, warning of the proliferation of the North Korean worker scams at last year’s CYBERWARCON conference, said the DPRK’s decade-long “computer network exploitation capability” has enabled the communist government to “steal billions of dollars in cryptocurrency, as well as target organizations associated with satellites and weapons systems,” via multiple zero-day vulnerabilities.
The illicit funds collected by the DPRK are believed to be used by the government to support the North Korean military, weapons and nuclear programs.