The young developers are having the time of their lives. They pop open bottles of sparkling wine, eat steak dinners, play soccer together, and lounge around in a luxurious private swimming pool, all of their activity captured in photos that were later exposed online. In one picture, a man poses in front of a life-size Minions cardboard cutout. But despite their exuberance, these are not successful Silicon Valley entrepreneurs; they’re IT workers from the Hermit Kingdom of North Korea, who infiltrate Western companies and send their wages back home.
Two members of a cluster of North Korean developers, who allegedly operated out of Southeast Asian country Laos before being relocated to Russia by the beginning of 2024, are today being identified by researchers at cybersecurity company DTEX. The men, who DTEX believes have used the personas “Naoki Murano” and “Jenson Collins,” are alleged to have been involved in raising money for the brutal North Korean regime as part of the widespread IT worker epidemic, with Murano alleged to have previously been linked to a $6 million heist at crypto firm DeltaPrime last year.
For years, Kim Jong Un’s North Korea has posed one of the most sophisticated and dangerous cyber threats to Western countries and businesses, with its hackers stealing the intellectual property needed to develop its own technology, plus looting billions in crypto to evade sanctions and create nuclear weapons. In February, the FBI announced that North Korea had pulled off the biggest ever crypto heist, stealing $1.5 billion from crypto exchange Bybit. Alongside its skilled hackers, Pyongyang’s IT workers, who often are based in China or Russia, trick companies into employing them as remote workers and have become an increasing menace.
“What we’re doing isn’t working, and if it is working, it’s not working fast enough,” says Michael “Barni” Barnhart, a leading North Korean cyber researcher and principal investigator at DTEX. As well as identifying Murano and Collins, DTEX, in a detailed report about North Korean cyber activity, is also publishing more than 1,000 email addresses that it alleges to have been identified as linked to North Korean IT worker activity. The move is one of the largest disclosures of North Korean IT worker activity to date.
North Korea’s broad cyber operations can’t be compared with those of other hostile nations, such as Russia and China, Barnhart explains in the DTEX report, as Pyongyang operates like a “state-sanctioned crime syndicate” rather than more traditional military or intelligence operations. Everything is driven by funding the regime, developing weaponry, and gathering information, Barnhart says. “Everything is tied together in some way, shape, or form.”
The Misfits Move In
Around 2022 and 2023, DTEX claims both Naoki Murano and Jenson Collins—their real names are not known—were based in Laos and also travelled between Vladivostok, in Russia. The pair appeared among a wider group of possible North Koreans in Laos, and a cache of their photos were first exposed in an open Dropbox folder. The photos were discovered by a collective of North Korean researchers who often collaborate with Barnhart and call themselves a “Misfit” alliance. In recent weeks, they’ve posted numerous images of purported North Korean IT workers online.
North Korea’s IT workers are prolific in their activities, often trying to infiltrate multiple companies simultaneously by using stolen identities or creating false personas to try to appear legitimate. Some use freelance platforms; others try to recruit international facilitators to run laptop farms. While their online personas may be fake, the country—where millions do not have basic human rights or access to the internet—steers talented children into its education pipeline where they can become skilled developers and hackers. That means many of the IT workers and hackers are likely to know each other, potentially since they were children. Despite being technically adept, they often leave a trail of digital breadcrumbs in their wake.
Murano was first linked to North Korean operations publicly by cryptocurrency investigator ZachXBT, who published the names, cryptocurrency wallet details, and email addresses of more than 20 North Korean IT workers last year. Murano was then linked to the DeltaPrime heist in reporting by Coinbase in October. Members of the Misfits collective have shared photos of Murano looking pleased with himself while eating steak and a picture of an alleged Japanese passport.
