Researchers expose North Korean scheme to rent engineer identities for remote jobs

Security researchers say recruiters associated with the North Korean group Famous Chollima, also known as WageMole and linked to the Lazarus operation, have been targeting software developers to rent their identities in order to obtain remote jobs at Western companies. The activity was investigated by Mauro Eldritch, a hacker and threat intelligence specialist, together with his employer BCA LTD; Heiner García of the NorthScan initiative was also among the researchers involved.

According to the researchers, the campaign uses stolen identities, deepfake videos and other social engineering to bypass in-person or live-camera screening. A separate tactic recruits legitimate engineers as figureheads: those individuals appear in interviews under a fake identity supplied by the recruiters and receive a cut of the salary, typically 20%–35%, with larger payments offered if they let the recruiters access their computers to proxy malicious activity.

Eldritch, who led the Quetzal Team at Bitso, documented several encounters with these recruiters and published a series of posts detailing the interactions (1, 2, 3, 4, 5 and 6). The group also posted recruitment messages on GitHub offering to arrange technical interviews under fake identities for about $3,000 per month while promising interview assistance.

To study the operation, the researchers deployed a sandboxed laptop farm using the ANY.RUN malware analysis platform and created a staged candidate persona. The recruiters requested continuous remote access over AnyDesk and asked for personal data such as full name, visa status, address and social security number to pass background checks and KYC verification.

When the researchers allowed a remote connection, they observed the actor tunneling from a residential proxy and using Astrill VPN to mask their location; the team also cited a social-media post documenting this VPN usage (a tweet by Costin Raiu). The threat actor used AI-powered browser extensions to auto-fill applications and generate interview responses, employed OTP authentication tools and remote-desktop software, and, by enabling browser synchronization, exposed a linked Gmail inbox containing job-platform subscriptions and Slack workspaces.

The report identifies a core Famous Chollima cell of roughly six members using given names such as Mateo, Julián, Aaron, Jesús, Sebastián and Alfredo, and notes that multiple North Korean teams compete for recruits. The researchers say the information can help defenders anticipate behavior and improve detection of such social-engineering and identity-fraud workflows.