The attack, discovered in mid-2024, was highly sophisticated and involved the hacker gaining legitimate access to the company by posing as a regular employee. Sygnia revealed the details in a statement released on Wednesday.
The investigation started when the FBI seized a company laptop during a raid on a suspected "laptop farm" — a setup where foreign workers use stolen identities to get remote jobs in the West.
Instead of hacking in from the outside, the North Korean attacker was hired and worked from inside the company. Using everyday tools like Zoom and basic network connections, the hacker was able to stay under the radar while gaining full access to sensitive company data through a corporate VPN and a company-issued laptop.
Sygnia’s experts found that the attacker created a secret control system on the laptop. This allowed them to move through the company’s internal network, run harmful software, and steal data — all while appearing to do normal remote work.
“The attacker didn’t break in; they were let in,” Sygnia stated in their report.
Shoham Simon, Sygnia’s senior vice president of cyber services, said the case is a powerful reminder that cyber threats can come from trusted insiders. “The attacker didn’t exploit a code vulnerability, but a trust vulnerability,” he explained.
Simon also highlighted that traditional cybersecurity tools often miss these types of attacks, which rely on normal-looking behavior. He urged companies to look beyond code and start monitoring unusual use of regular tools and network activity.
The incident raises serious concerns about how companies hire and monitor remote employees and shows how cybercriminals are adapting to the remote work era.