
A new report from Sophos’ Counter Threat Unit has pulled back the curtain on a highly coordinated cyber deception campaign tied to North Korea. Operating under the name NICKEL TAPESTRY, this threat group has been secretly embedding fake IT workers into companies across the globe — all with the goal of funneling money and stolen data back to the North Korean regime.
The campaign, dubbed “Wagemole,” dates back to at least 2018, though infrastructure links hint at operations starting as early as 2016. In recent months, there’s been a notable shift: while U.S. companies were the primary targets, heightened awareness and defensive action have pushed the group to increase focus on organizations in Europe and Japan.
Fraud in disguise: How they’re getting in
The operation hinges on fraudulent job seekers, who impersonate professionals from countries like Vietnam, Japan, Singapore — and frequently, the U.S. They create convincing personas, complete with doctored LinkedIn profiles, fake resumes, and even altered photos.
These fakes aren’t amateurs. They’re well-versed in the job market and often present themselves as experienced developers, blockchain experts, or — more recently — cybersecurity specialists.
In 2025, investigators noted a spike in the use of female identities as part of these personas. The actors are constantly evolving to stay ahead of detection, shifting identities and strategies as needed.
The real motive: Salary and secrets
While the primary goal is simple — collect a salary and send it back to fund North Korea — the scheme has a more dangerous layer: data theft and extortion.
The FBI issued an advisory in early 2025 following several incidents in 2024 in which terminated workers demanded money in exchange for not leaking stolen source code or proprietary data. Alarmingly, in many cases the data had been exfiltrated within days of hiring and then held, unused, until a firing or a refusal to renew a contract triggered the extortion demand.
Beyond extortion, these operatives act as traditional insider threats. Their access can allow unauthorized entry into cloud systems, internal tools, or company secrets — sometimes even paving the way for other North Korean threat groups to exploit the same access.
Digital camouflage and remote evasion
Before they’re even hired, these operatives use AI tools to craft identities: photo manipulation, polished resumes, and even stock photos layered with their own images. Once inside, they employ a range of tactics to avoid detection, including:
- Mouse-jiggler apps to simulate activity
- VPNs and KVM-over-IP tools for hidden remote access
- Multiple RMM (remote monitoring and management) tools on a single device
- Long Zoom calls with continuous screen sharing
- Persistent requests to use personal computers instead of company-issued devices
That last tactic is especially risky — personal systems often lack corporate security protections, making them ideal for covert operations.
How to fight back
Countering this threat requires heightened human vigilance at every step — from recruitment to offboarding. Sophos CTU offers the following guidance:
During the Interview Process
- Demand verified ID, preferably in person at least once.
- Check LinkedIn and online footprints for consistency in name, appearance, and experience.
- Watch for resume clones or VoIP-linked contact info.
- Independently verify work history — don’t rely on references provided by the candidate.
- Ask casual, location-specific questions (e.g., “How’s the weather today?”).
- Note suspicious language skills in those claiming to be native English speakers.
- Conduct video interviews without virtual backgrounds or filters.
During Onboarding
- Confirm that the employee’s identity matches the applicant.
- Be cautious of last-minute shipping address changes for laptops.
- Deny requests to use personal devices for work.
- Check that banking info doesn’t route through money transfer services.
- Flag frequent or urgent payment info changes.
- Never allow prepayment of salaries or contracts.
After Hiring
- Restrict and monitor remote tools — only allow vetted access.
- Limit system access to what’s strictly necessary for the role.
- Be alert to refusals to turn on video, or background noise suggesting a call center environment.
- Track VPN usage, especially involving residential foreign IPs or Astrill VPN.
- Use endpoint detection and antivirus tools to monitor company laptops.
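As an added defender-side example (not code from the Sophos report), the following Python sketches how two of the indicators above, several RMM tools on one device and VPN sign-ins from residential IPs outside the employee's declared location, could be checked against an endpoint software inventory and a sign-in log. The RMM watchlist, host names, users and the declared-country field are assumptions, and every record is constructed sample data.

```python
"""Added detection example, not code from the Sophos report. Flags two of the
on-the-job patterns the article lists: several remote-access/RMM tools on one
device, and VPN sign-ins from residential IPs outside the employee's declared
country. All records below are constructed sample data."""
from collections import defaultdict

# Assumed watchlist of remote-access / RMM products (illustrative only; derive
# the real list from your own approved-software policy).
RMM_WATCHLIST = {"anydesk", "teamviewer", "rustdesk", "splashtop", "screenconnect"}

# Constructed software inventory: (hostname, installed program)
INVENTORY = [
    ("LT-1042", "Microsoft Teams"),
    ("LT-1042", "AnyDesk"),
    ("LT-1042", "TeamViewer"),   # second RMM tool on the same laptop
    ("LT-1042", "RustDesk"),     # third
    ("LT-2077", "Microsoft Teams"),
    ("LT-2077", "Slack"),
]
# Constructed VPN sign-in log:
# (hostname, user, country declared to HR, source country, residential IP?)
SIGNINS = [
    ("LT-1042", "jdoe", "US", "US", True),
    ("LT-1042", "jdoe", "US", "XX", True),    # residential IP abroad; "XX" is a placeholder
    ("LT-2077", "asmith", "US", "US", False),
]

def rmm_findings(inventory, watchlist=RMM_WATCHLIST, max_allowed=1):
    """Hosts running more than max_allowed watchlisted tools -> sorted tool names."""
    per_host = defaultdict(set)
    for host, program in inventory:
        if program.lower() in watchlist:
            per_host[host].add(program)
    return {h: sorted(t) for h, t in per_host.items() if len(t) > max_allowed}

def signin_findings(signins):
    """(host, user, source country) for residential sign-ins outside the declared country."""
    return [(h, u, src) for h, u, declared, src, residential in signins
            if residential and src != declared]

def prioritize(inventory, signins):
    """Correlate the two detections: both on one host -> 'high', one -> 'medium'."""
    hits = defaultdict(int)
    for host in rmm_findings(inventory):
        hits[host] += 1
    for host, _, _ in signin_findings(signins):
        hits[host] += 1
    return {h: ("high" if n > 1 else "medium") for h, n in hits.items()}

if __name__ == "__main__":
    print(prioritize(INVENTORY, SIGNINS))
```

On the sample data the correlated result is {'LT-1042': 'high'}: the laptop with three remote-access tools is also the one signing in from a residential IP abroad.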
Sophos isn’t the only group investigating this evolving threat. Researchers at Spur and Google have also tracked NICKEL TAPESTRY’s use of tools like Astrill VPN, and continue to uncover infrastructure used in these operations.
The bottom line: This isn’t just a technical threat. It’s a human deception campaign — and it’s succeeding because it blends in. Organizations must stay alert, verify thoroughly, and monitor continuously to prevent becoming the next unwitting financier of a hostile regime.