
North Korean crypto hackers got caught live — by fake laptops

by admin
3 December 2025
in Business



North Korean operatives were caught on camera, live, after security researchers lured them into a booby-trapped “developer laptop,” capturing how the Lazarus-linked crew tried to blend into a US crypto job pipeline using legitimate AI hiring tools and cloud services.

The evolution in state-sponsored cybercrime was reportedly captured in real time by researchers at BCA LTD, NorthScan, and the malware-analysis platform ANY.RUN.

Catching the North Korean attacker

Hacker News shared how, in a coordinated sting operation, the team deployed a “honeypot,” which is a surveillance environment disguised as a legitimate developer’s laptop, to bait the Lazarus Group.

The resulting footage offers the industry its clearest look yet at how North Korean units, specifically the Famous Chollima division, are bypassing traditional firewalls by simply getting hired by the target’s human resources department.

The operation began when researchers created a developer persona and accepted an interview request from a recruiter alias known as “Aaron.” Instead of deploying a standard malware payload, the recruiter steered the target toward a remote employment arrangement common in the Web3 sector.

When the researchers granted access to the “laptop,” which was actually a heavily monitored virtual machine designed to mimic a US-based workstation, the operatives did not attempt to exploit code vulnerabilities.

Instead, they focused on establishing their presence as seemingly model employees.

Building trust

Once inside the controlled environment, the operatives demonstrated a workflow optimized for blending in rather than breaking in.

They utilized legitimate job-automation software, including Simplify Copilot and AiApply, to generate polished interview responses and populate application forms at scale.

This use of Western productivity tools highlights a disturbing escalation, showing that state actors are leveraging the very AI technologies designed to streamline corporate hiring to defeat the hiring process itself.

The investigation revealed that the attackers routed their traffic through Astrill VPN to mask their location and used browser-based services to handle two-factor authentication codes associated with stolen identities.

The endgame was not immediate destruction but long-term access. The operatives configured Google Remote Desktop via PowerShell with a fixed PIN, ensuring they could maintain control of the machine even if the host attempted to revoke privileges.

Their commands were administrative: they ran system diagnostics to validate the hardware.

Essentially, they were not attempting to breach a wallet immediately.

Instead, the North Koreans sought to establish themselves as trusted insiders, positioning themselves to access internal repositories and cloud dashboards.
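
For defenders, the remote-desktop persistence step described above is one of the few points in this workflow that leaves a clear host artifact. The following is an added detection sketch, not code from the researchers or the article: it assumes the tool is Chrome Remote Desktop's Windows host, whose headless enrolment binary is `remoting_start_host.exe` and accepts a PIN on the command line, and it runs over constructed process-creation events.

```python
import ntpath
import re

# Assumptions (not from the article): enrolment binary name and PIN flag form.
HOST_BINARY = "remoting_start_host.exe"
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
PIN_FLAG = re.compile(r"(?:^|\s)-{1,2}pin(?:=|\s)", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style), placeholders only.
CRD = r"C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"host": "DEV-LAPTOP-01", "image": PS, "parent": EXPLORER,
     "cmdline": "powershell.exe -Command Get-ComputerInfo"},
    {"host": "DEV-LAPTOP-01", "image": CRD, "parent": PS,
     "cmdline": 'remoting_start_host.exe --code="<code>" --name=DEV-LAPTOP-01 --pin=<pin>'},
    {"host": "HELPDESK-07", "image": CRD, "parent": EXPLORER,
     "cmdline": 'remoting_start_host.exe --code="<code>" --name=HELPDESK-07'},
]

def classify(event):
    """Return None for unrelated events, else a finding with a severity."""
    if ntpath.basename(event["image"]).lower() != HOST_BINARY:
        return None
    scripted = ntpath.basename(event["parent"]).lower() in SCRIPT_PARENTS
    fixed_pin = bool(PIN_FLAG.search(event["cmdline"]))
    if scripted and fixed_pin:
        severity = "high"      # unattended enrolment with a preset PIN
    elif scripted or fixed_pin:
        severity = "medium"    # one of the two signals; needs analyst context
    else:
        severity = "info"      # interactive enrolment, e.g. sanctioned helpdesk use
    return {"host": event["host"], "severity": severity,
            "scripted_parent": scripted, "pin_on_cmdline": fixed_pin}

def triage(events):
    """Classify all events and return findings, most severe first."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = [f for f in map(classify, events) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On a fleet where remote-desktop hosts are not sanctioned at all, any finding is worth review; the severity tiers matter mainly where helpdesk use is legitimate.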

A billion-dollar revenue stream

This incident is part of a larger industrial complex that has turned employment fraud into a primary revenue driver for the sanctioned regime.

The Multilateral Sanctions Monitoring Team recently estimated that Pyongyang-linked groups stole approximately $2.83 billion in digital assets between 2024 and September 2025.

This figure, which represents roughly one-third of North Korea’s foreign currency income, suggests that cyber-theft has become a sovereign economic strategy.

The efficacy of this “human layer” attack vector was devastatingly proven in February 2025 during the breach of the Bybit exchange.

In that incident, attackers attributed to the TraderTraitor group used compromised internal credentials to disguise external transfers as internal asset movements, ultimately gaining control of a cold-wallet smart contract.

The compliance crisis

The shift toward social engineering creates a severe liability crisis for the digital asset industry.

Earlier this year, security firms such as Huntress and Silent Push documented networks of front companies, including BlockNovas and SoftGlide, that possess valid US corporate registrations and credible LinkedIn profiles.

These entities successfully induce developers to install malicious scripts under the guise of technical assessments.

For compliance officers and Chief Information Security Officers, the challenge has mutated. Traditional Know Your Customer (KYC) protocols focus on the client, but the Lazarus workflow necessitates a rigorous “Know Your Employee” standard.

The Department of Justice has already begun cracking down, seizing $7.74 million linked to these IT schemes, but the detection lag remains high.

As the BCA LTD sting demonstrates, the only way to catch these actors may be to shift from passive defense to active deception, creating controlled environments that force threat actors to reveal their tradecraft before they are handed the keys to the treasury.
