Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Matt Johansen Profile picture
@mattjay
May 28, 2024 12 tweets 4 min read Read on X
Scrolly
The DoJ just busted a massive scam involving North Korean IT workers infiltrating major US companies.

They had some help in the US and were posing as remote freelancers to siphon off money and sensitive info.

Holy crap, here's what we know:
How they operated:

North Korean operatives are stationed in countries like China, Russia, and parts of Eastern Europe and Southeast Asia.

They then use fake documents and buy accounts to get remote jobs in the States. Image
On May 16, the DOJ indicted five people connected to this scheme.

One is an Arizona woman who helped North Korean IT workers by validating stolen identities, making them look like US citizens. Image
This woman also hosted laptops from US companies to spoof locations

This bypassed any geofencing making it seem like the North Korean workers were based in the US. Image
The scheme has raked in millions of dollars in wages from over 300 companies.

This money likely supports North Korea's regime, including its nuclear weapons program, according to the FBI. Image
North Korea's government is highly motivated due to heavy international sanctions.

They've been behind major cyber heists like the $81 million stolen from Bangladesh Bank via the SWIFT system in 2016. Image
Facilitators, or "mules," are key players in this operation.

They manage multiple fake identities and handle risky tasks like job interviews and drug tests, then pass the credentials to the actual North Korean workers. Image
These facilitators make big money.

For example, a Ukrainian facilitator managed about 870 identities and hosted 80 computers, earning over $900,000 over six years. Image
The IT workers, often highly skilled, work under harsh conditions with strict oversight.

Their activities include cryptojacking, targeting security researchers(!!!), and other cyber attacks to fund the regime. Image
How does your company verify remote worker identities? Would your process stand up to this threat?
DoJ Source: justice.gov/opa/pr/charges…
I cover this and dozens more cybersecurity news stories ever week in my free newsletter.

Join over 12,000 other pros here: vulnu.xyz/tw

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Matt Johansen

Matt Johansen Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mattjay

Matt Johansen Profile picture
Oct 23
Woah. Trenchant, who develops zero-days and surveillance tools for Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand). Has had an insider accused of selling secrets to Russia. Image
Image
Former L3Harris/Trenchant GM Peter Williams charged with stealing trade secrets. DOJ claims he made $1.3M from the sale. Image
Timeline: Williams allegedly stole 7 trade secrets between Apr '22-Jun '25, and an 8th between Jun-Aug '25. He was Trenchant's GM from Oct '24 until Aug '25, operating out of DC. Image
Read 9 tweets
Matt Johansen Profile picture
Sep 29
This BBC reporter was offered 25% of a ransom payout if he gave hackers access to the corporate network.

He played along, so we got a look inside their tactics here: Image
Initial contact came to @JoeTidy via Signal from "Syndicate" offering 15% of potential ransom payment for access to BBC systems.

Offer later increased to 25% of what they claimed would be "1% of BBC's total revenue." Image
@joetidy Threat actor claimed to be a "reach out manager" for Medusa - a Ransomware-as-a-Service operation believed to operate from Russia/CIS region.

Group has hit 300+ victims in past 4 years per US cyber authorities.

(img: TheHackerNews) Image
Read 10 tweets
Matt Johansen Profile picture
Jun 17
Breaking: House Oversight's top Dem Rep. Lynch requests Microsoft provide info on DOGE staffer's GitHub repo.

It allegedly contains code to extract data from the NLRB's case management system. Image
Key context: This follows whistleblower Daniel Berulis's disclosure about ~10GB of data exfiltrated from NLRB's NxGen system.

DOGE engineer Jordan Wick's repo "NxGenBdoorExtract" was made private before investigation. Image
The alleged extraction code was hosted on Microsoft-owned GitHub.

Rep. Lynch specifically wants details about attempts to "conceal activities, obstruct oversight, and shield from accountability." Image
Read 8 tweets
Matt Johansen Profile picture
Jun 9
U.S. labs keep finding *undocumented* cellular radios hidden inside some Chinese-made solar inverters & battery packs

Those radios give the gear a second, undocumented path to the internet. Global governments are reacting already: 🧵 Image
Inverters already need remote access for firmware updates, so utilities put them behind firewalls.

A covert LTE module can hop right over that barrier, reach a cloud service in China, and issue commands the operator never sees.
Security teams have confirmed multiple makes and models with these extra radios in the last nine months.

The labs aren’t saying how many units they’ve torn down. Only that the problem spans *several* suppliers. Image
Read 15 tweets
Matt Johansen Profile picture
May 5
TeleMessage, the company behind the modified Signal client used by Trump admin officials, has been breached.

Attacker claims the hack took "15-20 minutes" with minimal effort. Image
TeleMessage creates modified versions of Signal/WhatsApp/Telegram that archive messages for gov agencies.

Recently made headlines when National Security Advisor Waltz was photographed using it. Image
A hacker accessed unencrypted message contents, contact info of gov officials, admin credentials, and customer data.

Notably includes CBP, Coinbase, and other financial institutions. Image
Read 10 tweets
Matt Johansen Profile picture
Apr 18
🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.

He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords

Media's coverage wasn't detailed enough so I dug into his testimony:Image
Who’s the whistleblower?

Daniel Berulis — a senior DevSecOps architect at the National Labor Relations Board (NLRB), formerly with TS/SCI clearance.

He just told Congress the Department of Government Efficiency (DOGE) pulled off a covert cyber op inside a federal agency. Image
DOGE demanded root access.
Not auditor access. Not admin.

They were given “tenant owner” privileges in Azure — full control over the NLRB’s cloud, above the CIO himself.
This is never supposed to happen. Image
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(