• Following statements by MSMT member States, private sector entities (Google Threat Intelligence Group, Palo Alto Networks, Sekoia.io, and Upwork) briefed on the DPRK’s cyber activities and overseas IT worker schemes that violate UN Security Council resolutions.

• They outlined key operational methods used by the DPRK, including cyber-enabled revenue generation, illicit employment arrangements, and identity obfuscation techniques.

• In response to questions from the floor, the speakers further addressed the role of public–private partnerships, hiring and recruitment mechanisms, and the use of artificial intelligence in detecting and disrupting DPRK deception tactics, including the identification of fraudulent identities and covert IT worker networks.

<Summaries>

Google Threat Intelligence Group: “North Korea’s Crypto Heist Machine: From Social Engineering to Laundering”

• North Korean threat actors have stolen at least $2 billion in cryptocurrency since January 2025, accounting for at least 60% of all cryptocurrency thefts worldwide last year.

• Operations rely on a combination of social engineering, including email phishing, social media engagement, and IT workers applying for fraudulent employment under false pretenses.

• Recent tactics involve compromising software providers and services used by cryptocurrency entities, such as wallet providers and IT services.

• In the 1.5-billion-dollar Bybit heist, hackers compromised reserve account management software while tricking employees into approving transactions.

• The regime uses blockchain-based laundering tactics, including swapping between different types of cryptocurrencies and using mixers to hide the origin of stolen funds.

• Laundered cryptocurrency is converted into cash through a network of regime operatives and facilitators to support any of the regime's objectives.

Palo Alto Networks: “Getting a Job Is the Job: North Korea’s Industrialized Fake Hiring and Revenue Pipeline”

• For the North Korean regime, getting a job is their job, with thousands of citizens specifically trained for various parts of job-hunting campaigns.

• The system is a mechanized system honed over years of training to exploit how companies hire.

• The regime utilizes "identity mules" in country who willingly sell out their own identity to facilitate these hires across all six inhabited continents.

• Money that would have been fed back into local economies or paid as payroll taxes is instead remitted over to Pyongyang.

• This system will not go away until there is better international cooperation and cooperation with private industry to make the system harder to take advantage of.

Sekoia.io: “Hunter–Killer Teams Inside the Enterprise: North Korea’s Insider-Enabled Cyber Model”

• IT workers and attack units function as "Hunter Killer teams" (Hunter Killer teams), where IT workers act as an insider threat and perform reconnaissance for attack units.

• Recommended the implementation of corporate intelligence systems similar to anti-money laundering mechanisms.

• Companies must know their employees, identify disgruntled individuals, and rely upon unit cohesion.

• Employers should use their imagination to move people away from remote only situations and look at them face to face.

• Constant adaptation is necessary because these actors are adapting their TTPs relentlessly.

Upwork: “From Wigs to Weaponized Identity: North Korea’s Professionalized IT Worker Threat”

• North Korean IT workers have evolved from a rudimentary group using masks and wigs to a highly sophisticated, well-funded, and well-organized nation-state.

• The fundamental issue is "identity" and whether it can be moved physically or virtually.

• Facilitators are now able to bypass rigorous background checks and controls established by government advisories.

• In some cases, individuals hired for office-based roles have allowed North Korean IT workers remote access to the network to perform their work overnight.

• Job applicants are no longer competing against people with similar skills, but against professional facilitators whose sole role is to gain the job.

2 Response to Questions (by Speaker)

1. Public-Private Partnerships

Google Threat Intelligence Collaboration with the public sector is a mechanism for raising awareness and combating malicious activities. Operating unique digital infrastructure provides insights that allow for the design of specific protections when certain types of companies are targeted. Sharing information between sectors changes the game in combating North Korean cyber operations.

Sekoia.io Private sector collaboration functions like iron sharpening iron, where identifying bad actors and mapping out command and control infrastructure benefits all peers. Success is defined by interrupting an attack before it is detonated by sharing live, fresh artifacts.

Palo Alto Networks Developing the muscle for investigating incidents and making HR systems resilient is a result of concentrated work on this threat. Support is available to help the private sector become resilient free of charge. Establishing trust with governments is essential so that information sharing does not jeopardize victims but imposes costs on attackers. This open-ended, high-trust sharing should be replicated internationally between countries.

Upwork Relationships with government partners serve as a great barometer of how everyone is upping their game. Regular information sharing helps level-set whether internal processes and controls are on par with industry standards. From a policy level, a safe harbor for industry sharing is critical to allow information to flow without fear of adverse impacts from sanctions.

2. Hiring Mechanisms

Palo Alto Networks Making systematic changes from a government perspective is difficult because it may disrupt business. Working with technically versed experts to lower the threshold for threats entering systems is a better approach. Referral-based hiring and establishing actual relationships with candidates will likely make a comeback. ID verification is the number one piece of protection; validating that the person interviewed is the same person starting work with a legitimate government ID goes a long way.

Upwork Establishing a safe harbor for industry information sharing at the policy level is critical. Since the hiring process often spans multiple companies and platforms, having the ability to share data across the industry is a necessary move forward.

Sekoia.io Embrace inconvenience by mixing up hiring practices. This strategy ensures the organization remains a difficult target to fix for threat actors.

3. Use of AI

Palo Alto Networks Deep fake technology is incredibly accessible, but it remains detectable through machine learning based algorithms that look at pixels and formulation. This detection technology is comparatively low-cost and can be implemented directly into the hiring process to flag suspicious signals. It is also logical to deploy this software for any employee authorized to transfer money to prevent financial crime involving impersonation.

Google Threat Intelligence Group From a security research perspective, suspicious artifacts can be pushed back through generative AI models to assess if an image, resume, or document was modified or created by AI. This provides a low barrier to entry for investigating a large volume of activity at scale. In many cases, models are capable of detecting if they or other models were used to generate a document.

(Edited by DPRK Monitor)