Hackread reports that a suspected North Korean operative managed to slip through hiring checks for a Western company last year, only to be caught within 10 days when a routine login from St. Louis, Missouri, broke with the worker's established pattern of connecting from China.
According to research from LevelBlue's SpiderLabs shared with Hackread.com, the individual was hired on Aug. 15, 2025, and given access to sensitive Salesforce data before behavioral analytics and crowdsourced threat data flagged inconsistencies. The operative used Astrill VPN to hide their actual location, a tool researchers noted is a "high-fidelity indicator" of North Korean activity, previously tied to groups like Lazarus. The company revoked the worker's Entra ID account by Aug. 25, shutting down the threat before any damage occurred.
Joint research from Flare and IBM X-Force describes such workers as part of an organized, state-sponsored ecosystem, often graduates of elite Pyongyang universities, managed through internal platforms, and earning upwards of $300,000 annually to fund the regime's weapons programs.
Researchers warn that remote hiring expands the risk, urging companies to verify login locations against reported addresses and watch for unauthorized VPN use during onboarding.
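An added example, not from the original article or the researchers: one way to run the two checks recommended above (login location against reported address, unapproved VPN use) alongside the pattern-break signal that exposed the worker. The record fields, the reported addresses, `CorpVPN` and the `min_baseline` threshold are assumptions, and the sign-in rows are constructed.

```python
from collections import Counter

# Constructed sign-in records, not logs from the incident. Field names are
# hypothetical; "vpn" is assumed to be filled in by an IP-enrichment feed.
SIGNINS = [
    {"user": "new.hire", "day": 1, "country": "CN", "region": "", "vpn": "Astrill"},
    {"user": "new.hire", "day": 2, "country": "CN", "region": "", "vpn": "Astrill"},
    {"user": "new.hire", "day": 3, "country": "CN", "region": "", "vpn": "Astrill"},
    {"user": "new.hire", "day": 4, "country": "US", "region": "MO", "vpn": None},
    {"user": "staff", "day": 1, "country": "US", "region": "CA", "vpn": "CorpVPN"},
    {"user": "staff", "day": 2, "country": "US", "region": "CA", "vpn": "CorpVPN"},
    {"user": "staff", "day": 3, "country": "US", "region": "CA", "vpn": "CorpVPN"},
    {"user": "staff", "day": 4, "country": "US", "region": "CA", "vpn": "CorpVPN"},
]
# Constructed HR data: the article does not state the worker's reported address.
REPORTED = {"new.hire": ("US", "MO"), "staff": ("US", "CA")}
APPROVED_VPNS = {"CorpVPN"}  # hypothetical company-approved VPN


def review_signins(signins, reported, approved_vpns, min_baseline=3):
    """Return (user, day, reason) findings for onboarding sign-in review."""
    findings = []
    history = {}  # per-user Counter of (country, region) seen so far
    for s in sorted(signins, key=lambda r: r["day"]):
        user, loc = s["user"], (s["country"], s["region"])
        seen = history.setdefault(user, Counter())
        # Check 1: VPN provider that the company has not approved.
        if s["vpn"] and s["vpn"] not in approved_vpns:
            findings.append((user, s["day"], "unapproved_vpn:" + s["vpn"]))
        # Check 2: sign-in location differs from the address given to HR.
        if loc != reported.get(user):
            findings.append((user, s["day"], "address_mismatch"))
        # Check 3: location never seen before, once a baseline exists.
        if sum(seen.values()) >= min_baseline and loc not in seen:
            findings.append((user, s["day"], "pattern_break"))
        seen[loc] += 1
    return findings


if __name__ == "__main__":
    for finding in review_signins(SIGNINS, REPORTED, APPROVED_VPNS):
        print(finding)
```

In this constructed data the day-4 sign-in matches the reported address yet still breaks the established pattern, which is why the baseline check runs alongside the address check rather than replacing it.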

North Korean hacker caught within days by geography slip




