North Korea's recent Nickel Tapestry IT worker scam was linked to a 2016 crowdfunding scheme, pointing to the possibility that the Democratic People’s Republic of Korea (DPRK) has been conducting similar cyber-financial operations for nearly a decade.
While the 2016 IndieGoGo crowdfunding campaign only brought in $20,000, a Jan. 15 Secureworks blog post said the initial “low-level” effort demonstrates an earlier example of DPRK threat actors experimenting with various money-making schemes.
“The technical connections between the DPRK IT worker campaigns and the crowdfunding efforts identified by SecureWorks are credible,” said Tom Hegel, senior threat researcher at SentinelOne. “Both campaigns relied on a shared pool of fake personas, with overlaps in technical registration data across the infrastructure supporting these operations. This provides strong evidence that the same threat actors were behind both efforts.”
Hegel said that even back in 2016, it was clear the DPRK was experimenting with different methods to secure illicit funds. Over time, Hegel said, the North Korean threat actors refined their tactics, and the IT worker approach has since proven a more sustainable and reliable revenue stream.
“Given their historical patterns of innovation in cybercrime, it's likely we'll continue to uncover past experiments by DPRK actors, as well as observe future adaptations,” said Hegel. “They've demonstrated a willingness to evolve based on what works, and we anticipate that their tactics will continue to shift as they explore new ways to bypass international sanctions and fund their regime.”
Callie Guenther, senior manager of cyber threat research at Critical Start, said the 2016 crowdfunding scam’s infrastructure link is significant because it demonstrates North Korea’s broader intent to develop layered cyber capabilities that blend operational objectives — ranging from direct financial gain to broader geopolitical goals.
“These operations suggest the involvement of established government entities such as the 313th General Bureau, tying cyber-enabled fraud directly to the state,” said Guenther, an SC Media columnist.
Stephen Kowski, field CTO at SlashNext Email Security, added that this newly revealed link to earlier schemes from 2016 shows that these groups simply adapt their methods and shift the burden onto victim organizations, which must bolster their defenses. Kowski said the DPRK has impersonated IT workers and run crowdfunding scams, all with one goal: securing stability and resources for its interests.
“This puts a burden back on private organizations and citizens to implement layered solutions that provide continuous analysis and automated threat prevention, making it much harder for them to slip through the cracks,” said Kowski. “In a very roundabout way, it’s a jobs program for both the DPRK and organizations defending against their attacks globally.”