Cybersecurity firm Sophos has revealed new developments in a long-running scheme involving fraudulent IT workers linked to North Korea. Known as Nickel Tapestry, the group has reportedly widened its operations to include more organizations in Europe and Asia.

Tracked under the campaign name Wagemole, the operation began as early as 2018, with infrastructure evidence tracing some activities back to 2016. Sophos said the group’s methods and targets have evolved in response to growing awareness in the United States.

“We’re now seeing more activity in Europe and Japan as US-based companies become better at detecting these fraudulent applications,” said Sophos in its report. “The attackers are quick to adapt to stay under the radar.”

These fake workers apply for remote roles while pretending to be professionals from countries such as Vietnam, Japan, Singapore, or the United States. Though many claim to have experience in software or blockchain development, they now target roles in various sectors, including cybersecurity. In 2025, there was also an uptick in applicants using female identities.

Shift toward data theft and extortion

Sophos noted that while earning a salary to support North Korean state interests remains the main goal, data theft and extortion have become secondary methods. In 2024, there were several reported attempts at extorting companies after stealing source code and other valuable information.

“Some of the extortion cases happen after the fraudulent worker has been let go,” Sophos said. “Stolen data may be kept in reserve and used to pressure companies later.”

The FBI released an advisory in January 2025 warning about this growing threat.

To get hired, the fake workers often manipulate images and documents using AI tools. They build convincing resumes and social media profiles with digitally edited photos, some of which blend stock images with real ones.

“Generative AI has made it easier for these individuals to create realistic online profiles,” said Sophos. “That’s why human review is more important than ever during hiring.”

On-the-job activity and risks

Once hired, the fraudulent employees use various tools to stay active and hide their location. They have installed multiple remote management programs and used long Zoom calls to maintain access. Some push to use personal computers instead of company-issued devices, avoiding security controls.

According to Sophos, “They try to avoid using equipment that can be tracked or monitored. This increases the risk of data leaks and unauthorized access.”

Sophos recommends that companies strengthen their hiring checks and train HR teams to spot warning signs.

“Organizations should not rely on software alone,” Sophos said. “People play a key role in spotting and stopping these threats early.”
