North Korean hackers exploit Russian internet infrastructure to fuel scams and weapons development

North Korea’s cybercrime operations are increasingly relying on internet infrastructure based in Russia, according to a new report from cybersecurity firm Trend Micro. The report linked North Korean-aligned hacking activity to IP address ranges associated with the Russian city of Khabarovsk and the nearby border village of Khasan, suggesting Moscow’s networks are becoming a critical backbone in Pyongyang’s sprawling web of online scams and cyberattacks.

Trend Micro researchers revealed that IP addresses assigned to a Khabarovsk-based organization, in a region historically friendly to North Korea, have been used to disguise cyber operations attributed to the group known as Void Dokkaebi, also referred to as “Famous Chollima.” The group is linked to major cyber thefts and advanced online deception campaigns orchestrated on behalf of the North Korean regime.

Khasan, a remote hamlet just over the border from North Korea, is home to the “Korea–Russia Friendship Bridge.” A major Russian telecom firm laid a fiber-optic cable across the bridge in 2017. Researchers say that hackers are exploiting this connection, using Russian IP addresses that are often masked through VPNs, proxies, or Remote Desktop Protocol (RDP) sessions to hide their activities.

The Void Dokkaebi group is part of a broader North Korean cyber strategy that has siphoned billions of dollars in stolen funds to sustain the regime’s nuclear weapons and missile programs. One notable heist included the $1.5 billion Ether theft from cryptocurrency platform Bybit earlier this year.

These hackers often pose as recruiters or IT firms to lure unsuspecting victims into malware-laced job interviews. One of their most effective fronts, a fake company called BlockNovas, maintained a professional-looking website and an active presence on platforms like LinkedIn and Upwork. The company recently advertised fake roles, including a senior software engineering position aimed at Ukrainian professionals. Last week, cybersecurity firm Silent Push released a more detailed report on three US-based businesses, BlockNovas, Softglide, and Angeloper Agency, used by North Korean hackers for cyber operations.

During interviews, victims were encouraged to download technical tasks infected with “BeaverTail,” a JavaScript-based backdoor hidden in software development packages, or other malware like “FrostyFerret” for macOS and “GolangGhost” for Windows. These tools enabled attackers to compromise webcams, steal credentials, and seize control of systems.

Astrill VPN, another tool often associated with North Korean cyber operations, was also used to mask traffic and obfuscate the origin of the attacks. Researchers discovered that the hackers leveraged remote management portals and deployed tools such as Hashtopolis, a distributed password cracking system, across internal BlockNovas domains.

Although BlockNovas claimed to be based in South Carolina, it had no corporate registration, and its listed address turned out to be an empty lot. US authorities seized the company’s domain on April 23 as part of a coordinated international crackdown on North Korean cybercriminals.


28 April 2025