Recent research has uncovered the pivotal role of Russian internet infrastructure in facilitating North Korean cybercrime operations.
According to security analysts at Trend Research, multiple Russian IP address ranges primarily allocated to organizations in the towns of Khasan and Khabarovsk are being used as operational nodes for North Korea-aligned actors, notably the infamous Void Dokkaebi (Famous Chollima) intrusion set.
These operations are characterized by the use of commercial VPNs, proxy servers, and a vast ecosystem of Virtual Private Servers (VPS) accessed via Remote Desktop Protocol (RDP), which are leveraged to obscure the origin of malicious activities and to scale campaigns targeting Western IT professionals and cryptocurrency services.
Proximity to North Korea Facilitates Infrastructure Sharing
Khasan’s geographical proximity to the North Korea-Russia border (less than a mile away) and Khabarovsk’s economic and cultural ties to North Korea provide strategic advantages for infrastructure deployment.
Since 2017, when a fiber optic connection via the Korea-Russia Friendship Bridge was established, Russian telecom provider TransTelecom has been a critical upstream provider for North Korea, markedly increasing internet bandwidth available for cross-border cyber operations.

According to the report, Trend Micro telemetry indicates that North Korean IT professionals often operate remotely from Russia, China, Pakistan, and other locations, connecting periodically to North Korean infrastructure through a handful of Russian and DPRK IP addresses.
This hybridized, decentralized workforce underpins North Korea’s ability to conduct cyber operations at a scale that far exceeds the country’s paltry allocation of just 1,024 direct global IP addresses.
Sophisticated Anonymization Undermines Attribution and Detection
The technical sophistication of these operations is evident in their use of multi-layer anonymization.
Russian VPS nodes, hidden behind VPN and proxy layers, are routinely accessed over RDP, forming a web of obfuscated connections.
These endpoints are then used for a variety of cybercriminal activities, including interacting on recruitment platforms, laundering cryptocurrency, and brute-forcing digital wallets.
Secure communications are maintained through encrypted messaging services such as Skype, Telegram, Discord, and Slack, while exfiltration and storage leverage services like Dropbox.
Social engineering remains a core tactic. Analysis reveals that fictitious technology companies, most notably BlockNovas, are used to lure IT professionals, especially those in the cryptocurrency, Web3, and blockchain sectors, into fake online job interviews.
Applicants are instructed to download code or utilities hosted on reputable repositories; these covertly execute obfuscated scripts or malware such as BeaverTail and FrostyFerret.
In some cases, sophisticated AI-generated personas are deployed to further the deception, creating convincing CTO and developer profiles with robust social histories to solicit trust from victims.
Once a target’s system is compromised, credential harvesting, wallet emptying, and further lateral movement ensue.
In some cases, compromised endpoints are conscripted into the attackers’ anonymization infrastructure via legitimate proxy software like CCProxy.
Instructional videos discovered by analysts underscore the modular, scalable nature of these campaigns, providing step-by-step guides in non-native English for setting up malware C2 servers and password-cracking operations.
Law enforcement action is ongoing. In April 2025, the FBI seized BlockNovas’ fraudulent domain as part of an international crackdown on North Korean cyber actors.

Nonetheless, the persistent presence of North Korea-related campaigns using Russian IP ranges, corroborated by deep-dive technical indicators and attack telemetry, raises concerns of either tacit or active cooperation between Russian and North Korean entities.
Security experts caution that the continued evolution of Void Dokkaebi’s campaigns, supported by resilient Russian infrastructure, may soon extend beyond financial theft to espionage operations.
The use of isolated virtual environments and heightened vigilance during interview processes are strongly recommended to mitigate these sophisticated threats.
Failure to recognize and isolate these deceptive tactics could result in broader compromise of sensitive corporate and industry assets, as well as continued losses in the burgeoning cryptocurrency sector.
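One concrete form of the interview-time vigilance recommended above targets the download-and-execute step of the lure described earlier. The following Python script is an added example, not code from the article or from Trend Research; it assumes the interview task arrives as a Node.js project and inspects it, before anything is installed or run, for npm lifecycle hooks and obfuscation markers. The sample project it builds is constructed for illustration and contains no real malware.

```python
import json
import re
from pathlib import Path

# npm lifecycle hooks run on `npm install`, before the candidate opens a file.
# Assumption: the lure is a Node.js project; Python setup.py hooks are not covered.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Heuristics for obfuscated or stager-like code: (indicator name, regex).
INDICATORS = [
    ("eval_or_function_ctor", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("base64_decode", re.compile(r"atob\s*\(|b64decode\s*\(|['\"]base64['\"]")),
    ("long_encoded_blob", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
    ("shell_execution", re.compile(r"child_process|subprocess|os\.system")),
    ("remote_fetch", re.compile(r"https?://[^\s'\"]+")),
]

def scan_file(path: Path) -> list[str]:
    """Return the names of the indicators that fire on one source file."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS if rx.search(text)]

def scan_repo(root: Path) -> dict:
    """Collect install hooks from package.json and indicator hits per file."""
    findings = {"hooks": {}, "files": {}}
    manifest = root / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        findings["hooks"] = {k: v for k, v in scripts.items() if k in NPM_HOOKS}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in {".js", ".mjs", ".cjs", ".py", ".sh"}:
            hits = scan_file(path)
            if hits:
                findings["files"][path.relative_to(root).as_posix()] = hits
    return findings

def is_suspicious(findings: dict) -> bool:
    """An install hook combined with any indicator hit is a stop signal."""
    return bool(findings["hooks"]) and bool(findings["files"])

def build_sample_repo(root: Path) -> None:
    """Constructed sample: a harmless-looking task whose postinstall hook
    runs a base64-wrapped eval; no real malware is included."""
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps(
        {"name": "interview-task", "scripts": {"postinstall": "node lib/setup.js"}}))
    (root / "lib" / "setup.js").write_text(
        'const p = "' + "QUJD" * 60 + '";\neval(Buffer.from(p, "base64").toString());\n')
    (root / "index.js").write_text("module.exports = () => 'hello';\n")
```

Run `scan_repo` on the cloned task inside a disposable VM and treat `is_suspicious` returning true as a reason to stop before `npm install`; a clean result is not proof of safety, only the absence of these particular markers.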