Microsoft Suspends 3,000 Accounts Linked to North Korean Cyber Threats

Microsoft has taken a significant step in combating global cyber threats by suspending 3,000 Outlook and Hotmail accounts linked to North Korean IT operatives. These operatives were posing as freelance workers, infiltrating hundreds of Fortune 500 firms using stolen or fabricated identities. The move is part of a broader campaign by Microsoft's Threat Intelligence division to disrupt what it describes as a global fraud scheme.

The U.S. Department of Justice (DOJ) supported this crackdown with a coordinated enforcement action. Authorities seized laptops, closed 29 financial accounts, and took down nearly two dozen websites. Additionally, law enforcement raided 29 "laptop farms" in the U.S., where accomplices maintained devices used by North Korean IT workers operating remotely. In one notable case, a Maryland resident working in a nail salon was found to be holding 13 remote jobs executed by North Korean nationals based in China, reportedly paying out nearly $1 million.

The North Korean scheme involves trained IT professionals from the Democratic People’s Republic of Korea who apply for global tech jobs under false identities. While these workers often perform legitimate tasks, some companies have reported them as "some of their most talented employees." The U.N. estimates that this operation generates up to $600 million annually, with the FBI and DOJ believing that the revenue supports North Korea’s weapons programs. These workers are also said to share information with hackers responsible for large-scale cryptocurrency thefts.

Microsoft has confirmed that the operatives are now using AI tools to enhance their deception. They rely on software to polish job applications, swap faces on profile images, and mask accents using voice changers. This raises concerns that combining these technologies could allow future threat actor campaigns to trick interviewers, making it easier for operatives to bypass traditional screening during job interviews. Microsoft has developed a machine-learning tool to flag suspicious activity, including what it calls “impossible time travel risk detections,” which monitor login attempts between regions like the U.S. and China or Russia. The company continues to track the activity under the internal name “Jasper Sleet.”

This crackdown by Microsoft and the DOJ is part of a broader trend of increased cybersecurity efforts by major tech companies and governments worldwide. The removal of these fake accounts and the seizure of related equipment send a clear message to cybercriminals that their activities will not be tolerated. It also highlights the importance of collaboration between private companies and law enforcement agencies in combating cyber threats. As cyber threats continue to evolve, it is crucial for companies and governments to remain vigilant and take proactive measures to safeguard against these dangers.