
North Korean IT Workers Hide Their IPs Using Astrill VPN


Security researchers have uncovered new evidence that North Korean threat actors, particularly the Lazarus Group, are actively using Astrill VPN to conceal their true IP addresses during cyberattacks and fraudulent IT worker schemes.

Silent Push, a cybersecurity firm, recently acquired infrastructure and logs from the Lazarus subgroup known as “Contagious Interview” or “Famous Chollima,” confirming the ongoing use of Astrill VPN in their operations.

The investigation revealed that the threat actors registered the domain “bybit-assessment[.]com” hours before the $1.4 billion ByBit cryptocurrency heist, using an email address previously linked to Lazarus Group activities.

Within the acquired logs, researchers identified 27 unique Astrill VPN IP addresses associated with test records created by Lazarus members during their infrastructure setup, further solidifying the group’s preference for this VPN service.
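The check the researchers describe, matching source addresses in infrastructure logs against a commercial VPN provider's egress ranges and counting the distinct VPN addresses that appear, can be reproduced in a few lines. The block below is an added example, not code or data from Silent Push or from the acquired Lazarus infrastructure: the CIDR ranges are RFC 5737 documentation space standing in for a real provider's published ranges, and the log lines are constructed in common log format.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges (RFC 5737 documentation space). These are NOT
# Astrill's real egress ranges; a real deployment would load the provider's
# ranges from a maintained ASN or threat-intel feed.
VPN_EGRESS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),  # covers .0 to .127 only
]

# Constructed sample access-log lines (hypothetical, not from the article).
# The 198.51.100.200 entry sits outside the /25 and must NOT be flagged; the
# last line has a malformed source field and must be skipped, not crash.
SAMPLE_LOG = """\
203.0.113.17 - - [20/Feb/2025:10:02:11 +0000] "POST /api/test-record HTTP/1.1" 200 512
192.0.2.44 - - [20/Feb/2025:10:03:48 +0000] "GET /assessment HTTP/1.1" 200 2048
203.0.113.17 - - [20/Feb/2025:10:05:02 +0000] "POST /api/test-record HTTP/1.1" 200 512
198.51.100.9 - - [20/Feb/2025:10:07:30 +0000] "POST /api/test-record HTTP/1.1" 201 640
198.51.100.200 - - [20/Feb/2025:10:09:15 +0000] "GET /robots.txt HTTP/1.1" 404 0
not-an-ip - - [20/Feb/2025:10:10:00 +0000] "GET / HTTP/1.1" 400 0
"""


def source_ip(line):
    """Return the leading source address of a CLF-style line, or None if unparsable."""
    token = line.split(" ", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_vpn_egress(ip_text, ranges=VPN_EGRESS_RANGES):
    """True if the textual address falls inside any of the configured VPN ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def flag_vpn_requests(log_text, ranges=VPN_EGRESS_RANGES):
    """Return (flagged_lines, counts) where counts maps each distinct VPN source
    address (as a string) to the number of requests it made."""
    flagged = []
    counts = Counter()
    for line in log_text.splitlines():
        ip = source_ip(line)
        if ip is None:
            continue  # malformed line: skip rather than abort the whole scan
        if is_vpn_egress(str(ip), ranges):
            flagged.append(line)
            counts[str(ip)] += 1
    return flagged, counts


if __name__ == "__main__":
    hits, vpn_ips = flag_vpn_requests(SAMPLE_LOG)
    print(f"{len(hits)} requests from {len(vpn_ips)} unique VPN addresses")
    for ip, n in vpn_ips.most_common():
        print(f"  {ip}: {n} request(s)")
```

The same loop applied to a registrar's or hosting panel's logs is what turns "these test records were created through a VPN" into a count of distinct VPN endpoints, and the provider's ranges are the only input that needs replacing.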

Sophisticated Obfuscation Techniques Uncovered

SecurityScorecard’s STRIKE team has mapped out the operational infrastructure used by the Lazarus Group, revealing a ...


Copyright of this story belongs to gbhackers, where the full text is published.