Particle.news

Compromised Device Reveals North Korean IT Operatives Used 30 Fake Identities in $680K Crypto Hack

Metadata from Google Drive exports and expense spreadsheets provide an unprecedented look at how DPRK operatives use AI tools and rented hardware to win remote developer roles

Overview

  • The compromised laptop detailed expense logs for fake Social Security numbers, AI subscriptions, VPNs, proxies and computer rentals tied to each fabricated identity.
  • Exports from Google Calendar, Sheets and Docs showed a five-person cell maintaining scripted backstories and schedules across more than 30 personas.
  • AnyDesk remote-access sessions and VPN routing through Russian relays masked the operatives’ true locations, while Chrome browser history on the device confirmed their North Korean origin.
  • One Ethereum wallet on the device was traced to the June 2025 Favrr breach that siphoned $680,000, with earnings funneled through Payoneer before conversion to cryptocurrency.
  • Analysts say weak ID verification on hiring platforms and limited public–private data sharing have allowed similar DPRK infiltration schemes to persist despite recent DOJ and FBI disruptions.