Spur released a list of roughly 2,400 Astrill VPN IP addresses active as of December 19, 2024 because DPRK-linked remote worker personas have used the service to hide their locations. The post says intelligence and threat-analysis teams have observed North Korean state actors infiltrating organizations worldwide to earn funds for the regime, and customer reporting continued to show fraudulent remote worker campaigns from Astrill VPN addresses. The data is intended to help hiring, identity, and security teams flag anonymized access patterns associated with DPRK IT worker fraud.