DPRK Fake IT Workers Fraud Playbook
2026-02-24 • Kudelski Security
https://kudelskisecurity.com/research/dprk-fake-it-workers-fraud-playbook
Kudelski Security examines the DPRK fake IT-worker fraud ecosystem as a blended operation involving North Korean workers, recruited helpers, fake identities, and supporting cybercrime services. The excerpt says workers approach developers in countries including Iran, Syria, and South Africa through LinkedIn and WhatsApp, while U.S.-based “local persons” or “supporters” are recruited to provide identities for about $250. It describes use of data brokers and PSD identity files to bypass hiring, social-media, job-platform, and background-check verification, with DPRK workers controlling the document modifications. The report also links the ecosystem to developer-level access at sanctioned hosting service Funnull, Goedge CDN maintenance, and Tron/USDT cash-out practices, showing how DPRK IT-worker revenue generation intersects with broader cybercrime infrastructure.