Fraudulent North Korean IT Worker Schemes: From Insider Threats to Extortion
2024-10-16 • Secureworks
https://www.secureworks.com/blog/fraudulent-north-korean-it-worker-schemes
Secureworks describes DPRK-linked IT worker schemes in which North Korean nationals use stolen or falsified identities to obtain jobs at Western companies, including organizations in the United States, the United Kingdom, and Australia. Recent cases escalated from revenue generation to insider theft and extortion, with one contractor exfiltrating proprietary data through a corporate VDI environment and later sending ransom demands with proof of stolen files. The report highlights laptop-farm logistics, delivery-address changes, personal laptop requests, Astrill VPN and residential proxy use, Chrome Remote Desktop, AnyDesk, and SplitCam as recurring tradecraft. Secureworks links several behaviors to NICKEL TAPESTRY and notes suspicious payment changes through digital payment services such as Payoneer.