Inside the DPRK Fake IT Workers Network: IP Ranges, Proxies, and Internal Coordination

2026-01-05 Kudelski Security

https://kudelskisecurity.com/research/inside-the-dprk-fake-it-worker-network-ip-ranges-proxies-and-internal-coordination

Kudelski Security links mail-dump material, Hudson Rock stealer logs, and public research to DPRK fake IT worker infrastructure and internal coordination. The excerpt maps Russian public IP ranges, a Hong Kong proxy pivot, and a private 192.168.91.x network containing Squid proxies, smart-proxy routing for Telegram traffic, PTC2 proxy pools, and reporting servers. IP Messenger chat artifacts show centralized coordination, internal identifiers, financial reporting URLs, and language patterns such as use of “Comrade,” while browser artifacts suggest multilingual work and possible remote access or target-country time-zone tracking. The infrastructure matters because it turns fake IT worker activity from an abstract fraud pattern into network segments, proxy roles, and coordination evidence defenders can compare against logs and stealer-derived artifacts.
