There has been an increase in targeting of European and Japanese organizations in this campaign, likely as a result of increased awareness among U.S.-based organizations and actions taken to combat the threat. The origins of this campaign, publicly tracked as Wagemole, have been traced back to 2018, although infrastructure links suggest that NICKEL TAPESTRY has been conducting money-making schemes since at least 2016. Human resources staff and recruiters should be regularly updated on tactics used in these campaigns to help them identify potential fraudulent North Korean IT workers. While the threat actors’ primary objective is to obtain a salary that can fund North Korean government interests, a secondary method of revenue generation is data theft extortion.