The last time we saw a Chollima was in March, when he tried to hack me using one of the most creative pieces of malware I’ve seen lately.
He failed. We tricked him into joining a meet with me, and he was mocked and recorded.
We knew it was only a matter of time before they sent a bigger, meaner Chollima back looking for payback.
But there’s something worse than a big, bad Chollima.
And that’s two Chollimas.
Intro: Hack-A-Mole
You may think the Lazarus guys have it hard. Long working hours, a buggy boss who wants to nuke the world from time to time, some weirdos from the Quetzal Team calling you names like wet wipe or muppet, hurting your little nuky feelings. So far away is that dream life of being a government hacker superstar, working under the guise of evil cyber geniuses.
But there’s someone who has it worse. North Koreans who actually have to work for real. And I don’t mean those working in the everyday North Korean economy, I mean those Lazarus guys who actually have to hold a legit job. With a real boss. Real KPIs. Hiding from HR meetings you can’t really fake your way through, and offsites that… well, let’s say your passport might not be super cooperative about those.
These guys actually work 9 to 5 for a salary that ultimately goes to the regime. But they’re not victims. While doing so, they’ll take every single opportunity to conduct corporate espionage, and maybe even steal your funds.
These guys are the Famous Chollima division. But I’ve fallen in love with a name that takes away the glamour and fits them better:
Wage Mole(s).
The first interview: My name i-is Jo-José
I first heard of “José” the Mole after he applied for a Senior Software Engineer position at Bitso, and one of our Technical Interviewers raised an early warning, flagging the interview as suspicious.
José introduced himself as someone from Mexico, who had studied for five years at the University of Guadalajara and had over ten years in the market, working for a big pharma company, implementing HIPAA compliance from scratch, and basically acing everything related to Java, Spring Boot, and all the wizardry devs do.
But something didn’t quite add up.
“His English was good, but his Spanish, we can say, was ‘intermediate’.
There were lots of connection drops, he was having network issues.
He was an Asian-looking man.”
— Talent Acquisition Analyst
So, you lived in Mexico for years, studied a technical degree, worked over a decade in a Spanish-speaking country… and yet, your Spanish is just so-so?
We kept an eye on him. He was allowed to move forward with an async exercise as part of the interview process.
The longer he stayed in the loop, the better for everyone.
If he was genuinely applying, he’d eventually complete the process.
If he wasn’t… well, we’d keep him in the “process” for the intel.
The exercise: IllegalMoleException
The exercise was graded at 51%. For someone with that level of experience, completing an asynchronous coding challenge with such a result was more than suspicious.
The technical interviewers were asked if there was still interest in moving forward.
They all agreed, not because of his potential, but because it was a good chance to study the subject more closely.
So we advanced to a monitored live-programming session.
The second interview: The cat is under the table
“José” joined the second round and that’s when things got even weirder.
“He doesn’t speak Spanish at all, and his English is barely passable, which doesn’t match his résumé or his years of experience.
He took at least 10 minutes just to log into the collaborative coding platform, which was literally a link emailed to him, nothing complex.
I onboarded a second interviewer just to double-check I wasn’t being biased, but she thought the same.
When asked for feedback or follow-up questions, the candidate simply replied: ‘What are your ongoing projects?’, which I obviously dismissed.
He barely speaks, and when he does, it’s muttering something we can’t even understand.”
— Technical Interviewers
What happened here? Did José just take a hit to his Broca’s area and become unable to speak English as he used to?
Was he simply having a shy day, or did the nerves get the best of him, making him forget his mother tongue?
“All of this is very weird. The interviewee disappears for minutes and doesn’t respond to emails right away.
He started off ok, but added a lot of fluff in certain classes and gave odd explanations when questioned.
He’s stuck writing mapping code instead of advancing through the exercise.
I believe he may be writing the test for someone else.”
— Technical Interviewer Notes
Or maybe, just maybe… this wasn’t José.
The backstage: Wage Moles
And that’s exactly what happened. There’s not just one José, there are two: one who acts as the frontman in the first interview, knows his way around with westerners, can speak a little in a second language (enough to pass a first screening); and a second, more technical one who plays ghost coder, solving exercises and challenges for the first José.
These muppets move, think, and act as a group. Separately, they each lack a critical skill to land the job, whether it’s language proficiency, technical ability, or even something as basic as common sense. Their weird behaviour isn’t a minor thing: remember, they come from a closed country, cut off from most of the world. Culturally and socially, this creates a noticeable gap, one that is easy to spot once you learn how to use it to your advantage. Ask them which cartoons they liked as a kid in the country they claim to be from. Ask about pastimes, hobbies, or whether they know a specific place in their town. You can even invent one and see if they fall for the trap.
We finally rejected the candidate, and he quickly deleted all his accounts: LinkedIn, WhatsApp, Telegram, all gone.
Happy ending?
Not quite.
Because what if I told you… there was actually a third José in this play?
Final Act: The Good, the Bad and the Ugly
There were three Josés all along. Let me explain.
These operatives almost always copy real people’s profiles across different platforms, mimicking every detail. When hunting back Wage Moles or Famous Chollimas, it’s trivial to stumble upon the real person they’re impersonating.
That’s why it’s crucial not to hunt them based on surface-level details like (copied) names or online portfolios, which are often stolen. Instead, focus on digital artefacts tied to the actor or under their control: phone numbers, email accounts, IP addresses, and so on. Even if disposable, those artefacts can still yield intel, while also helping you avoid disrupting the life of someone innocent whose identity has been cloned.
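The advice above, matching on actor-controlled artefacts instead of copied names, as an added example (not code from the original post): it screens applicant records against the email and phone published in the IOC section of this post. The record fields and sample applicants are constructed, and keeping only the last ten digits of a phone number is an assumption made for Mexican numbering.

```python
import re

# IOCs published in this post: artefacts under the actor's control.
IOC_EMAILS = {"oscarjj0924@gmail.com"}
IOC_PHONES = {"+522212528618"}

def norm_email(addr):
    """Canonicalise an address; Gmail ignores dots and +tags in the local part."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def norm_phone(num):
    """Digits only, last ten kept (assumption: 10-digit Mexican national number),
    so spacing and the legacy mobile '1' after +52 do not hide a match."""
    return re.sub(r"\D", "", num)[-10:]

EMAILS = {norm_email(e) for e in IOC_EMAILS}
PHONES = {norm_phone(p) for p in IOC_PHONES}

def match_artefacts(applicant):
    """Return which artefacts of a record hit an IOC. The name is never compared,
    so the real person whose identity was cloned is not flagged."""
    hits = []
    if norm_email(applicant.get("email", "")) in EMAILS:
        hits.append("email")
    if norm_phone(applicant.get("phone", "")) in PHONES:
        hits.append("phone")
    return hits

# Constructed applicant records (hypothetical field names and values).
APPLICANTS = [
    {"name": "Applicant A", "email": "Oscar.JJ0924+jobs@googlemail.com", "phone": "+52 33 5555 0100"},
    {"name": "Applicant B", "email": "b@example.com", "phone": "+52 1 221 252 8618"},
    {"name": "José", "email": "jose@example.org", "phone": "+52 33 5555 0101"},
]

def screen(applicants):
    """Map each applicant name to its matched artefacts, for analyst review."""
    return {a["name"]: match_artefacts(a) for a in applicants}

if __name__ == "__main__":
    for name, hits in screen(APPLICANTS).items():
        print(name, "->", hits or "no artefact match")
```

A hit is a lead for an analyst to review, not a verdict: disposable numbers get recycled, and a suffix match can collide across countries.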
In this story, the Bad José tried to scam us with his forked tongue, but failed.
The Ugly José hid behind him, buried in the shadows, showing only his claws to type out code as broken as his partner-in-crime’s alibi.
And the Good José?
Well, we won’t disclose his details for obvious reasons, but yes, we found him. And he truly earns the title. His identity was stolen along with his entire résumé. He’s an engineer, doing well in life, and an environmental activist in his community, something these muppets could never dream of.
And that’s exactly where these actors belong: buried in the ground, hiding from the light.
IOCs, Extras & A Hunter’s Note
Given the nature and recency of the incident, and in order to protect the identity of the original José, only partial IOCs will be disclosed.
Email: oscarjj0924@gmail.com
Phone: +522212528618 (WhatsApp, Telegram)
To compensate for this, and as thanks for reading this far, here’s a little extra.
The image of the Mole wearing a Mexican hat isn’t just satire, it’s actually a reference to a real profile picture used by the Mole on LinkedIn. A photo stolen from the original José, defaced with a Korean face clumsily pasted on top.
These campaigns are on the rise. Aside from the usual advice, I want to share a concern.
We have observed an interesting behaviour from Wage Mole operatives. They can copy and mimic every single detail of a LinkedIn account in little to no time. This suggests they may have developed a tool capable of using LinkedIn’s API or scraping its contents to automate that effort. We still lack full visibility and evidence on this matter, but it is something we are actively investigating.
Now the usual.
Stay safe.
Ask candidates to show ID in your interviews (any proctored exam does it, anyway).
Don’t get rekt.
And do not hesitate to stomp on those muddy moles.
Do not let them overrun the garden you worked so hard to make bloom.