Microsoft Suspends 3,000 Outlook and Hotmail Accounts Linked to North Korean IT Worker Scam Posing as Remote Employees - 2025 Crackdown

In July 2025, Microsoft suspended over 3,000 Outlook and Hotmail accounts tied to North Korea’s APT group "Jasper Sleet," who infiltrated Fortune 500 firms using fake identities and “laptop farms.” These operatives posed as remote IT freelancers to steal sensitive data and fund cyber and weapons programs. The action, coordinated with the U.S. Department of Justice, is part of a wider effort to curb global cyber espionage and protect organizations from insider threats disguised as legitimate remote workers.


In July 2025, Microsoft took a major step in global cybersecurity by suspending nearly 3,000 Outlook and Hotmail accounts. These accounts were tied to a North Korean IT worker scheme called “Jasper Sleet” (also known as Thallium). The move is part of a broader international operation involving the U.S. Department of Justice (DOJ), aimed at dismantling North Korea’s hidden cyber workforce, which has been secretly supporting the country’s weapons and surveillance programs.

What Was the Operation About?

The suspended accounts were operated by North Korean nationals who posed as freelance IT professionals working remotely for large U.S. and global companies—many of them Fortune 500 corporations. By blending into the remote tech workforce, they generated millions of dollars, which were allegedly funneled back to fund North Korea’s nuclear and cyber warfare capabilities.

How Did the Scam Work?

These operatives often used stolen or fake identities, and in some cases, rented U.S.-based laptops and IP addresses to appear as American workers. These setups, sometimes referred to as “laptop farms,” were used to trick companies’ HR and IT teams.

Key Tactics Used:

  • Fake resumes and social media profiles

  • Stolen personal details of real people

  • Use of anonymizing tools and VPNs

  • U.S.-based intermediaries to access employer systems

  • Remote desktop access via hired virtual machines or "rented" devices

By gaining trust, these imposters gained access to sensitive internal data, source code, and system infrastructure from the companies they worked for.

Why Microsoft Took Action

Microsoft identified that many of the tools used in these operations relied on Outlook.com and Hotmail.com email addresses. These email accounts were used to:

  • Communicate with employers

  • Register for job portals

  • Set up fake online identities

  • Receive payments from freelance platforms

By shutting down these 3,000+ accounts, Microsoft aimed to disrupt communication channels and break the digital infrastructure that enabled the scam.

Who Is Jasper Sleet?

Jasper Sleet, also known by cybersecurity firms as Thallium, is a North Korean advanced persistent threat (APT) group. They specialize in espionage, cyberattacks, and financial theft. Over the past few years, they have:

  • Infiltrated tech companies

  • Stolen cryptocurrency

  • Distributed spyware via phishing emails

  • Targeted government and defense systems

This recent operation shows their evolution into stealthy employment fraud, allowing them to bypass sanctions by working within the global economy.

What Are Laptop Farms?

“Laptop farms” are physical locations in the U.S. or other Western countries where devices are leased or rented out to foreign workers who want to appear as local employees. These setups help:

  • Mimic local IP addresses

  • Appear on U.S. networks

  • Bypass geofencing and fraud detection

  • Make background checks appear clean

Microsoft’s findings suggest that some American-based laptop farms were unknowingly helping these operatives by leasing resources without understanding their end use.

DOJ’s Global Crackdown

This suspension was coordinated with the U.S. DOJ’s larger crackdown on North Korea’s shadow IT force. This includes:

  • Sanctions on entities aiding Jasper Sleet

  • Seizure of email accounts and domains

  • Indictments of middlemen involved in laundering payments

  • Warnings to companies that may have unknowingly hired these operatives

What This Means for Businesses

The case highlights how critical insider threats and remote work security have become. Companies must:

  • Verify employee identities thoroughly

  • Monitor login behavior and access logs

  • Use strong endpoint protection

  • Educate HR and IT teams on fraud risks

  • Audit freelance platforms and contractor vetting processes

How to Stay Protected

To defend against these types of attacks and fraud schemes, organizations and individuals should:

✅ Use Multi-Factor Authentication (MFA)

Secure logins with an extra layer of protection.

✅ Monitor Unusual Access

Track login times, IP addresses, and device types.

✅ Vet Remote Workers

Use identity verification and video interviews.

✅ Disable Unused Accounts

Remove former contractors' access immediately after contracts end.

✅ Partner With Trusted Platforms

Use platforms that enforce KYC (Know Your Customer) policies.
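The monitoring advice above (track login times, IP addresses and device types) can be turned into concrete checks. The script below is an added example, not code from the article or from Microsoft; it runs three detections over a constructed set of remote-worker login events: the login IP geolocating outside the state HR has on file, one IP/device pair shared by several accounts (the laptop-farm pattern), and logins outside working hours in the worker's declared time zone. The HR records, UTC offsets and log events are all invented sample data.

```python
from collections import defaultdict

# Constructed sample data, not from the article: HR's record of each remote
# worker's declared home state, the UTC offset assumed for that state (fixed
# summer offsets for simplicity), and a handful of login events.
HR_HOME_STATE = {"alice": "TX", "bob": "NY", "carol": "CA", "dave": "WA"}
UTC_OFFSET = {"TX": -5, "NY": -4, "CA": -7, "WA": -7, "AZ": -7}

# (user, source_ip, state the IP geolocates to, device fingerprint, UTC hour)
LOGIN_EVENTS = [
    ("alice", "203.0.113.10", "TX", "dev-A1", 14),
    ("alice", "203.0.113.10", "TX", "dev-A1", 15),
    ("bob",   "198.51.100.7", "AZ", "dev-F9", 3),
    ("carol", "198.51.100.7", "AZ", "dev-F9", 4),
    ("dave",  "198.51.100.7", "AZ", "dev-F9", 5),
]

def location_mismatches(events, hr):
    """Users whose login IP geolocates outside the state HR has on file."""
    return sorted({u for u, _ip, state, _dev, _h in events if hr.get(u) != state})

def shared_endpoints(events, min_users=2):
    """(ip, device) pairs used by several accounts: one rented laptop serving
    several 'employees' is the laptop-farm pattern described in the article."""
    users = defaultdict(set)
    for u, ip, _state, dev, _h in events:
        users[(ip, dev)].add(u)
    return {k: sorted(v) for k, v in users.items() if len(v) >= min_users}

def off_hours_logins(events, hr, offsets, start=6, end=22):
    """Users logging in outside start..end local time of their *declared* state."""
    flagged = set()
    for u, _ip, _state, _dev, utc_hour in events:
        local = (utc_hour + offsets[hr[u]]) % 24
        if not start <= local < end:
            flagged.add(u)
    return sorted(flagged)

def risk_report(events, hr, offsets):
    """Map each user to the list of indicators that fired, for analyst triage."""
    report = defaultdict(list)
    for u in location_mismatches(events, hr):
        report[u].append("ip-geo mismatch vs HR record")
    for (ip, dev), users in shared_endpoints(events).items():
        for u in users:
            report[u].append(f"shares {dev}@{ip} with {len(users) - 1} other account(s)")
    for u in off_hours_logins(events, hr, offsets):
        report[u].append("login outside declared local working hours")
    return dict(report)
```

In the sample data only alice looks normal; bob, carol and dave all log in from one Arizona IP and device, which is the signal worth an HR and IT follow-up rather than an automatic block.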

Conclusion

The suspension of these 3,000 Outlook and Hotmail accounts is not just about email—it represents a global cybersecurity battle. North Korean cyber operatives are using remote work culture, cloud tools, and digital freelancing to slip into organizations undetected. As companies go remote and global, the need to verify identities, monitor networks, and enforce zero-trust principles is more important than ever.

Microsoft’s action, combined with DOJ's crackdown, serves as a strong reminder: Cybersecurity isn't just about firewalls—it's about people, policies, and proactive vigilance.

FAQs:

What is the Jasper Sleet operation?

Jasper Sleet is a North Korean APT group targeting global firms by posing as remote freelance IT workers.

Why did Microsoft suspend 3,000 accounts?

Microsoft suspended the accounts to stop North Korean operatives from using them for cyber espionage and fraud.

Who is behind the remote IT worker scam?

The operation is run by North Korean hackers, known as APT36 or Thallium.

What types of accounts were suspended?

Microsoft suspended Outlook.com and Hotmail.com accounts involved in the operation.

How did the attackers hide their identity?

They used fake or stolen identities and sometimes relied on U.S.-based “laptop farms” to appear legitimate.

What is a laptop farm?

A laptop farm is a facility where attackers lease real devices and internet connections to pose as local workers.

How much data did the operatives steal?

While exact amounts vary, millions of dollars and sensitive data were potentially stolen and exfiltrated.

What industries were affected?

Targeted sectors include Fortune 500 firms across tech, finance, defense, and more.

Did the attackers use freelancing websites?

Yes, they posed as freelancers on remote work platforms to get hired under false identities.

How does this scam support North Korea?

The money and access gained were funneled back to fund North Korea's cyber and weapons programs.

What tools did the attackers use?

They used Outlook, VPNs, anonymizing tools, fake LinkedIn profiles, and cloud services.

Is this attack ongoing in 2025?

Yes, despite takedowns, similar campaigns remain active as of 2025.

What are some warning signs for employers?

Unusual login locations, inconsistent identities, and device/IP mismatches are key indicators.

How can organizations protect against this?

Use MFA, identity verification, behavioral monitoring, and zero-trust principles.

What action did the DOJ take?

The U.S. Department of Justice coordinated global enforcement and account takedowns with Microsoft.

How do attackers bypass geofencing?

They use VPNs and laptop farms to spoof locations and blend in with local traffic.

What is APT36?

APT36, also known as Jasper Sleet or Thallium, is a North Korean cyber espionage group.

What role did Hotmail play in the attack?

Hotmail accounts were used for communication, identity management, and fraud.

Can businesses check if they hired one of these operatives?

Yes, internal audits and digital forensics can uncover suspicious login histories and behavior.

What email subject lines were used by the attackers?

Subjects often resembled onboarding, HR verification, and project delivery notices.

Is this considered an insider threat?

Yes; although they are external actors, they pose as insiders by working within the company.

Are there tools to detect this kind of fraud?

Yes, behavior analytics, endpoint detection, and identity verification tools can help.

Can freelancers be safely hired online?

Yes, with thorough vetting, background checks, and identity validation.

What is the role of MFA in protection?

Multi-Factor Authentication reduces the chances of unauthorized access by requiring multiple identity checks.

Is Microsoft still monitoring similar activities?

Yes, Microsoft continues proactive monitoring and reporting suspicious activities to authorities.

Can VPN detection help?

Yes, monitoring for unusual VPN activity can flag potential misuse.

What is zero-trust architecture?

It’s a security model that assumes no user or device is trustworthy by default, requiring continuous validation.

Can cloud access be controlled better?

Yes, with cloud access security brokers (CASBs) and strict access policies.

Will attackers shift to other platforms now?

Possibly, which is why cross-platform vigilance is essential.

What should companies do next?

Review freelancer policies, audit cloud activity, retrain staff, and improve identity verification.
