
In the third episode of The Phish Bowl podcast, my cohost Mike Kosak and I discuss cyber activities and trends that we’re tracking as cyber threat intelligence analysts. Every month we publish a rotating regional report that explores trends and threat activity, which serves as the foundation for the podcast and allows folks to dive deeper into threat activity. Last month, we covered Europe, and before that was the Asia-Pacific region.
This month, we are sticking with a “North” theme and talking about key findings from our recently published North America regional report and North Korean IT worker schemes. This month’s special guests, Grayson North and Justin Timothy, Principal Threat Intelligence Consultants from GuidePoint Security’s Research and Intelligence Team (GRIT), join us to talk about their cybercriminal research with a deep dive on infostealers (be sure to read our joint blog post!)
Important sidenote: You may judge us for our musical hot takes, but don’t knock ‘em ‘til you try ‘em. Mike’s firm opinion that Alice in Chains is the best grunge band may get some pushback from the Nirvana fans out there. And be warned that songs from the K-Pop Demon Hunter movie are phenomenal bops that will get stuck in your head, guaranteed.
North America remains the top global target
*Note: While North America is geographically composed of multiple countries, this report focuses exclusively on the United States and Canada. This narrowed scope is intentional and based on several considerations, including data availability and consistency, audience, and scope management.
North America is the top targeted region globally and faces a significant, pervasive threat from cyberespionage and financially motivated attacks. It’s an attractive target due to its strong economy, extensive digital infrastructure, and large consumer market. North America was the second most investigated region of all reported incidents in 2024. We wanted to highlight two key trends from this report: the pervasive nature of ransomware threats and the steep costs associated with data breaches in the US.
The US was by far the most targeted country by ransomware in H1 2025, with over 2,000 attacks, while Canada saw 249. GuidePoint Security's report on ransomware in Q2 2025 backed up this trend, finding that about 50% of ransomware attacks targeted the US. Notably, the North American victims listed on ransomware data leak sites (DLSs) were primarily small and medium-sized businesses (SMBs), indicating a shift by attackers from large enterprises toward smaller organizations. SMBs are typically seen as low-hanging fruit because of their historically weaker security infrastructure and smaller cybersecurity budgets compared to larger entities.
We also wanted to call out the cost of data breaches. IBM recently published its Cost of a Data Breach Report, which counts the costs of breach-related detection and escalation, notification, post-breach response, and lost business. IBM found that the average cost of a breach in the US grew to more than $10 million, driven in part by steeper regulatory penalties and rising detection and escalation costs. This is in stark contrast to the global average cost of a data breach, which fell to $4.88 million, and to the Canadian average of $4.66 million.
North Korean IT worker scheme
To raise funds for the regime, the DPRK runs a state-sponsored scheme in which its operatives infiltrate Western companies as remote employees to gain access to intellectual property, steal cryptocurrency, and route their salaries back to the regime. Typically, the operatives recruit real Americans (or nationals of whichever country they are targeting) to run laptop farms and lend or sell their identities, so that the North Korean workers can operate from abroad while appearing to be based in the US.
This sounds like a lot of effort for a state to go to, but it is quite lucrative, especially given North Korea's dismal economic outlook, the result of international sanctions imposed to curb its nuclear program and a stagnant economy (apart from its apparently thriving wig industry, according to Mike).
AI is also a key element of these operations, making them more convincing. The operatives use AI to write resumes free of grammatical or spelling errors, generate profile images for LinkedIn, obscure or replace their real faces with deepfake software during video interviews, and mimic cultural fluency.
The scheme puts companies at risk of violating sanctions when they unknowingly hire and pay a DPRK worker. A good example is KnowBe4, which has been upfront and transparent about its experience detecting fake North Korean employees and job applicants. It has shared campaign details, including tactics, techniques, and procedures (TTPs), so other companies can protect themselves against this threat.
Digital identity theft drives cybercrime
LastPass Threat Intelligence, Mitigation, and Escalations (TIME) and GuidePoint Security’s GRIT Threat Intelligence teams recently published a joint report to highlight the infostealer threat. Grayson and Justin from GuidePoint Security joined us as special guests to dive into what makes infostealers particularly dangerous, how they operate in the cybercriminal ecosystem, and a couple of things you can do immediately to shore up defenses against infostealers. Check out the full report for more in-depth analysis.
Infostealers have been a major driver of cybercrime activity. The threat is not unique to North America, but credential harvesting is widely prevalent there, featuring in 40% of reported incidents in the region, according to IBM. Between stealers' high attack volume and growing sophistication, this threat will remain one of the key challenges to securing identity.
Browser targeting is the natural progression of credential-stealing malware; infostealers are its modern form. Nearly everything we use is delivered as Software-as-a-Service (SaaS), so the credentials and sessions for those services are the obvious target. Grayson and Justin also highlighted that infostealers are increasingly going after session tokens. A stolen token lets an attacker resume an already-authenticated session without the password or a second factor, which is why threat actors discuss session tokens as the next natural target for maintaining unauthorized access as passkeys and MFA become more common.
How to protect yourself against infostealers?
Justin and Grayson shared some suggestions on how folks can do more than the bare minimum to protect their accounts. As they pointed out, the human element is the weakest link in cybersecurity. The odds are stacked against us, but doing more than just the basics is often enough to avoid becoming the victim of a cyberattack.
- Use a password vault: Keeping credentials out of the browser's built-in password store removes one of the infostealer's primary harvest targets and limits the damage a single compromised browser can do. It doesn't eliminate the threat, but it is a step in the right direction.
- Implement MFA: Without a second factor, threat actors can log in with stolen credentials alone. MFA blocks password-only logins, though a stolen session token issued after authentication can still sidestep it, so monitor for sessions reused from unfamiliar clients.
Hackers can breach and leverage anybody’s credentials in an attack. Even if an employee isn’t the ultimate intended target, once hackers have gained unauthorized access to a system, they can move laterally or target downstream clients. That’s why it’s critical that all employees’ accounts and credentials are protected.
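One concrete way to act on the session-token point above is to watch for a session cookie that is suddenly presented from a second client while the original client is still using it. The script below is an added example, not code from the podcast, the joint LastPass/GuidePoint report, or either company's products: it parses a handful of constructed authentication log lines in a hypothetical `sid=... ip=... ua="..."` format (the format, field names and sample values are all assumptions) and flags sessions whose token shows up from a different IP/user-agent fingerprint within a configurable window of use by the original client. A client change long after the last original use is deliberately not flagged, since a user moving between networks looks the same as a replay if you ignore timing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical format (not a real product's log):
#   <ISO-8601 UTC timestamp> sid=<session id> ip=<source ip> ua="<user agent>"
# sid a1b2 is presented from a scripted client minutes after the browser used it,
# sid g7h8 changes network 2.5 hours later, and the others are single-client sessions.
SAMPLE_LOG = """\
2025-09-01T09:00:01Z sid=a1b2 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/128"
2025-09-01T09:05:12Z sid=a1b2 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/128"
2025-09-01T09:07:40Z sid=a1b2 ip=198.51.100.77 ua="python-requests/2.32"
2025-09-01T09:09:03Z sid=a1b2 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/128"
2025-09-01T08:00:00Z sid=g7h8 ip=203.0.113.9 ua="Mozilla/5.0 (iPhone) Safari/17"
2025-09-01T10:30:00Z sid=g7h8 ip=198.51.100.200 ua="Mozilla/5.0 (iPhone) Safari/17"
2025-09-01T11:30:00Z sid=c3d4 ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/17"
2025-09-01T11:42:10Z sid=c3d4 ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/17"
2025-09-01T14:00:00Z sid=e5f6 ip=203.0.113.44 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/130"
2025-09-02T14:00:00Z sid=e5f6 ip=203.0.113.44 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/130"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "sid": m["sid"], "ip": m["ip"], "ua": m["ua"]}


def fingerprint(event):
    """Client fingerprint: source IP plus user agent. Coarse, but enough to tell a
    browser on the corporate network from a script replaying its cookie elsewhere."""
    return (event["ip"], event["ua"])


def find_hijacked_sessions(log_text, window=timedelta(hours=1)):
    """Return {sid: [(origin_fp, foreign_fp, ts), ...]} for every event in which a
    session token is presented from a client other than the one that first used it,
    within `window` of the original client's most recent use. Two clients driving
    the same session at the same time is the signature of a replayed token; a
    client change after a long gap is treated as a plausible network move."""
    by_sid = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_sid[ev["sid"]].append(ev)

    alerts = {}
    for sid, events in by_sid.items():
        events.sort(key=lambda e: e["ts"])
        origin = fingerprint(events[0])
        last_origin_use = events[0]["ts"]
        for ev in events[1:]:
            fp = fingerprint(ev)
            if fp == origin:
                last_origin_use = ev["ts"]
            elif ev["ts"] - last_origin_use <= window:
                alerts.setdefault(sid, []).append((origin, fp, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for sid, hits in find_hijacked_sessions(SAMPLE_LOG).items():
        for origin, foreign, ts in hits:
            print(f"{ts.isoformat()} session {sid}: established by {origin}, "
                  f"presented concurrently by {foreign}")
```

With the default one-hour window only `a1b2` is reported (the `python-requests` client reuses the cookie two and a half minutes after the browser did); `g7h8` is not, because its second client appears two and a half hours after the first. Widening the window to three hours flags `g7h8` as well, which is the trade-off to tune against your own roaming-user population. In production you would key on ASN or geolocation rather than raw IP, feed the alert into a session-revocation step, and pair it with a short token lifetime so a stolen cookie expires before it is worth much.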
Listen to the full episode
We’re glad you’re coming back for more cyber threat intelligence substance and hope you come away from these episodes with some new knowledge (or will at least give K-Pop Demon Hunters a try, if only for the catchy songs).
- Listen to Episode 3 of The Phish Bowl wherever you get your podcasts.
- Subscribe for monthly threat intel deep dives.
- Access LastPass's Regional Report for detailed analysis of recent North American trends and activity.
- Check out the LastPass Labs blog for more insights.
See you next month to talk about more threat environment updates in Asia-Pacific, along with a corresponding regional report!