BSides Canberra 2026

Sohan Lokula

Sohan is a Senior Analyst in PwC’s Threat Intelligence team and the North Korea-based threats lead. He is a technical Cyber Threat Intelligence analyst focused on cyber crime and North Korea-based threat actors, with experience across deep and dark web intelligence, threat actor tracking, cyber criminal activity, and strategic intelligence reporting.


Session

09-24
10:30
25min
From Dream Jobs to Developer Tokens: How North Korea-based threat actors abuse trust
Sohan Lokula

For years, defending against North Korea-based threat actors meant defenders using the same standard checklist. Block the phishing email, sandbox the lure document, or kill the macro. Since 2021 that checklist has been quietly going out of date. This talk looks at how North Korea-based threat actors changed their game. They did not just write better malware, but they moved closer to targeting the workflows and assets that organisations often implicitly trust. They target developers, maintainers, recruiters, SaaS logins, CI/CD pipelines, browser sessions, crypto wallets, and in a growing number of cases, they stopped breaking in entirely and simply got hired.

Drawing on PwC Threat Intelligence research into North Korea-based threat actor activity through 2026, I will walk through how the access model works today, using real world examples. A recruiter message that turns into a terminal command. A job interview that becomes the malware delivery mechanism. A developer laptop that quietly hands over source code, cloud keys and wallets, and a new remote hire who was never a real person. The point is simple and a little uncomfortable. The North Korea-based threat actor’s intrusion path no longer starts where most defenders are looking. It starts in your hiring pipeline, your dependency tree, your build system and your payroll.

Whether you work in defence, threat intel, offensive security, or you are just breaking into the industry, you will leave this talk able to spot what these intrusions look like, not just "what payload ran" but "which trust relationship did they abuse, and what did it expose?".

Off-Main Track
Off-Main Track