How North Korean IT Workers Exploit Virtualization and Fake Identities to Infiltrate Europe's Blockchain Industry
A recent report by Google Threat Intelligence Group (GTIG) has revealed that North Korean IT workers are rapidly expanding their global operations, with Europe emerging as a key target. Under increasing scrutiny and enforcement in the United States, these workers are now attempting to infiltrate blockchain companies outside of the U.S. This shift highlights a growing global threat, as North Korean IT operatives adopt advanced virtualization infrastructure and escalate their extortion tactics.
North Korean Blockchain Fraud: A Persistent Threat
North Korean IT workers have gained infamy in the blockchain industry for their deceptive practices. These individuals often pose as legitimate remote employees, infiltrating blockchain companies worldwide to generate revenue for the DPRK regime. Organizations that unknowingly hire these workers face significant risks, including espionage, data theft, and operational disruptions. Beyond corporate security threats, these activities also facilitate illegal funding streams for the North Korean government. The prevalence of blockchain fraud and theft linked to North Korean hackers underscores the scale of this issue. In August 2024, prominent on-chain investigator ZachXBT claimed to have uncovered a sophisticated network of North Korean IT workers operating as developers across more than 25 crypto projects.
Global Expansion: Europe in the Crosshairs
In a report dated April 2, GTIG advisor Jamie Collier confirmed that North Korean IT workers have shifted their focus from the U.S. to Europe, which is becoming a critical new target. While the U.S. remains a primary focus for these operatives, heightened awareness of the threat—fueled by public reporting, Department of Justice indictments, and stricter right-to-work verification processes—has made it increasingly challenging for North Korean IT workers to secure employment in the U.S. These obstacles have prompted a global expansion of their operations, with Europe receiving special attention.

Figure: List of countries impacted by DPRK IT workers
Source: GTIG report
Advanced Extortion Tactics
Investigations have revealed that North Korean IT workers frequently use multiple fake identities to seek employment in sectors such as defense and government. They leverage forged references and coordinated fake personas to gain the trust of recruiters. In Europe, these workers have been involved in advanced technology projects, including blockchain development, AI applications, and web development. Specific blockchain-related projects include smart contract development on Solana, employment marketplaces built using the MERN stack and Solana, and platforms developed with Cosmos SDK and Golang.
A network of intermediaries plays a crucial role in supporting these activities, providing fake identification documents and logistical assistance. For instance, investigations have uncovered falsified resumes listing degrees from Serbian universities and fake guides on how to secure jobs in Europe. This indicates the existence of a coordinated network that aids North Korean IT workers in bypassing identity verification processes and securing employment opportunities.
Since late 2024, North Korean IT workers have intensified their extortion attempts, targeting larger organizations. In these incidents, recently dismissed IT workers have threatened to release sensitive data from their former employers or share it with competitors. This data includes proprietary information and source code for internal projects. These aggressive tactics coincide with increased enforcement actions by U.S. authorities against North Korean IT workers, suggesting that mounting pressure may be driving them to adopt more desperate measures.
Exploitation of Virtualization Infrastructure
The adoption of "Bring Your Own Device" (BYOD) policies by companies has further amplified vulnerabilities. BYOD allows employees to access corporate systems through virtual machines, but the lack of traditional security measures on personal devices makes it easier for malicious activities to go undetected. GTIG believes that North Korean IT workers are exploiting BYOD environments to carry out harmful activities against their employers.