North Korea Tech Workers Discovered in UK Blockchain Projects & Startups


Fraudulent North Korean Tech Workers Expand Operations Beyond US

Fraudulent tech workers linked to North Korea are broadening their infiltration efforts into blockchain companies globally, particularly in the UK, as they face tighter scrutiny from U.S. authorities. According to a report by Google’s Threat Intelligence Group (GTIG), these individuals are adapting their strategies to target firms outside the United States. Jamie Collier, an advisor at GTIG, noted that while the U.S. remains a significant objective, the rise in awareness and the implementation of employment verification measures have compelled North Korean IT workers to seek opportunities with non-U.S. organizations.

Collier highlighted, “To respond to the increased recognition of this threat within the U.S., they have cultivated a worldwide network of deceptive identities to improve their operational flexibility.” He also pointed out the emergence of facilitators in the UK, indicating the swift creation of a global support structure that assists in the continuation of their activities.

North Korean Workers Targeting Blockchain Projects

According to Collier, these North Korea-affiliated workers are engaging in both traditional web development and sophisticated blockchain initiatives, including projects related to Solana and the development of Anchor smart contracts. Furthermore, investigations revealed that a project aimed at creating a blockchain job marketplace and an AI web application utilizing blockchain technology also involved North Korean personnel. Collier remarked, “These individuals masquerade as legitimate remote employees to infiltrate organizations and generate revenue for the regime.” He cautioned that employing DPRK IT workers places companies at risk of espionage, data breaches, and operational disruptions.

North Korea Shifts Focus to European Job Markets

Collier also noted a significant emphasis on Europe, with one worker reportedly utilizing at least 12 different identities across the continent. Investigations uncovered resumes claiming degrees from Belgrade University in Serbia and residential addresses in Slovakia. Additional findings from GTIG revealed individuals seeking work in Germany and Portugal, along with login details for European job site accounts and a broker who specializes in counterfeit passports.

Since late October, North Korean workers have escalated their extortion activities, targeting larger organizations as they feel the pressure to sustain their revenue streams in light of the U.S. crackdown. Collier explained, “In these incidents, recently terminated IT employees have threatened to disclose sensitive information from their former employers or share it with competitors. This data included proprietary information and source code from internal projects.”

U.S. Indictments and Increased Cyber Threats

In January, the U.S. Department of Justice charged two North Korean nationals with participating in a fraudulent IT work scheme that affected at least 64 U.S. companies from April 2018 to August 2024. Additionally, the U.S. Treasury Department’s Office of Foreign Assets Control imposed sanctions on entities identified as fronts for North Korea, which generated income through remote IT work schemes.

Crypto entrepreneurs have also reported a rise in activity from North Korean hackers, with at least three founders sharing on March 13 that they thwarted attempts to steal sensitive information through deceptive Zoom meetings. One founder recounted an experience where he faced audio issues during a call, revealing the presence of North Korean hackers masquerading as venture capitalists.

In August, blockchain investigator ZachXBT claimed to have uncovered an intricate network of North Korean developers generating approximately $500,000 a month by working with established cryptocurrency projects.