On Wednesday, Google’s Threat Intelligence Group (GTIG) reported a concerning rise in cyber threats tied to North Korean IT workers. These operatives, once primarily active in the U.S., are now expanding significantly into the European market.
As the U.S. strengthens its awareness and defensive measures—marked by a rise in arrests and investigations involving individuals linked to North Korea—these operatives are increasingly shifting their focus to more vulnerable regions, especially in Europe, according to GTIG analysis.
In a notable case from late 2024, a North Korean IT worker was found using at least a dozen fake identities across Europe and the U.S. The individual actively sought positions in sectors vital to national security, such as defense industrial bases and government agencies in Europe. Their efforts were part of a highly coordinated scheme that included forged references, strategic rapport-building with recruiters, and the repeated use of false personas to mislead employers.
Similar patterns have emerged in countries such as Germany and Portugal, where North Korean IT workers have falsified credentials on local job platforms and human capital management systems to secure employment. The United Kingdom has also been targeted, with North Korean developers actively contributing to projects ranging from website and bot development to content management systems (CMS) and blockchain technologies. This highlights a concerning level of expertise spanning both traditional and emerging tech fields, including artificial intelligence.
To obscure their origins, these operatives have falsely claimed nationalities from a diverse range of countries, including Italy, Japan, Singapore, Ukraine, the U.S., and Vietnam. Their fake identities often combine elements of real and entirely fabricated personas.
Recruitment and operations are carried out through widely used platforms like Upwork, Telegram, and Freelancer. Payments are typically made via cryptocurrencies or financial services such as TransferWise and Payoneer, adding layers of anonymity and making the flow of funds more difficult to trace.
Perhaps most alarming is the recent rise in extortion-related cyber activities. Since October 2024, North Korean-affiliated workers have significantly escalated efforts to extort companies. This trend seems to align with heightened enforcement actions in the U.S., including arrests and indictments, which may be driving these operatives to adopt more aggressive tactics to sustain their revenue streams.
The risk is further heightened by corporate policies like Bring-Your-Own-Device (BYOD), which permit employees to access sensitive systems from personal devices. Such devices typically sit outside the endpoint monitoring and logging applied to corporate hardware, so the activity of a fraudulent hire working from one is far less likely to be detected, giving these actors a blind spot in which to operate.
Dr. Jamie Collier, Lead Threat Intelligence Advisor for Europe at GTIG, cautioned, “A decade of diverse cyberattacks—including SWIFT network breaches, ransomware campaigns, cryptocurrency theft, and supply chain compromises—has laid the groundwork for North Korea’s current cyber offensive. Given their track record of success, we should anticipate an intensification of this global expansion, especially in regions like APAC and parts of Europe where awareness and preparedness remain low.”
As North Korea’s IT operations continue to adapt and expand, experts are calling on governments and corporations to strengthen their cyber defenses and raise awareness of the increasingly sophisticated and globalized threat posed by these state-sponsored actors.
Related article: Fourteen North Korean nationals indicted in multi-year IT fraud scheme
The U.S. has accused 14 North Korean nationals of defrauding American companies, violating sanctions, and extorting employers through an elaborate six-year IT fraud scheme that funneled illicit funds to North Korea’s missile programs.
The indictment, unsealed Thursday, alleges that the conspirators used fake identities to secure remote IT jobs, steal sensitive company data, and extort firms, funneling millions to the North Korean regime.
The accused individuals worked for DPRK-controlled companies Yanbian Silverstar in China and Volasys Silverstar in Russia. Both companies employed at least 130 North Korean IT workers, internally referred to as “IT Warriors.” According to the allegations, these workers collectively generated $88 million in illicit revenue for the North Korean government.
Editor’s note: This article was initially written by ChatGPT-4o according to the author’s specific instructions, which included news judgment, fact-checking, and thorough editing prior to publication.