North Korean-linked IT workers have reportedly expanded their operations beyond the United States, targeting crypto, blockchain and web development projects in the United Kingdom and Europe, according to a new report from Google’s Threat Intelligence Group (GTIG).
These individuals, operating under false identities, have allegedly embedded themselves into remote crypto, blockchain-related positions in order to generate revenue for the North Korean regime.
Growing Global Infrastructure and Risks for Companies
The increased scrutiny and verification challenges in the US have pushed many of these workers to seek opportunities elsewhere, primarily in Europe. According to GTIG adviser Jamie Collier, the actors have established a global network of fraudulent personas to better navigate international hiring systems.
The report notes that some of these workers have taken roles in blockchain development involving smart contract platforms or crypto networks such as Solana and Anchor, and in projects leveraging artificial intelligence through blockchain integrations.
Collier highlights the existence of facilitators in the UK, supporting the formation of a broader infrastructure that enables continued operations. GTIG’s investigation found North Korean workers had managed to join projects spanning advanced blockchain ecosystems and traditional tech development.
Some individuals reportedly used multiple fake personas across Europe, even presenting credentials from universities such as Belgrade University and claiming residence in countries including Slovakia, Germany, and Portugal.
The fraudulent activity carries significant risks for cypto companies involved. GTIG warns that organizations hiring these workers may face espionage threats, data theft, and internal disruption.
These risks have reportedly escalated since October, with former workers allegedly threatening employers with data leaks if severance conditions were not met. Sensitive proprietary data, including source code, has been cited in these threats.
Fraud Tactics and Recruitment Manipulation
GTIG’s report also uncovered broader evidence of recruitment manipulation, including login credentials for European job portals and detailed instructions for navigating these platforms.
A broker facilitating the use of falsified passports was also identified. Collier emphasized that the campaign appears driven by financial motives tied to the North Korean state, with increased pressure to replace lost US-based income streams.
Notably, with the ongoing diversification of their targets and improved use of international job-seeking strategies, the infiltration of blockchain and crypto firms may continue if left unchecked.
Meanwhile, organizations across Europe and elsewhere seem to already be taking steps to strengthen identity verification procedures and monitor for unusual activity among remote staff. Collier wrote:
To avoid distributing corporate laptops, some companies operate a bring your own device (BYOD) policy, allowing employees to access company systems through virtual machines. Unlike corporate laptops that can be monitored, personal devices operating under a BYOD policy may lack traditional security and logging tools, making it difficult to track activities and identify potential threats.
Featured image created with DALL-E, Chart from TradingView
