North Korean IT professionals are expanding their operations around the world, particularly in Europe, posing significant cybersecurity, espionage and financial risks to companies unaware of their employment, according to a new threat report prepared by the Google Threat Intelligence Group (GTIG).
A report published this week highlights how operatives from the Democratic People’s Republic of Korea (DPRK) continue to infiltrate organizations under false pretenses, using freelance platforms and remote work opportunities to generate revenue for the sanctioned regime. Their tactics are evolving, from using virtualized IT environments to launching aggressive extortion campaigns against former employers.
Following increased awareness and enforcement efforts in the US, North Korean IT operatives have shifted their focus to European firms. GTIG found North Korean workers actively seeking employment in Germany, Portugal and the UK, often targeting defence and government organisations. One worker was found to be using at least a dozen personas across Europe and the US, applying for different positions simultaneously and supplying false references, sometimes through other individuals he controlled.
In the UK, North Korean contractors worked on a wide range of development projects, including web platforms, blockchain systems, bot development, and AI applications, among them Solana smart contracts and AI-based applications built with technologies such as React, MongoDB, Tailwind CSS, and Golang.
To avoid detection, North Korean IT workers often pose as citizens of Ukraine or of countries such as Italy, Singapore, and Vietnam, using a mix of real and fabricated identities. They are typically recruited through platforms such as Upwork, Freelancer, and Telegram, and paid in cryptocurrency or through services such as Payoneer and TransferWise to obscure the origin and flow of funds.
GTIG also uncovered a support infrastructure in Europe, including intermediaries who helped North Korean operatives obtain fraudulent identification, bypass identity verification processes, and divert corporate equipment. In one case, a company laptop destined for New York was used in London.
GTIG is urging companies, especially in Europe, to strengthen their identity verification processes, closely monitor the engagement of freelancers, and ensure robust endpoint security in virtual workspaces.