North Korean Fraudulent Tech Workers Are Expanding Their Reach to Europe After US Crackdown

Fraudulent tech workers with ties to North Korea are expanding their infiltration operations to blockchain firms outside the US

After U.S. authorities cracked down on fraudulent tech workers with ties to North Korea, the workers are expanding their infiltration operations to blockchain firms outside of the U.S. and fibbing about their employment history, Google Threat Intelligence Group (GTIG) adviser Jamie Collier says in an April 2 report.

The North Korea-linked workers are capable of speaking English and have been applying for roles in traditional web development and advanced blockchain applications, such as projects involving Solana and Anchor smart contract development, according to Collier. Another project building a blockchain job marketplace and an artificial intelligence web application leveraging blockchain technologies was also found to have North Korean workers.

“These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime,” Collier said.

Along with the U.K., GTIG identified a notable focus on Europe, with one worker using at least 12 personas across Europe and others using resumes listing degrees from Belgrade University in Serbia and residences in Slovakia.

Separate GTIG investigations found personas seeking employment in Germany and Portugal, login credentials for user accounts of European job websites, instructions for navigating European job sites, and a broker specializing in false passports.

At the same time, since late October, the North Korean workers have increased the volume of their extortion attempts and gone after larger organizations, which GTIG speculates is the workers feeling pressure to maintain revenue streams amid a crackdown in the U.S.

“In these incidents, recently fired IT workers threatened to release their former employers' sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects,” Collier said.

In January, the U.S. Justice Department indicted two North Korean nationals for their involvement in a fraudulent IT work scheme that spanned April 2018 to August 2024 and affected at least 64 U.S. companies.

The U.S. Treasury Department’s Office of Foreign Assets Control also sanctioned companies it accused of being fronts for North Korea that generated revenue via remote IT work schemes.

The new report from Google comes amid crypto founders reporting an increase in activity from North Korean hackers. At least three founders reported on March 13 that they foiled attempts to steal sensitive data through fake Zoom calls. Having audio issues on your Zoom call? That's not a VC, it's North Korean hackers. Fortunately, this founder realized what was going on.The call starts with a few "VCs" on the call. They send messages in the chat saying they can't hear your audio, or suggesting there's an…

— Haider Hejaz (KhashChain) (@HaiderHejaz) March 13, 2024

The identity theft scheme has been ongoing for at least a year, with blockchain investigator ZachXBT in August claiming to have uncovered a sophisticated network of North Korean developers earning $500,000 a month working for “established” crypto projects.