North Korean Tech Workers Expand Operations in the UK Blockchain Sector

Reports from the Google Threat Intelligence Group (GTIG) reveal alarming developments regarding North Korean tech workers infiltrating blockchain projects outside the United States. This shift follows increased scrutiny and challenges in verifying the right to work in the U.S., prompting these individuals to seek opportunities in countries such as the United Kingdom.

According to GTIG adviser Jamie Collier, the U.S. remains a pivotal target, but a global ecosystem of fraudulent personas now gives North Korean IT workers greater operational agility. “In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” Collier stated.

This strategy points to the rapid formation of a support network that sustains their operations internationally. Projects involving web development and advanced blockchain technologies, including Solana and smart contract development, have been identified as particular targets, which increases the complexity of the threat landscape.

Google’s Threat Intelligence Group alerts on North Korea’s tech worker expansions amid a U.S. crackdown. Source: Google

These individuals often present themselves as legitimate remote workers, infiltrating companies and generating revenue for the North Korean regime. Collier warned, “This places organizations that hire DPRK [Democratic People’s Republic of Korea] IT workers at risk of espionage, data theft, and disruption.”

North Korea’s Growing Focus on European Tech Jobs

Collier’s investigation found that the expansion of North Korean operatives extends beyond the UK and shows a pronounced interest in European nations. Specific tactics include the use of multiple personas to apply for jobs across Europe, with fabricated resumes claiming credentials such as degrees from Belgrade University in Serbia.

Furthermore, this infiltration is paired with an increase in extortion attempts aimed at larger organizations, indicating pressure on North Korean workers to maintain revenue streams amidst intensified U.S. enforcement efforts.

Since late October, reports have emerged that recently terminated IT workers threaten to leak their former employers’ sensitive data, which may include proprietary information and source code.

To illustrate the evolving nature of threats, in January, the U.S. Justice Department indicted two North Korean nationals for their roles in a fraudulent IT work scheme affecting at least 64 U.S. companies from April 2018 to August 2024. Concurrently, the U.S. Treasury Department’s Office of Foreign Assets Control has sanctioned entities believed to be aiding North Korean revenue generation through remote IT work.

In conclusion, the presence of North Korean tech workers within the blockchain and IT sectors not only raises significant security concerns for individual companies but also poses a broader risk to the integrity of entire industries. Organizations must remain vigilant, implement stringent vetting processes, and increase awareness of foreign infiltration tactics to safeguard themselves against these sophisticated threats.
