Google Cloud has issued a warning regarding the increasing illicit activity of North Korean IT workers across Europe, particularly targeting blockchain projects. In a detailed report released on Wednesday, the tech giant outlined how operatives from the Democratic People’s Republic of Korea (DPRK) are posing as legitimate remote workers to infiltrate European companies, subvert critical systems, and steal sensitive data with potentially dire ramifications.
As projects built on the widely-used Solana network, such as applications and job boards, become favored targets, it is clear that the landscape of cyber threats is shifting. The focus has transitioned from the United States, where DPRK-linked entities faced significant scrutiny following indictments from the Department of Justice and tight hiring restrictions, to Europe, where these threats are now proliferating.
One striking element of the report highlights the extent of deception employed by these so-called IT workers. They managed to maintain up to twelve fake personas across the U.S. and Europe. Employing tactics such as fabricating references and cultivating relationships with recruiters, they devise elaborate strategies to build credibility and gain access to sensitive information.
Importantly, these workers are not merely pretending to have IT skills. The report reveals they have demonstrated solid technical ability, taking on projects involving modern technologies such as Next.js, React, and CosmosSDK. Several even contributed to the development of an entire Solana-based job marketplace and used Anchor and Rust for smart contract development. Notably, one individual ventured into artificial intelligence, developing web applications that combine AI with blockchain functionality.
Of particular concern is the use of Bring Your Own Device (BYOD) policies in workplaces, which may be providing fertile ground for these intrusions. Google Cloud’s report notes that, in January 2025, North Korean IT workers were increasingly targeting environments that allow employees to use their own devices, stating: “IT workers have identified BYOD environments as potentially ripe for their schemes.”
The tactics of global expansion, extortion, and the utilization of virtualized infrastructure further illustrate the adaptability of DPRK IT workers as they evolve their strategies to evade detection and capitalize on vulnerabilities in various sectors.
DPRK entities and associated hacking groups have emerged as some of the most significant threat actors in the cryptocurrency landscape. In 2024 alone, they are estimated to have stolen approximately $1.3 billion from various projects; they also executed a massive $1.5 billion breach of the crypto exchange Bybit in February.
As the threat from North Korean operatives burgeons, it becomes increasingly critical for businesses, particularly those in the tech and blockchain domains, to bolster their cybersecurity measures and remain vigilant against these evolving tactics.