Introduction

North Korea has been orchestrating a sophisticated scheme involving fake IT workers to infiltrate companies, particularly in Europe [1] [2] [4] [5], across sectors such as defense, government [1] [2] [4], and blockchain [1] [3] [5]. This operation has expanded from the United States to Europe, leveraging false identities and advanced technical skills to secure employment and conduct illicit activities.

Description

North Korea’s scheme involving fake IT workers has increasingly targeted European companies [1], particularly in the defense [1] [2] [4], government [1] [2] [4], and blockchain sectors. Individuals from the Democratic People’s Republic of Korea (DPRK) have expanded their operations from the US to Europe, applying for jobs while falsely claiming to be based in various countries [2], including Italy [2], Japan [1] [2], Ukraine [2], and Vietnam [1] [4]. These operatives possess strong coding skills and have taken on projects involving technologies such as Next.js [3], React [3], CosmosSDK [3], and Golang [3], even developing a Solana-based job marketplace and an AI web application [3]. Facing challenges in securing employment in the US [1], they have shifted their focus to Europe [5], where they utilize multiple fake personas to gain freelance positions [1]. Reports indicate that these operatives have established a global network of fraudulent identities to enhance their operational agility [5], with at least 12 different personas reported across Europe and the United States [4]. They often employ fabricated references and build rapport with recruiters through online platforms such as Upwork, Freelancer [1] [2] [4], and Telegram [1].

To conceal their identities [1], DPRK workers have falsely claimed nationalities and have used facilitators in Europe and the UK to acquire fraudulent identification documents, bypass identity verification [1], and receive payments [1]. They often route payments through cryptocurrency and services such as TransferWise and Payoneer, obscuring the final destination of their earnings [4]. These workers have infiltrated companies in the UK that develop websites and web applications [4], working from personal devices under Bring Your Own Device (BYOD) policies to evade detection [4]. Because a personal device typically sits outside the company's endpoint management and monitoring, the operator's activity is largely invisible to corporate security tooling, which is what makes BYOD-heavy environments particularly exposed to these schemes.

In addition to generating revenue [1], these operations have escalated to include extortion [1]: sensitive data [1] [3] [5], including proprietary information and source code [5], is stolen and held for ransom [1]. Recent activity shows a rise in extortion attempts against larger organizations, including threats to leak proprietary code unless a payment is made [5]. This escalation is likely a response to intensified US law enforcement action against DPRK workers [1]. Organizations are advised to be cautious with their BYOD policies [2], as these are being exploited by the fake workers [2]. Recommendations include maintaining tight security measures [2], monitoring unusual network traffic [2], and implementing strict identity-verification processes when hiring remote workers [2]. The evolving tactics of DPRK IT workers highlight their adaptability and the global network established to support their operations [2], including a notable increase in the use of AI and face-swapping technology during video interviews [2], which organizations should be vigilant against [2]. Additionally, DPRK entities are recognized as significant threat actors in the crypto ecosystem [3], having stolen an estimated $1.3 billion from various projects in 2024 and having carried out a $1.5 billion hack on the crypto exchange Bybit in February 2025 [3].
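The hiring-side recommendations above can be turned into concrete triage checks. The script below is an added example, not code from any of the cited reports: it scores constructed applicant records for three indicators the reports describe, namely a claimed location that does not match where the applicant actually connects from, working hours that are implausible for the claimed time zone, and shared infrastructure (a device fingerprint or payout account) across supposedly different personas. The IP-to-country table, UTC offsets, sample records and the 50% off-hours threshold are all assumptions made for the example.

```python
"""Triage checks for remote-hire fraud signals (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for a geo-IP lookup. In practice this would be your
# geo-IP provider or the country field from the identity provider's sign-in logs.
IP_COUNTRY = {
    "203.0.113.10": "JP",
    "198.51.100.7": "VN",
    "192.0.2.44": "RU",
    "192.0.2.45": "RU",
    "198.51.100.200": "IT",
}

# Constructed approximate UTC offsets used to convert UTC login hours to local time.
UTC_OFFSET = {"JP": 9, "VN": 7, "IT": 1, "UA": 2, "RU": 3, "GB": 0}


@dataclass
class Applicant:
    persona: str
    claimed_country: str
    login_ips: list          # source IPs seen on the hiring portal / freelance platform
    login_hours_utc: list    # hour-of-day (UTC) of each observed session
    device_fp: str           # browser/device fingerprint captured at sign-in
    payout_account: str      # identifier of the account payments would go to


def ip_mismatch(a: Applicant) -> list:
    """Countries the applicant actually connected from that differ from the claim."""
    seen = {IP_COUNTRY.get(ip, "??") for ip in a.login_ips}
    return sorted(c for c in seen if c != a.claimed_country)


def offhours_ratio(a: Applicant) -> float:
    """Fraction of sessions falling between 00:00 and 06:00 in the claimed local time."""
    if not a.login_hours_utc:
        return 0.0
    offset = UTC_OFFSET.get(a.claimed_country, 0)
    local = [(h + offset) % 24 for h in a.login_hours_utc]
    return sum(1 for h in local if h < 6) / len(local)


def shared_infrastructure(applicants: list) -> dict:
    """Map each persona to the device fingerprints / payout accounts it shares with others."""
    by_fp, by_pay = defaultdict(set), defaultdict(set)
    for a in applicants:
        by_fp[a.device_fp].add(a.persona)
        by_pay[a.payout_account].add(a.persona)
    shared = {}
    for key, personas in list(by_fp.items()) + list(by_pay.items()):
        if len(personas) > 1:
            for p in personas:
                shared.setdefault(p, set()).add(key)
    return shared


def screen(applicants: list, offhours_threshold: float = 0.5) -> dict:
    """Return {persona: [reasons]} for every applicant that trips at least one check."""
    shared = shared_infrastructure(applicants)
    findings = {}
    for a in applicants:
        reasons = []
        mismatch = ip_mismatch(a)
        if mismatch:
            reasons.append(f"claims {a.claimed_country} but connects from {','.join(mismatch)}")
        ratio = offhours_ratio(a)
        if ratio >= offhours_threshold:
            reasons.append(f"{ratio:.0%} of sessions at 00:00-06:00 {a.claimed_country} local time")
        if a.persona in shared:
            reasons.append("shares device/payout with another persona: " + ", ".join(sorted(shared[a.persona])))
        if reasons:
            findings[a.persona] = reasons
    return findings


# Constructed sample records; none of these describe real applicants.
SAMPLE = [
    Applicant("persona-A", "JP", ["192.0.2.44"], [0, 1, 2, 3, 16, 17], "fp-7f3a", "pay-001"),
    Applicant("persona-B", "VN", ["192.0.2.45", "198.51.100.7"], [18, 19, 20, 21], "fp-7f3a", "pay-002"),
    Applicant("persona-C", "IT", ["198.51.100.200"], [8, 9, 10, 14], "fp-91c0", "pay-003"),
]

if __name__ == "__main__":
    for persona, reasons in screen(SAMPLE).items():
        print(persona)
        for reason in reasons:
            print("  -", reason)
```

In the constructed sample, persona-A and persona-B both connect from a country other than the one they claim and share a device fingerprint, and persona-B's sessions all fall in the small hours of its claimed time zone; persona-C trips nothing. These are triage signals, not verdicts: legitimate freelancers keep odd hours and travel, so a hit should route the applicant to a stronger identity check (for example a live video step, which face-swapping tooling targets) rather than to automatic rejection.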

Conclusion

The activities of North Korean IT operatives pose significant threats to global cybersecurity, particularly in Europe [1] [2] [4] [5]. Organizations must enhance their security protocols, especially concerning BYOD policies and identity verification processes, to mitigate these risks. The increasing sophistication of these schemes, including the use of AI and face-swapping technology [2], underscores the need for vigilance and proactive measures. As DPRK entities continue to exploit vulnerabilities in the crypto ecosystem, international cooperation and robust cybersecurity strategies will be crucial in countering these threats and safeguarding sensitive information.

References

[1] https://www.infosecurity-magazine.com/news/north-korea-fake-it-worker-europe/
[2] https://www.itpro.com/security/google-warns-that-fake-north-korean-it-workers-have-expanded-to-europe
[3] https://www.coindesk.com/markets/2025/04/02/google-warns-solana-projects-that-north-koreans-are-increasingly-targeting-european-projects
[4] https://www.helpnetsecurity.com/2025/04/02/north-korean-it-workers-target-europe/
[5] https://www.newstarget.com/2025-04-02-fake-it-workers-north-korea-target-uk-crypto.html