Google reports that fraudulent tech workers linked to North Korea are covertly infiltrating blockchain companies outside the United States following stricter government investigations in the country. Some of these workers have also gained access to UK crypto projects.
The Google report highlighted that the fake employees have also increased extortion attempts as they come under pressure to maintain sources of income in the face of a U.S. crackdown.
North Korean tech workers are infiltrating UK companies
In a report released on April 2, Jamie Collier, an adviser to the Google Threat Intelligence Group (GTIG), stated that although the U.S. remains a primary target, North Korean IT workers have been forced to find employment at non-U.S. companies due to heightened awareness and difficulties with right-to-work verification.
Collier stated that the workers have created a global network of fraudulent personas to enhance operational flexibility in response to increased awareness of the threat in the United States.
He added, “Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations.”
The adviser to the Google Threat Intelligence Group claimed that the North Korean-affiliated employees are infiltrating projects that range from traditional web development to cutting-edge blockchain applications, including those involving the creation of Solana and Anchor smart contracts.
North Korean workers were also found to be involved in another project that used blockchain technology to create an artificial intelligence web application and a blockchain job marketplace.
“These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime,” Collier said. This puts businesses that employ IT personnel from the Democratic People’s Republic of Korea (DPRK) at risk of disruption, data theft, and espionage.
North Korean employees have been stepping up their operations to maintain revenue sources
Collier said that apart from the UK, there was a big focus on Europe, with one member of the GTIG using at least 12 personas from across the continent and others using resumes naming homes in Slovakia and degrees from Belgrade University in Serbia.
A separate GTIG analysis identified a broker offering fake passports, login credentials for user accounts on European job-seeking websites, guidance on how to use European job sites, and fake personas searching for work in Germany and Portugal.
Notably, North Korean laborers have made more extortion attempts and targeted larger organizations since late October.
GTIG speculates that this is because the workers are under pressure to sustain income streams in the face of a U.S. crackdown.
Collier said that in these cases, recently fired IT employees threatened to give sensitive information to a competitor or their former employers. This information included source code for internal projects as well as proprietary data.
Furthermore, in January, the U.S. Justice Department charged two North Korean nationals for participating in a fraudulent IT work scheme involving at least 64 U.S. companies between April 2018 and August 2024.
The Office of Foreign Assets Control at the U.S. Treasury Department also imposed sanctions on businesses that claimed to be fronts for North Korea and made money through remote IT work schemes.
According to cryptocurrency founders, North Korean hackers have been increasing their activity. On March 13, at least three founders reported stopping attempts to steal sensitive data using fake Zoom calls.
Blockchain researcher ZachXBT reported in August that they had discovered a highly skilled network of North Korean developers making $500,000 per month working on “established” cryptocurrency projects.