According to Cointelegraph, North Korean tech workers are broadening their infiltration efforts into blockchain firms outside the United States due to increased scrutiny from U.S. authorities. These workers have reportedly penetrated UK crypto projects, as revealed by Google Threat Intelligence Group (GTIG) adviser Jamie Collier in a report dated April 2. While the United States remains a primary target, heightened awareness and challenges related to right-to-work verification have compelled North Korean IT workers to seek employment with non-U.S. companies.
Collier noted that in response to the increased awareness of the threat within the United States, North Korean operatives have established a global network of fraudulent personas to enhance their operational flexibility. The discovery of facilitators in the UK suggests the rapid development of a global infrastructure and support network that enables their continued operations. These workers are infiltrating projects that range from traditional web development to advanced blockchain applications, including those involving Solana and Anchor smart contract development.
GTIG has identified North Korean workers involved in projects building blockchain job marketplaces and artificial intelligence web applications that leverage blockchain technologies. These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime, placing organizations that hire Democratic People's Republic of Korea (DPRK) IT workers at risk of espionage, data theft, and disruption.
Collier also highlighted a notable focus on Europe, with North Korean workers using multiple personas across the continent. Some workers have used resumes listing degrees from Belgrade University in Serbia and residences in Slovakia. Separate investigations by GTIG found personas seeking employment in Germany and Portugal, login credentials for user accounts on European job websites, instructions for navigating these sites, and a broker specializing in false passports.
Since late October, North Korean workers have increased extortion attempts, targeting larger organizations. GTIG speculates that this is due to pressure to maintain revenue streams amid the U.S. crackdown. Recently fired IT workers have threatened to release their former employers' sensitive data, including proprietary data and source code for internal projects, or to provide it to competitors.
In January, the U.S. Justice Department indicted two North Korean nationals for their involvement in a fraudulent IT work scheme affecting at least 64 U.S. companies from April 2018 to August 2024. The U.S. Treasury Department’s Office of Foreign Assets Control also sanctioned companies accused of being fronts for North Korea that generate revenue through remote IT work schemes. Additionally, crypto founders have reported increased activity from North Korean hackers, with attempts to steal sensitive data through fake Zoom calls.