North Korean IT Worker Army Expands Operations in Europe
Summary:
North Korean IT workers, often referred to as “IT warriors,” have expanded their operations beyond the United States and are now increasingly targeting organizations across Europe. These individuals operate covertly, concealing their true identities and posing as freelance IT professionals from countries such as Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. They rely on deceptive tactics, including the use of both real and fabricated identities, and access company networks remotely using infrastructure like laptop farms to fraudulently obtain employment. Their primary objective is to generate revenue for the Democratic People’s Republic of Korea (DPRK) regime, which retains up to 90 percent of the earnings to fund national programs, including weapons development.
According to researchers from Google’s Threat Intelligence Group (GTIG), North Korean IT workers have increasingly targeted companies in Germany, Portugal, and the United Kingdom, especially after many of them were exposed and sanctioned in the United States. GTIG found that these workers infiltrate European organizations by applying for freelance roles through platforms such as Upwork, Freelancer, and Telegram. They receive payments through cryptocurrency and international financial services such as Payoneer and TransferWise, which obscure the origin and destination of funds and complicate enforcement efforts.
Investigations have revealed that user credentials belonging to North Korean IT personas were discovered on European job and human capital management platforms. These workers have secured positions in various technology sectors, including artificial intelligence, blockchain, and web development. In one case, a DPRK IT worker targeted multiple European entities in the defense industrial base and government sector using fraudulent resumes and references to deceive recruiters.
Security Officer Comments:
Security experts from Mandiant and Google have warned that these IT workers are now infiltrating larger organizations not only to earn income but also to steal sensitive data. In some cases, North Korean operatives have leveraged insider access to extort employers, threatening to release confidential information after being dismissed. As this campaign grows, it presents a dual threat: financial enrichment of the DPRK regime and increased risk of espionage or cyber extortion within compromised enterprises.
The United Kingdom’s Office of Financial Sanctions Implementation issued an advisory on September 12, 2024, highlighting the risk of unknowingly hiring North Korean IT workers and warning that doing so may violate financial sanctions. In parallel, the U.S. government has taken action by issuing multiple warnings through the FBI and the Department of Justice. In January 2025, the Justice Department indicted two North Korean nationals and three enablers in connection with a multi-year fraudulent IT employment scheme that affected at least sixty-four U.S. companies. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned DPRK-linked front companies associated with the Ministry of National Defense for their involvement in illicit IT operations. Additionally, the U.S. State Department now offers financial rewards for information that leads to the disruption of these fraudulent activities.
Governments in South Korea and Japan have also issued alerts, citing similar tactics involving the impersonation of foreign nationals to secure employment with private-sector companies. These ongoing operations underscore the persistent threat posed by North Korean IT workers to the global technology workforce and highlight the need for organizations to conduct thorough due diligence and implement robust identity verification processes during hiring.
Suggested Corrections:
- Consider utilizing periodic mandatory spot checks where remote employees are required to go on camera.
- Offer continuous education for users and employees on current threats and trends, which is critical for identifying potentially malicious activity. Provide additional training on reporting suspicious activity.
- Collaborate with information-sharing communities and security vendors to stay abreast of the latest threats and mitigation strategies.
- Require the use of U.S. banks for financial transactions to hinder IT worker efforts, as the acquisition of U.S. bank accounts is more difficult and entails stricter identity verification than those in many other countries.
https://www.bleepingcomputer.com/ne...-it-worker-army-expands-operations-in-europe/