Tech Warriors of DPRK: The European Infiltration
UK Blockchain Initiatives Widen Exposure to North Korean Infiltration of Tech Workforce
Here's the lowdown on North Korea's tech troops intensifying their covert ops beyond the US, creeping into Europe, particularly the UK. These soldiers are diving deep into blockchain projects, web development, and AI applications.
To stay beneath the radar, these workers operate in teams, often working never-ending hours and handing the digital keys to their desktops to fellow conspirators with similar tech skills. This shared access allows round-the-clock work and causes quite a stir in the organizations they join.
Companies that open their doors to North Korean IT workers face the sobering reality of espionage, data theft, and system disruption. With these workers posing as nationals of countries such as Italy, Japan, Malaysia, and the US, it's a risky game they're playing.
The European Takeover
North Korea's tactical excursion into Europe is tightly organized, with operatives using multiple personas across the continent. Google's Threat Intelligence Group (GTIG) uncovered one such worker using 12 distinct identities, while others claimed degrees from Belgrade University in Serbia and residences in Slovakia.
Ambitious job seekers in Germany and Portugal were also in the investigators' sights, with findings of login credentials for European job websites, navigation instructions for job portals, and links to brokers specializing in forged passports.
In-depth Infiltration
Detailed research by experts like Mohan Koo, co-founder of insonify, reveals a more pervasive North Korean scheme than initially suspected. According to Koo, insider investigations are showing that some infiltrators hold the "keys to the kingdom": control over other employees, rights to install and uninstall software, and the ability to write code.
These workers often exhibit bizarre login patterns, staying logged in for lengthy periods – as much as four to five days at a stretch, or even three weeks – without ever logging out. This odd "productivity" is the result of desktop access shared among co-conspirators, which makes it look as though a single employee is tirelessly working around the clock.
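The login pattern described above is detectable from ordinary authentication logs. The following is an added example, not code from the article or from any vendor it cites: it pairs login and logout events per account, flags any session longer than a threshold (72 hours here, an assumed value), and also flags accounts that are still logged in with no logout at all, measured against a reference time, so an operator who never signs off is not missed. The log lines and account names are constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed threshold: a single interactive session longer than this is suspicious.
MAX_SESSION_HOURS = 72

# Constructed sample events (not real logs): timestamp,user,event,source_ip.
SAMPLE_LOG = """\
2025-03-01T08:00:00,alice,login,10.0.0.5
2025-03-01T17:10:00,alice,logout,10.0.0.5
2025-03-01T09:00:00,bob,login,10.0.0.9
2025-03-06T03:30:00,bob,logout,10.0.0.9
2025-03-02T22:00:00,carol,login,10.0.0.7
"""


def parse_events(text):
    """Parse CSV-style auth events into (timestamp, user, event, src) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src = line.split(",")
        events.append((datetime.fromisoformat(ts), user, event, src))
    return sorted(events)


def find_long_sessions(text, now_iso, max_hours=MAX_SESSION_HOURS):
    """Return one record per session exceeding max_hours.

    Closed sessions are login-to-logout; a login with no logout is measured up
    to now_iso and reported with closed=False, catching accounts that never sign off.
    """
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(hours=max_hours)
    open_sessions = {}  # user -> start of the current session
    flagged = []
    for ts, user, event, _src in parse_events(text):
        if event == "login":
            open_sessions.setdefault(user, ts)  # repeated logins keep the earliest start
        elif event == "logout" and user in open_sessions:
            start = open_sessions.pop(user)
            if ts - start > limit:
                flagged.append({"user": user, "start": start.isoformat(),
                                "hours": (ts - start).total_seconds() / 3600, "closed": True})
    for user, start in open_sessions.items():  # still logged in at the reference time
        if now - start > limit:
            flagged.append({"user": user, "start": start.isoformat(),
                            "hours": (now - start).total_seconds() / 3600, "closed": False})
    return flagged


if __name__ == "__main__":
    for hit in find_long_sessions(SAMPLE_LOG, "2025-03-10T00:00:00"):
        state = "closed" if hit["closed"] else "STILL OPEN"
        print(f"{hit['user']}: {hit['hours']:.1f}h session from {hit['start']} ({state})")
```

In a real deployment the same pairing logic runs over VPN, SSO or VDI session logs, and the flagged accounts feed an insider-threat review rather than an automatic lockout.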
The Extortion Game
Since October 2024, North Korean IT workers have ramped up their extortion schemes, targeting prominent organizations that have dismissed them. These workers threaten to expose sensitive information or hand it to competitors, putting proprietary assets and the source code of internal projects at risk.
This sudden surge in extortion attempts coincides with increased US law enforcement actions, hinting at these workers feeling the squeeze and resorting to more aggressive tactics to maintain revenue streams.
Previously dismissed workers would attempt to provide references for their alternate personas to secure rehiring. Now, suspecting their true identities have been exposed, they resort to extortion.
The Shocking Scope of the Infiltration
Investigations by companies like insonify, which partner with many Fortune Global 2000 organizations, indicate that at least 7% of their client base has been targeted by North Korean operatives. It's estimated that thousands of critical infrastructure organizations worldwide have succumbed to such infiltrations.
Once hired, these North Korean workers swiftly penetrate deeper into the organization, pivoting into virtual desktop infrastructure environments and using their access to target trusted partners, increasing supply chain risks.
Multiple threat hunters have observed a surge in insider threat activity linked to North Korea, with a "tremendous amount of companies" inadvertently hiring North Koreans for technical roles. In 2024, nearly 40% of CrowdStrike's incident response cases involving North Korea involved insider-threat operations, while insider threats tied to North Korea tripled according to Palo Alto Networks' Unit 42 reports.
Money Matters
Infiltration appears to be motivated by financial gain, with North Korean technical workers generating hundreds of millions for the regime annually, according to Unit 42.
In January 2025, the US Justice Department indicted two North Korean nationals for involvement in a fraudulent IT worker scheme involving at least 64 US companies between 2018 and 2024. The US Treasury Department's Office of Foreign Assets Control also sanctioned companies accused of being fronts for North Korea that generated revenue via remote IT work schemes.
- Reports suggest that North Korean IT workers, currently operating in Europe, are not only involved in espionage and data theft but have also been found to possess cybersecurity skills, using them to infiltrate blockchain projects, web development, and AI applications.
- The infiltration by North Korean operatives extends beyond merely accessing organizations' digital systems; these workers gain control over other employees, rights to install and uninstall software, and the ability to write code, making them the "keys to the kingdom."
- On the enforcement side, the US government has taken action against such infiltration, with the US Justice Department indicting two North Korean nationals for their involvement in a fraudulent IT worker scheme that generated hundreds of millions for the regime annually.