TLDR
- North Korean tech workers are expanding their infiltration beyond the US to Europe, particularly the UK
- They’re involved in blockchain projects, web development, and AI applications
- These workers operate in teams, working impossibly long hours and sharing access
- Organizations that hire them risk espionage, data theft, and system disruption
- North Korean workers are increasingly using extortion tactics when discovered
North Korean tech workers are expanding their covert operations to blockchain firms and tech companies outside the US. According to recent reports from Google’s Threat Intelligence Group (GTIG), these workers have infiltrated projects in the UK and across Europe. This expansion comes as US authorities increase scrutiny and enforcement actions against the regime’s IT worker scheme.
Jamie Collier, a GTIG adviser, noted in an April 2 report that while the US remains a key target, North Korean workers are establishing “a global ecosystem of fraudulent personas” to enhance their operational flexibility. This shift follows heightened awareness and stricter employment verification procedures in the US.
The infiltration spans multiple technology sectors. In the UK, North Korean workers have been found working on blockchain applications, including Solana smart-contract projects built with the Anchor framework. They’ve also worked on conventional web development and on AI applications that incorporate blockchain technologies.
These tech workers pose serious risks to the organizations that hire them. “This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption,” Collier warned in the report. The workers use deceptive tactics, falsely claiming nationalities from countries including Italy, Japan, Malaysia, and the US.
European Expansion and Sophisticated Operations
The expansion into Europe is well-coordinated. Google identified one North Korean worker operating at least 12 different personas across Europe and the US. Others submitted resumes listing degrees from the University of Belgrade in Serbia and claiming residence in Slovakia.
Investigations uncovered IT worker personas seeking employment in Germany and Portugal. GTIG also found login credentials for European job websites, instructions for navigating European job portals, and contacts for brokers specializing in false passports.
The North Korean operation extends beyond simple infiltration. According to Mohan Koo, co-founder and president of insider risk management firm DTEX, the company’s research indicates the scheme is more extensive than previously thought. “Some of the roles that we’re investigating, the infiltrators that we’re investigating right now, have actually got the keys to the kingdom,” Koo told CyberScoop.
These workers often hold privileged access rights: they can manage access for other employees, install and uninstall software, and commit code. That level of access is a serious security concern for the affected organizations.
The Operation: Team-Based Approach
The North Korean operation uses a team-based approach that lets a single hired persona appear to work impossibly long hours. Rob Schuett, director of insider intelligence investigations at DTEX, explained that these workers typically show anomalous login patterns.
“What we see with the DPRK worker is completely anomalous compared to everybody else, meaning you’ll see a login time that runs an extremely long amount of time and then there is no logout activity,” Schuett said. DTEX observed instances where workers remained logged in for four to five days continuously, with one case lasting three weeks.
This apparent productivity comes from the hired worker sharing desktop access with co-conspirators who have similar technical skills. Several people work through a single employee’s account, taking shifts and sometimes sitting side by side.
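The login pattern Schuett describes (a session that starts and then never ends, or runs for days) is simple to hunt for once session events are paired up. The detector below is an added example written for this article, not code from GTIG, DTEX or any named vendor. It runs over constructed sample lines in an assumed generic VPN session-log format (`session=start` / `session=end` with a `user=` field); the log format, the user names, and the 24-hour threshold are assumptions you would replace with your own source and baseline.

```python
"""Flag remote-access sessions that run far longer than any human shift.

Added example for this article. The log format, threshold and sample data are
assumptions, not a real product's output or a real incident.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample log (not real data, intentionally out of order).
# 'contractor7' shows the described pattern: one login, no logout for five
# days, then another login that is still open when the log ends.
SAMPLE_LOG = """\
2025-03-03T08:02:11Z vpn01 session=start user=jdoe src=203.0.113.10
2025-03-03T06:10:02Z vpn01 session=start user=contractor7 src=198.51.100.23
2025-03-03T17:30:44Z vpn01 session=end user=jdoe src=203.0.113.10
2025-03-04T08:01:05Z vpn01 session=start user=jdoe src=203.0.113.10
2025-03-04T17:45:12Z vpn01 session=end user=jdoe src=203.0.113.10
2025-03-08T07:55:30Z vpn01 session=end user=contractor7 src=198.51.100.23
2025-03-08T09:00:00Z vpn01 session=start user=contractor7 src=198.51.100.23
2025-03-10T12:00:00Z vpn01 session=start user=jdoe src=203.0.113.10
"""

# Assumed line shape: "<ISO timestamp>Z <host> session=<start|end> user=<u> [src=<ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ "
    r"session=(?P<event>start|end) user=(?P<user>\S+)(?: src=(?P<src>\S+))?$"
)


@dataclass
class Session:
    user: str
    src: Optional[str]
    start: datetime
    end: Optional[datetime]  # None means no logout seen by the end of the log


def parse_events(text):
    """Parse matching lines into (timestamp, event, user, src), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a session event; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["event"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])  # real logs are rarely delivered in order
    return events


def pair_sessions(events):
    """Pair each user's start with the next end; leave unmatched starts open."""
    open_by_user = {}
    sessions = []
    for ts, event, user, src in events:
        if event == "start":
            if user in open_by_user:
                # Second start with no end in between: close the first one at
                # the new start so it cannot masquerade as a days-long session.
                stale = open_by_user.pop(user)
                stale.end = ts
                sessions.append(stale)
            open_by_user[user] = Session(user, src, ts, None)
        else:
            s = open_by_user.pop(user, None)
            if s is None:
                continue  # end without a start (log rotated away); ignore
            s.end = ts
            sessions.append(s)
    sessions.extend(open_by_user.values())  # still open when the log ends
    return sessions


def session_hours(s, observed_at):
    """Duration in hours; an open session is measured up to observed_at."""
    return ((s.end or observed_at) - s.start).total_seconds() / 3600.0


def find_long_sessions(text, max_hours=24.0):
    """Return sessions longer than max_hours, measured as of the last event seen."""
    events = parse_events(text)
    if not events:
        return []
    observed_at = events[-1][0]
    findings = []
    for s in pair_sessions(events):
        h = session_hours(s, observed_at)
        if h > max_hours:
            findings.append({
                "user": s.user,
                "src": s.src,
                "start": s.start.isoformat(),
                "hours": round(h, 2),
                "open": s.end is None,  # True = no logout yet, the pattern DTEX describes
            })
    findings.sort(key=lambda f: (f["user"], f["start"]))
    return findings


if __name__ == "__main__":
    for finding in find_long_sessions(SAMPLE_LOG):
        print(finding)
```

On the sample data only the two `contractor7` sessions are reported (about 122 hours closed, then 51 hours and still open); `jdoe`'s shifts stay under ten hours. A fixed 24-hour cutoff is a starting point; in practice compare each user's durations against the population median so that legitimate long-running automation accounts can be excluded rather than hard-coded.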
Increasing Extortion Attempts
Since late October 2024, North Korean IT workers have increased extortion attempts, targeting larger organizations. After being fired, these workers threaten to release sensitive data or provide it to competitors. The data at risk includes proprietary information and source code for internal projects.
The rise in extortion coincides with increased US law enforcement action, which suggests these workers are under pressure to keep revenue flowing through more aggressive measures.
Previously, terminated workers would try to provide references for their other personas to get rehired. Now, suspecting their true identities have been discovered, they resort to extortion.
Scale of the Infiltration
The scale of infiltration is concerning. DTEX, which works with many Fortune Global 2000 organizations, currently has active investigations with 7% of its customer base. The firm estimates thousands of critical infrastructure organizations have been infiltrated by North Korean operatives.
Once hired, these workers move quickly to deepen their foothold. They pivot into virtual desktop infrastructure (VDI) environments and use their access to target trusted partners, creating supply chain risk.
Multiple threat hunters have observed a surge in insider threat activity linked to North Korea. Adam Meyers, head of CrowdStrike’s counter adversary operations, noted a “tremendous amount of companies” have unknowingly hired North Koreans for technical roles.
Nearly 40% of CrowdStrike’s incident response cases involving North Korea last year were insider-threat operations. Palo Alto Networks’ Unit 42 reported that insider threats tied to North Korea tripled in 2024.
Revenue Generation for the Regime
The primary motivation for these operations appears to be financial. North Korean technical workers generate hundreds of millions of dollars for the regime, according to Unit 42.
In January, the US Justice Department indicted two North Korean nationals for their involvement in a fraudulent IT work scheme involving at least 64 US companies from April 2018 to August 2024.
The US Treasury Department’s Office of Foreign Assets Control also sanctioned companies accused of being fronts for North Korea that generated revenue via remote IT work schemes.
Beyond Financial Motivation
While the current focus seems to be revenue generation, security experts worry about the potential for more damaging activities. Koo from DTEX suggests it’s “inconceivable” to think these workers won’t eventually plant backdoors, disable critical infrastructure, or commit other forms of sabotage.
“For any of us to be naive enough to think that that’s all they’re ever going to do is ridiculous,” Koo said. “We have to be vigilant because, at the point that they decide to weaponize in a different way, they have the access to do it.”
Identifying the Threat
Organizations can take steps to identify potential threats during the hiring process. Security professionals recommend requiring remote candidates to appear on camera and show government-issued identification; how a candidate behaves during video interviews can provide further signals.
“We can see other people in the room with them taking an interview,” Schuett said. “I don’t know about you, but when I’m applying for a job, I’m probably not doing it in a Starbucks or some other public location.”
Other red flags include long pauses during interviews and inconsistencies on resumes, such as claimed expertise in technologies before they were widely available.
Human resources professionals and recruiters serve as the first line of defense. For workers who make it past the hiring stage, companies should watch for unusual behaviors, such as a lack of casual communication in meetings or emails.
North Korean technical workers “don’t ask how your kid did in soccer last night,” Schuett noted. “They don’t talk about the new, cool restaurant they found, because they can’t.”