North Korean IT workers set their sights on European organizations
North Korean IT workers are expanding their efforts beyond the US and are seeking to fraudulently gain employment with organizations around the world, especially in Europe.
According to Google’s threat researchers, the workers are also increasingly attempting to extort money from these companies once they are discovered and/or fired.
“Previously, workers terminated from their places of employment might attempt to provide references for their other personas so that they could be rehired by the company. It is possible that the workers suspected they were terminated due to discovery of their true identities, which would preclude attempts to be rehired,” the researchers opined.
“The increase in extortion campaigns coincided with heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments. This suggests a potential link, where pressure on these workers may be driving them to adopt more aggressive measures to maintain their revenue stream.”
European targets
For the past few years, there has been a concentrated push in the US to raise awareness about the threat, to root out and punish US-based facilitators of these schemes, to bring to justice the IT workers engaged in them, to uncover front companies that help these workers mask their true origin, and to help organizations spot the threat before it’s too late.
In all probability, this influenced the workers to concentrate more on targets located in other economically and technologically advanced countries in Europe, Asia, Australia and Latin America.
Countries targeted by DPRK IT workers (Source: Google Threat Intelligence Group)
“Google Threat Intelligence Group (GTIG) has identified an increase of active operations in Europe,” the company said.
“In late 2024, one DPRK IT worker operated at least 12 personas across Europe and the United States. The IT Worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors.”
In another case, North Korean tech workers have been spotted using fake personas on European job websites and human capital management platforms to search for work in Germany and Portugal.
In the UK, North Korea-linked workers infiltrated companies that work on developing websites and web applications, job marketplaces, content management systems, bots, and blockchain-based technologies.
Google researchers have also noticed these workers’ growing predilection for organizations that allow workers to use their own devices and access company systems through virtual machines.
“Unlike corporate laptops that can be monitored, personal devices operating under a BYOD policy may lack traditional security and logging tools, making it difficult to track activities and identify potential threats. This absence of conventional security measures means that typical evidence trails linked to IT workers, such as those derived from corporate laptop shipping addresses and endpoint software inventories, are unavailable,” they explained.
The techniques and tools employed
To snag jobs in Europe, North Korean IT workers:
- Use fake identities of different nationalities (Italian, Japanese, Ukrainian, Vietnamese, etc.) that combine real and fabricated personas
- Cosy up to job recruiters
- Use fake identities to provide job references
- Use online platforms like Upwork, Telegram, and Freelancer to get recruited by target organizations
- Use TransferWise, Payoneer and similar payment services to obfuscate the destination of the money they get paid for the work
Individuals and entities facilitating this fraud have also been uncovered in Europe and the UK, helping North Korean IT workers to acquire fraudulent identification documents, navigate European job sites, more convincingly impersonate European-based workers, etc.