North Korean cyber operatives are expanding their reach beyond the United States, infiltrating blockchain firms in the United Kingdom and across Europe, according to a new report by Google Threat Intelligence Group (GTIG). The regime-backed workers are securing roles in crypto and blockchain projects using fraudulent identities, increasing cybersecurity risks for businesses.
North Korea’s Global Infiltration Strategy
Google’s cybersecurity expert Jamie Collier revealed in an April 2 report that while the US remains a primary target, heightened scrutiny and stricter work verification processes have forced North Korean IT operatives to seek opportunities elsewhere.
“In response to increased awareness of their activities in the US, they have built a global network of fake personas to maintain operational flexibility,” Collier stated.
Investigations have identified North Korean-linked individuals working on blockchain and crypto projects, including smart contract development for Solana and Anchor. Additionally, one infiltrated project was building a blockchain-powered job marketplace alongside an AI web application. These operatives pose as remote workers, earning salaries that ultimately fund the North Korean regime.
European Expansion and Fake Identities
North Korea’s influence in Europe is growing, with fraudulent job seekers using multiple personas across the continent. Some have submitted fake resumes listing degrees from Serbia’s Belgrade University, while others claim to reside in Slovakia. Google’s research also uncovered attempts to secure employment in Germany and Portugal, along with the use of European job websites to find targets.
To support these efforts, brokers specializing in false passports have reportedly assisted in fabricating identities, making it easier for North Korean operatives to bypass security measures.
Extortion and Cyber Threats on the Rise
As US authorities crack down on these schemes, North Korean cyber operatives have resorted to more aggressive tactics. Since October, extortion attempts have surged, targeting larger organizations. Recently terminated workers have threatened to leak proprietary data or sell it to competitors, putting companies at risk.
“These workers have access to sensitive company data, making their employers vulnerable to espionage, data theft, and operational disruptions,” Collier warned.
US Crackdown on North Korean Cyber Threats
The US government has been actively pursuing North Korean cybercriminals. In January, the Department of Justice indicted two North Korean nationals linked to a fraudulent IT work scheme that affected at least 64 US companies between 2018 and 2024. Additionally, the US Treasury Department imposed sanctions on firms accused of serving as financial fronts for the North Korean government.
Meanwhile, crypto founders have reported increased hacking attempts from North Korean operatives. On March 13, at least three founders disclosed that they had thwarted attempts to steal sensitive data through fake Zoom calls.
The Growing Risk for Blockchain and Crypto Firms
As North Korean cyber operatives refine their tactics, businesses—particularly in blockchain and crypto—must strengthen their cybersecurity measures. Companies should implement rigorous identity verification processes, monitor employee activities, and stay updated on emerging threats to avoid falling victim to these sophisticated schemes.
