DPRK IT worker threat expands beyond the US, focuses on Europe

The scope and sophistication of North Korean (DPRK) IT worker schemes continue to expand, warns a new report from the Google Threat Intelligence Group (GTIG). Posing as legitimate remote workers, DPRK IT workers infiltrate organizations to generate revenue for the North Korean regime, while also engaging in espionage and data theft.

GTIG reports a surge in DPRK IT worker activity in Europe, expanding beyond the United States. The schemes also come with new tactics, including aggressive extortion campaigns and compromises of corporate virtualized infrastructure.

In late 2024, one DPRK IT worker operated at least 12 personas across both Europe and the US, targeting organizations in the defense sector and government agencies. The worker employed a range of deceptive tactics, such as falsifying references and creating a network of fake personas to vouch for their credibility.

Further analysis uncovered multiple other IT worker personas operating in Germany and Portugal, along with compromised login credentials for European job platforms and human capital management systems. These workers seek employment through online platforms such as Upwork, Telegram, and Freelancer, with payments funneled through cryptocurrency and services like TransferWise and Payoneer to obscure the origin and destination of funds.

In the United Kingdom, DPRK IT workers have engaged in a wide range of technical projects, including web development, blockchain applications, and AI-powered solutions. Specific projects include the development of a job marketplace using Next.js, React, MongoDB, and blockchain-based platforms like Solana, Google said.

The researchers also noted an uptick in extortion attempts, particularly against larger organizations. Workers, often dismissed after being discovered, have threatened to leak sensitive company data, including proprietary information and source code, to competitors. In some cases, these threats appear to stem from workers realizing they were terminated because their true identities had been discovered, making any attempt at reemployment impossible.

The rise of Bring Your Own Device (BYOD) policies in many organizations has further increased the risk.

“Unlike corporate laptops that can be monitored, personal devices operating under a BYOD policy may lack traditional security and logging tools, making it difficult to track activities and identify potential threats. This absence of conventional security measures means that typical evidence trails linked to IT workers, such as those derived from corporate laptop shipping addresses and endpoint software inventories, are unavailable. All of this increases the risk of undetected malicious activity,” the report said. “GTIG believes that IT workers have identified BYOD environments as potentially ripe for their schemes, and in January 2025, IT workers are now conducting operations against their employers in these scenarios.”

2 April 2025