Fraudulent tech workers with ties to North Korea are expanding their infiltration operations to blockchain firms outside the US after increased scrutiny from authorities, with some having worked their way into UK crypto projects, Google says.

Google Threat Intelligence Group (GTIG) adviser Jamie Collier said in an April 2 report that while the US is still a key target, increased awareness and right-to-work verification challenges have forced North Korean IT workers to find roles at non-US companies.

“In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” Collier said. 

“Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations,” he added. 

The North Korea-linked workers are infiltrating projects spanning traditional web development and advanced blockchain applications, such as projects involving Solana and Anchor smart contract development, according to Collier. 

Another project building a blockchain job marketplace and an artificial intelligence web application leveraging blockchain technologies was also found to have North Korean workers. 

“These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime,” Collier said. 

“This places organizations that hire DPRK [Democratic People's Republic of Korea] IT workers at risk of espionage, data theft, and disruption.”

North Korea looking to Europe for tech jobs

Along with the UK, Collier says the GTIG identified a notable focus on Europe, with one worker using at least 12 personas across Europe and others using resumes listing degrees from Belgrade University in Serbia and residences in Slovakia. 

Separate GTIG investigations found personas seeking employment in Germany and Portugal, login credentials for user accounts of European job websites, instructions for navigating European job sites, and a broker specializing in false passports.

At the same time, since late October, the North Korean workers have increased the volume of extortion attempts and gone after larger organizations, which the GTIG speculates is the workers feeling pressure to maintain revenue streams amid a crackdown in the US. 

“In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects,” Collier said. 

In January, the US Justice Department indicted two North Korean nationals for their involvement in a fraudulent IT work scheme involving at least 64 US companies from April 2018 to August 2024.

The US Treasury Department’s Office of Foreign Assets Control also sanctioned companies it accused of being fronts for North Korea that generated revenue via remote IT work schemes.

Crypto founders have also been reporting an increase in activity from North Korean hackers, with at least three founders reporting on March 13 that they foiled attempts to steal sensitive data through fake Zoom calls.

  In August, blockchain investigator ZachXBT claimed to have uncovered a sophisticated network of North Korean developers earning $500,000 a month working for “established” crypto projects.