SecurityWeek

North Korea’s IT Operatives Are Exploiting Remote Work Globally

The global rise of North Korean IT worker infiltration poses a serious cybersecurity risk—using fake identities, remote access, and extortion to compromise organizations.

The scope, scale, and evolving tactics of North Korean IT workers infiltrating western organizations continue to grow. Europe is targeted, and extortion has been added.

The US remains a key target for North Korea (DPRK), but the threat is understood, and the right-to-work verification challenge is making the scheme and scam more difficult. This is probably a key factor in the increase in operations in other countries. Google Threat Intelligence Group (GTIG) now calls the operation a global threat.

In late 2024, one worker operated at least 12 personas across Europe and the US. These personas would provide job references for each other. Other IT worker personas were discovered in Germany and Portugal.

In the UK, DPRK IT workers have been involved in projects including web, bot, and CMS development, blockchain technology and AI applications – showcasing the wide technical expertise of the infiltrators.

In Europe generally, the IT workers – claiming to be of various nationalities including Japanese, Malaysian, Vietnamese, Ukrainian and American – have been recruited through platforms such as Upwork, Telegram and Freelancer. Payment is sought in cryptocurrency and Payoneer to help obfuscate the source and destination of funds.

As in the US, facilitators are used to support the workers. In one instance, a DPRK IT worker used facilitators in both the US and UK. In another, a corporate laptop intended for use in New York was found to be operational in London. Contact details for a broker specializing in false passports were also discovered. 

The use of extortion, with recently fired IT workers threatening to release their employer’s sensitive data including source code, has also increased since late October 2024. “The increase in extortion campaigns coincided with heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments. This suggests a potential link, where pressure on these workers may be driving them to adopt more aggressive measures to maintain their revenue stream,” report the GTIG researchers.

GTIG also believes that DPRK IT workers are focusing efforts on employers known to operate a BYOD policy for remote workers. The advantage to the employer is less capital cost in supplying corporate laptops; but the advantage to the fake worker is less oversight on activity.

“In response to heightened awareness of the threat within the United States, [DPRK IT workers] have established a global ecosystem of fraudulent personas to enhance operational agility. Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.