With fake references

Fake IT employee from North Korea had 12 identities

A single North Korean agent operated with twelve different identities in Europe and the USA at the same time, while other IT employees were specifically looking for jobs in Germany and Portugal.

North Korean IT professionals acting on behalf of the regime have expanded their operations geographically and intensified their efforts to penetrate Western companies, according to a recent report by the Google Threat Intelligence Group (GTIG).

While the US remains a prime target, North Korean actors have found it increasingly difficult to find and retain employment there in recent months. According to Google researchers, this is probably due to increased awareness of this threat – not least as a result of public reporting, charges brought by the US Department of Justice and increased scrutiny of labour laws.

North Korean agents infiltrate European labor market

At the same time, further North Korean IT agents have been identified who are specifically looking for employment in Germany and Portugal. They use European job websites and HR platforms with stolen or falsified credentials. In the UK, GTIG documented a broad portfolio of projects under North Korean control, ranging from traditional web development, bot programming and content management systems to blockchain technology and AI applications.

At the end of 2024, an "IT employee" from North Korea is said to have had at least 12 personas in Europe and the United States. "The IT Worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors. This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility," the research team writes.

Complex network of deception and fake identities

The North Korean actors pretend to be citizens of Italy, Japan, Malaysia, Singapore, Ukraine, the USA or Vietnam. They are recruited via platforms such as Upwork, Telegram and Freelancer, while payment is processed via cryptocurrencies, TransferWise and Payoneer to conceal cash flows.

During the investigation, GTIG discovered materials with instructions on how to navigate European job websites, fake CVs with Serbian university degrees and Slovakian residences, as well as contact details for an intermediary specializing in fake passports. One revealing find was a document with precise instructions on how to find a job in Serbia.

Increasing attempts at blackmail after exposure

According to GTIG, North Korean IT workers have also stepped up their tactics since the end of October 2024. The security researchers have registered an increase in blackmail attempts aimed at larger organizations. In several documented cases, recently dismissed IT employees threatened to publish sensitive data from their former employers or pass it on to competitors. This data included proprietary information and source code for internal projects. The rise in extortion campaigns has coincided with increased action by US law enforcement agencies, suggesting that increasing pressure is driving actors to more aggressive methods to maintain their revenue streams.
