North Korean IT workers are intensifying their efforts to infiltrate technology and cryptocurrency firms across Europe.
According to insights from Google’s Threat Intelligence Group, there has been a significant increase in the number of North Korean IT professionals targeting both tech and crypto companies in various European nations since the last update in September 2024. These individuals often operate under false identities, crafting numerous fake personas to land lucrative positions in firms dealing with technology and blockchain. In one notable instance, a single worker was discovered managing at least 12 different identities across Europe and the United States, with a focus on companies within the defense and government sectors.
Recent findings suggest that several North Korean IT workers are actively engaged in blockchain-related projects in the United Kingdom, including the development of smart contracts for Solana and Anchor/Rust and the creation of a blockchain-based job marketplace utilizing the MERN stack along with Solana.
Furthermore, investigations have identified a supporting network that aids these workers in navigating European job platforms and provides them with counterfeit identity documents.
The surge in North Korean IT worker infiltration is largely motivated by the regime’s imperative to bypass international sanctions that limit its access to global financial systems. Faced with increasing economic challenges, the country has turned to cyber operations as a crucial source of revenue, with IT workers securing high-paying roles and sending their earnings back to the state. In 2022, estimates from the U.S. Treasury Department suggested that these workers collectively generated hundreds of millions of dollars annually for North Korea. The regime retains up to 90 percent of these salaries, funneling significant resources into military initiatives.
In addition to directing their earnings to the government, North Korean IT workers can also serve as conduits for state-sponsored hacking groups, including the notorious Lazarus Group. This group recently gained attention for orchestrating a $1.5 billion hack of the Bybit exchange. In 2022, Lazarus was responsible for stealing over $600 million from the Ronin Network, with IT workers playing a pivotal role in accessing internal systems. A recent investigation by on-chain analyst ZachXBT uncovered that over 25 cryptocurrency projects had been compromised by North Korean developers.
The Lazarus Group’s hack of Bybit, after which North Korea emerged as the fifth-largest government holder of Bitcoin, was linked to the exploitation of weaknesses in the exchange’s multi-signature wallet rather than direct infiltration. Even so, it has underscored the potential threat posed by North Korea to the United States. Increased awareness of this threat is a significant factor driving the expansion of North Korean infiltration into European markets, along with heightened public scrutiny, indictments from the U.S. Department of Justice, and complexities concerning employment verification processes.