North Korean Hackers Infiltrate European Blockchain Firms Using Fake IT Jobs

Generated by AI Agent Coin World
Tuesday, Apr 1, 2025 11:09 pm ET

North Korean hackers have been actively infiltrating European blockchain firms, posing as IT workers to steal sensitive data and conduct espionage. This tactic involves the use of fake identities and credentials to gain access to these firms, allowing the hackers to snoop on internal communications and steal valuable information. The infiltration is part of a broader strategy by North Korean cyber operatives to expand their operations in the face of increased scrutiny and crackdowns by U.S. authorities.

The hackers, believed to be linked to the Lazarus Group, have been exploiting vulnerabilities in IT tools and VPNs to gain initial access to networks. Once inside, they use stolen credentials to move laterally within the organization, elevating their privileges and accessing sensitive data. This method has been particularly effective in targeting blockchain firms, which often handle large amounts of cryptocurrency and other valuable digital assets.

The infiltration of these firms is a significant concern for the cybersecurity community, as it highlights the evolving tactics of state-sponsored hackers. The use of fake IT hires to conduct espionage is a sophisticated approach that can be difficult to detect, as the hackers blend in with legitimate employees. This tactic allows them to operate undetected for extended periods, increasing the risk of data theft and disruption.

According to a report released by Google Threat Intelligence Group (GTIG) advisor Jamie Collier, North Korean tech spies are systematically infiltrating global blockchain enterprises. After the United States strengthened identity verification, these individuals turned to European markets such as the UK, successfully infiltrating multiple projects including a blockchain job platform, Anchor smart contract development, and others. The tech fraudsters have forged at least 12 European identities, establishing a global network of false personas.

Blockchain has become the new battlefield for North Korean hackers. The report shows that these North Korean tech workers have built a vast network of fake identities: forging a degree from the University of Belgrade in Serbia, using a residential address in Slovakia, gaining access to European job site credentials, and utilizing professional fake passport services, among other tactics. More alarmingly, since October 2024, related ransomware incidents have significantly increased. Dismissed "employees" will threaten to expose sensitive data of former employers, including proprietary project source code. GTIG believes this reflects North Korea's financial strain due to US sanctions.

Blockchain detective ZachXBT had exposed the North Korean developer network as early as August 2024, with these individuals receiving a monthly reward of $500,000 from a "well-known crypto project." In January 2025, the US Department of Justice indicted two North Korean citizens, accusing them of penetrating 64 US companies through fake IT jobs between 2018 and 2024.

This infiltration highlights the evolving tactics of state-sponsored hackers, who are increasingly targeting blockchain firms due to the valuable digital assets they handle. The use of fake IT hires to conduct espionage is a sophisticated approach that can be difficult to detect, as the hackers blend in with legitimate employees. This tactic allows them to operate undetected for extended periods, increasing the risk of data theft and disruption.

The North Korean hackers have been using a variety of tools and techniques to carry out their operations. They have been observed exploiting common IT tools like remote management software and VPNs to gain initial access to networks. Once inside, they use stolen credentials to move laterally within the organization, elevating their privileges and accessing sensitive data. This method has been particularly effective in targeting blockchain firms, which often handle large amounts of cryptocurrency and other valuable digital assets.

