North Korean Tech Workers Expand to UK Blockchain Firms Amid US Scrutiny

Generated by AI Agent Coin World
Tuesday, Apr 1, 2025 10:46 pm ET

North Korean tech workers have expanded their infiltration operations to blockchain firms outside the US, particularly in the UK, following increased scrutiny from authorities. According to an April 2 report by Google's Threat Intelligence Group (GTIG), while the US remains a key target, heightened awareness and right-to-work verification challenges have forced North Korean IT workers to seek roles at non-US companies.

Jamie Collier, an adviser to the GTIG, noted that North Korean IT workers have established a global ecosystem of fraudulent personas to enhance their operational agility. This development, coupled with the discovery of facilitators in the UK, suggests the rapid formation of a global infrastructure and support network that empowers their continued operations.

The North Korea-linked workers are infiltrating a variety of projects, including traditional web development and advanced blockchain applications. These projects involve technologies such as Solana and Anchor smart contract development, as well as a blockchain job marketplace and an artificial intelligence web application leveraging blockchain technologies.

These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime. This places organizations that hire North Korean IT workers at risk of espionage, data theft, and disruption.

In addition to the UK, there is a notable focus on Europe. One worker was found using at least 12 personas across Europe, with others listing degrees from Belgrade University in Serbia and residences in Slovakia. Separate investigations found personas seeking employment in Germany and Portugal, login credentials for user accounts of European job websites, instructions for navigating European job sites, and a broker specializing in false passports.

Since late October, the North Korean workers have increased the volume of extortion attempts and targeted larger organizations. This is speculated to be a response to pressure to maintain revenue streams amid a crackdown in the US. In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor. The data at stake included proprietary data and source code for internal projects.

In January, the US Justice Department indicted two North Korean nationals for their involvement in a fraudulent IT work scheme involving at least 64 US companies from April 2018 to August 2024. The US Treasury Department’s Office of Foreign Assets Control also sanctioned companies accused of being fronts for North Korea that generated revenue via remote IT work schemes.

Crypto founders have also reported an increase in activity from North Korean hackers, with at least three founders reporting on March 13 that they foiled attempts to steal sensitive data through fake calls. In August, a blockchain investigator claimed to have uncovered a sophisticated network of North Korean developers earning significant amounts working for “established” crypto projects.
