North Korean IT Workers Infiltrate European Tech Firms, Circumvent Sanctions
North Korean IT workers have intensified their efforts to infiltrate tech and crypto firms across Europe, according to the latest observations from the Google Threat Intelligence Group. Since September 2024, these workers have been using fake identities and multiple personas to secure high-paying jobs in various tech and blockchain companies. This strategy involves creating additional fabricated personas for references, making it difficult for companies to detect their true identities. In one notable instance, a single individual was found operating under at least 12 different personas across Europe and the U.S., targeting organizations within the defense and government sectors.
The infiltration efforts are not limited to Europe; North Korean IT workers have also been actively involved in blockchain projects in the UK. These projects include developing Solana and Anchor/Rust smart contracts, as well as building a blockchain-based job marketplace using the MERN stack and Solana. The network of facilitators supporting these workers is extensive, providing them with false identity documents and helping them navigate European job websites.
The aggressive expansion of North Korean IT worker infiltration is driven by the regime's need to circumvent international sanctions that have restricted its access to global financial systems. With economic pressure mounting, North Korea has turned to cyber operations as a major revenue stream. IT workers secure high-paying jobs and funnel earnings back to the state, with the DPRK government withholding up to 90 percent of the wages earned by these workers. These funds are then channeled into military projects, highlighting the strategic importance of these cyber operations for the regime.
Beyond directly funneling their salaries to the regime, North Korean IT workers sometimes act as entry points for state-sponsored hacking groups like the Lazarus Group. This group was recently in the spotlight for orchestrating the $1.5 billion hack of the Bybit exchange. Notably, Lazarus stole over $600 million from the Ronin Network (Axie Infinity) in 2022, with IT workers playing a key role in providing access to internal systems. In August 2024, on-chain sleuth ZachXBT uncovered over 25 crypto projects infiltrated by DPRK developers.
While the Lazarus Group's hack of Bybit was linked to the exploitation of vulnerabilities in its multi-sig wallet rather than direct infiltration, it has raised awareness of the DPRK’s threat. This heightened awareness is one of the key factors behind the expansion of North Korean infiltration efforts into Europe. Other factors include increased public reporting, U.S. Department of Justice indictments, and challenges related to right-to-work verification. The DPRK's cyber operations are not only a means to generate revenue but also a strategic tool to advance its military and technological capabilities, posing a significant threat to global cybersecurity.
