North Korea Expands Covert Operations in Europe, Threat Actors Pose as IT Specialists

• North Korean threat actors shift their focus from the U.S. to target countries in Europe.
• The hackers pretend to be remote IT professionals looking for freelance jobs in AI, blockchain technology, and web development.
• They leverage Upwork, Freelancer, and Telegram and claim to be from various other countries, including the U.S., Italy, and Japan.

North Korea's infiltration tactics have reached new heights, with their elusive IT worker network now targeting European companies to generate revenue for the regime. Previously concentrated in the U.S., these operations have expanded to nations like Germany, Portugal, and the U.K.

Posing as remote IT professionals, often under fabricated or stolen identities, these "IT warriors" leverage online platforms like Upwork, Freelancer, and Telegram to secure freelance contracts. 

Sophisticated tactics allow them to disguise their true locations, with personas claiming nationalities ranging from Italy and Japan to the U.S. and Vietnam.

According to Google's Threat Intelligence Group (GTIG), these operatives are paid through cryptocurrency and international services like Payoneer and TransferWise. Using these methods hides the true origin of funds and minimizes traceability.

North Korea's IT operatives are embedding themselves in European industries such as artificial intelligence, blockchain technology, and web development. 

Cases have already linked these agents to projects in Germany, Portugal, and the UK. Worryingly, some have targeted sensitive sectors like government and defense, fabricating references and credentials to access critical organizational systems.

Google Cloud’s Mandiant warns of the growing sophistication of these operations, highlighting the fact that these hackers moved from freelancing for revenue to extorting employers, stealing sensitive data, and issuing threats.

Authorities in Europe and worldwide have issued warnings and sanctions to curb these operations. In the U.K., the Office of Financial Sanctions Implementation (OFSI) issued warnings emphasizing the legal risks of unknowingly hiring North Korean IT workers.

The FBI and the U.S. Treasury Department have sanctioned North Korean entities linked to these fraud schemes. U.S. companies are alert to the ongoing risks, with reports suggesting hundreds of businesses have unknowingly employed these operatives. Sanctions block their earnings, intended to fund North Korea's weapon programs.