North Korea Expands Covert Operations in Europe, Threat Actors Pose as IT Specialists

Written by: Lore Apostol, Cybersecurity & Streaming Writer

North Korea's infiltration tactics have reached new heights, with its elusive IT worker network now targeting European companies to generate revenue for the regime. Previously concentrated in the U.S., these operations have expanded to nations like Germany, Portugal, and the U.K.

Posing as remote IT professionals, often under fabricated or stolen identities, these "IT warriors" leverage online platforms like Upwork, Freelancer, and Telegram to secure freelance contracts. 

Sophisticated tactics allow them to disguise their true locations, with personas claiming nationalities ranging from Italy and Japan to the U.S. and Vietnam.

Countries impacted by DPRK IT workers | Source: Mandiant

According to Google's Threat Intelligence Group (GTIG), these operatives are paid through cryptocurrency and international services like Payoneer and TransferWise. Using these methods hides the true origin of funds and minimizes traceability.

North Korea's IT operatives are embedding themselves in European industries such as artificial intelligence, blockchain technology, and web development. 

Cases have already linked these agents to projects in Germany, Portugal, and the U.K. Worryingly, some have targeted sensitive sectors like government and defense, fabricating references and credentials to access critical organizational systems.

Google Cloud’s Mandiant warns of the growing sophistication of these operations, highlighting that these hackers have moved from freelancing for revenue to extorting employers, stealing sensitive data, and issuing threats.

Authorities in Europe and worldwide have issued warnings and sanctions to curb these operations. In the U.K., the Office of Financial Sanctions Implementation (OFSI) issued warnings emphasizing the legal risks of unknowingly hiring North Korean IT workers.

The FBI and the U.S. Treasury Department have sanctioned North Korean entities linked to these fraud schemes. U.S. companies are alert to the ongoing risks, with reports suggesting hundreds of businesses have unknowingly employed these operatives. The sanctions block their earnings, which are intended to fund North Korea's weapons programs.

