North Korean technology workers have infiltrated blockchain projects in the United Kingdom, reflecting a shift in their activities due to intensified scrutiny by U.S. authorities, according to intelligence reported by Google’s Threat Intelligence Group (GTIG).
Previously centered largely on businesses within the United States, these North Korean IT workers have now expanded to the UK and other European countries, establishing a sophisticated network of false online identities and digital infrastructure designed to conceal their true affiliations. GTIG adviser Jamie Collier indicated that this shift has taken place in reaction to increased vigilance within the U.S., prompting these actors to seek new venues where identity verification and regulatory oversight may be weaker or more easily bypassed.
In addition to adopting broader geographic outreach, these operatives have also diversified into fields beyond traditional IT roles, now entering advanced blockchain-related opportunities. Evidence reveals their involvement in high-tech blockchain initiatives, including smart contract development using platforms such as Solana and Anchor. One project impacted was even focused on building a blockchain-based recruiting marketplace as well as an artificial-intelligence-driven web application.
Collier emphasized that these covert workers operate under the pretense of being legitimate, qualified remote developers and technology specialists. By gaining employment at targeted companies, they pose significant threats including espionage, intellectual property theft, and potentially severe operational disruptions. Such activities are reportedly crucial revenue streams for the North Korean regime.
GTIG further identified extensive operations across Europe beyond the United Kingdom. Investigations into these activities revealed operatives using multiple fake identities, claimed academic credentials from Belgrade University in Serbia, and addresses located in Slovakia. GTIG also uncovered North Korean-linked profiles actively seeking employment within German and Portuguese tech sectors, possession of login credentials for European job platforms, and instructions related to navigating these employment systems. A facilitator specializing in providing fraudulent passports was also discovered, further indicating the operational scale and intent of these illicit networks.
In recent months, North Korean actors’ tactics have grown more aggressive. Alongside covert employment, they have increasingly resorted to extortion targeting larger entities. In some cases, dismissed workers have threatened former employers with leaking sensitive internal data, such as proprietary source codes, in exchange for payment or other demands. Such measures highlight increased pressure faced by these operatives amid tighter enforcement in traditional regions, particularly the United States.
Earlier this year, U.S. authorities elevated their response, indicting two North Korean citizens accused of engaging in an extensive fraudulent scheme targeting 64 American corporations over a period of several years. Simultaneously, the U.S. Treasury introduced sanctions against companies accused of serving as covers for North Korean activities by facilitating remote IT employment scams yielding substantial revenues for the Pyongyang regime.
Concerns have also been voiced recently by crypto sector founders, who report a spike in attempted hacks originating from North Korean groups. These attempts have involved sophisticated attacks, including simulated Zoom calls purportedly with venture capitalists designed to extract sensitive business information.
Additionally, blockchain investigator ZachXBT recently revealed the existence of a significant, highly coordinated network of North Korean developers earning approximately $500,000 monthly working undercover for reputable cryptocurrency projects. This underscores the growing global threat posed by Pyongyang-backed operatives firmly embedded within tech communities and enterprises worldwide.
