North Korean (DPRK) IT workers are intensifying their efforts to infiltrate tech and cryptocurrency firms, particularly focusing on Europe.
Since its last update in September 2024, the threat intelligence group behind the report has observed an increase in DPRK IT workers infiltrating tech and cryptocurrency companies across various European nations. These individuals assume fake identities and create numerous false personas to land lucrative positions in the tech and blockchain sectors, often using additional fabricated profiles to supply references. In one instance, a single worker was found operating under at least 12 distinct personas across Europe and the U.S., deliberately targeting defense and governmental organizations.
As detailed in the latest report, several DPRK IT workers have been identified as actively participating in blockchain initiatives in the UK, including the development of Solana and Anchor/Rust smart contracts and the creation of a blockchain-based job marketplace utilizing the MERN stack and Solana.
Beyond these workers, investigations have revealed a support network assisting them in maneuvering through European job platforms and supplying them with counterfeit identification documents.
The North Korean regime’s aggressive push to expand IT worker infiltration is primarily motivated by the need to evade international sanctions that limit its access to global financial systems. With increasing economic pressure, the nation has turned to cyber operations as a significant source of revenue, utilizing IT workers to secure well-paying jobs and direct the proceeds back to the state. Estimates from the U.S. Treasury Department indicate these workers generate hundreds of millions of dollars for North Korea each year. The regime retains up to 90 percent of the earnings acquired by these workers, funneling considerable resources into military initiatives.
In addition to redirecting their salaries to the regime, North Korean IT workers sometimes serve as gateways for state-sponsored hacking groups, such as Lazarus Group, which recently gained notoriety for executing a $1.5 billion hack of the Bybit exchange. Lazarus was also responsible for stealing over $600 million from the Ronin Network (Axie Infinity) in 2022, with IT personnel playing a crucial role in breaching internal systems. In August 2024, on-chain investigator ZachXBT uncovered more than 25 crypto projects that had been compromised by DPRK developers.
Although the Lazarus attack on Bybit—after which North Korea became the fifth-largest governmental holder of Bitcoin (BTC)—was attributed to the exploitation of vulnerabilities in its multi-signature wallet rather than direct infiltration, it has raised awareness regarding the DPRK’s threat level in the U.S. This increased concern is one of the main factors driving the growth of North Korean infiltration activities in Europe, along with heightened public disclosures, U.S. Department of Justice indictments, and issues related to right-to-work verification.