The so-called IT army of North Korea has expanded its operations beyond the United States and is now increasingly targeting companies across Europe. They conceal their true identities and pose as employees from other countries, including Ukraine.
North Korean IT specialists are connecting through laptop farms to fraudulently secure remote freelance IT positions at companies worldwide, generating profit for the regime of the Democratic People's Republic of Korea (DPRK).
As discovered by security researchers from Google Threat Intelligence Group (GTIG), the North Korean IT army is increasingly targeting positions at companies in Germany, Portugal, and the UK, after many of its members faced charges and sanctions in the US.
"To secure these positions, North Korean IT workers used deceptive tactics, posing as citizens of various countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. They used a combination of real and fabricated identities," said Jamie Collier, senior threat intelligence advisor at GTIG.
IT workers in Europe were hired through various online platforms, including Upwork, Telegram, and Freelancer. Payment for their services was made via cryptocurrency, TransferWise, and Payoneer, methods that conceal the origin and destination of the funds. For instance, GTIG investigators discovered user credentials on European employment websites and HR platforms linked to North Korean IT workers seeking jobs at companies in Germany and Portugal. These North Korean IT specialists were also associated with numerous projects in the UK, ranging from artificial intelligence and blockchain technologies to website development, bots, and content management systems, according to BleepingComputer.
Another North Korean IT worker targeted several European defense industry and government sector organizations at the end of 2024, using fabricated references and identities to more easily deceive recruiters hiring them.
After being discovered and dismissed, some of these North Korean IT workers used insider information to extort former employers, threatening to leak confidential information stolen from company systems.