DPRK IT Workers Shift to Europe Amid Rising U.S. Scrutiny
The Google Threat Intelligence Group (GTIG) has published new findings on the threat posed by North Korean IT workers, who pose as legitimate remote freelancers to infiltrate companies and generate revenue for the DPRK regime. GTIG credits growing public awareness and enforcement action in the United States with disrupting the campaign, but notes that this pressure has pushed the actors toward Europe, where DPRK-linked workers are now actively pursuing employment. One worker reportedly managed at least 12 personas across the US and Europe, targeting sectors including government and defense. GTIG warns that organizations that “hire DPRK IT workers [are] at risk of espionage, data theft, and disruption.”
The campaign’s scale and capabilities are notable. DPRK IT workers take on a broad range of technical projects across the UK and other parts of Europe; GTIG confirms that “projects included web development, bot development, content management system (CMS) development, and blockchain technology, indicating a broad range of technical expertise.” Workers rely on false national identities, fabricate references, and use platforms such as Upwork, Freelancer, and Telegram to secure work and receive payment. Facilitators assist with onboarding, identity verification, and fund transfers; in some cases, devices issued for US-based roles were activated in locations such as London. Facilitator resources found in Europe include falsified documents and instructions for navigating local job markets, such as guidance on obtaining employment in Serbia and sourcing fake passports.
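The device-activation detail above is one of the few indicators a hiring organization can check mechanically: a laptop issued for a US role should not first appear on the network from London. The following is an added illustration, not code from GTIG or the report; the onboarding record format, the geo-IP table (documentation prefixes standing in for a real GeoIP database) and all sample records are constructed. It goes slightly beyond the text by also flagging several personas whose devices activate from the same IP, the pattern one would expect when a single facilitator onboards multiple identities.

```python
"""Flag remote-hire onboarding records whose device activation location does not match the
declared work location, and personas whose devices share an activation IP.
Added example with constructed data; not part of the GTIG report."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a geo-IP lookup (prefix -> ISO country code). These are RFC 5737
# documentation ranges, used here only so the example runs offline; a real deployment would
# query a GeoIP database instead.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "GB",
    ip_network("192.0.2.0/24"): "RS",
}


def geolocate(ip: str) -> str:
    """Return the country code for an IP, or '??' when the constructed table has no entry."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "??"


def find_anomalies(records):
    """records: iterable of dicts with keys persona, declared_country, device_id, activation_ip.

    Returns a list of (persona, reason) tuples, mismatches first, then shared-IP findings.
    """
    findings = []
    personas_by_ip = defaultdict(set)
    for r in records:
        country = geolocate(r["activation_ip"])
        personas_by_ip[r["activation_ip"]].add(r["persona"])
        # Indicator 1: device first activated in a country other than the one the hire declared.
        if country != r["declared_country"]:
            findings.append((
                r["persona"],
                f"device {r['device_id']} activated in {country}, declared {r['declared_country']}",
            ))
    # Indicator 2: several personas onboarded from one IP, consistent with a shared facilitator.
    for ip, personas in personas_by_ip.items():
        if len(personas) > 1:
            for persona in sorted(personas):
                findings.append((persona, f"activation IP {ip} shared with {len(personas) - 1} other persona(s)"))
    return findings


# Constructed sample onboarding records, not real telemetry.
SAMPLE_RECORDS = [
    {"persona": "alice.m", "declared_country": "US", "device_id": "LT-1001", "activation_ip": "203.0.113.10"},
    {"persona": "bob.k", "declared_country": "US", "device_id": "LT-1002", "activation_ip": "198.51.100.7"},
    {"persona": "carol.d", "declared_country": "US", "device_id": "LT-1003", "activation_ip": "198.51.100.7"},
    {"persona": "dan.p", "declared_country": "GB", "device_id": "LT-1004", "activation_ip": "198.51.100.22"},
]

if __name__ == "__main__":
    for persona, reason in find_anomalies(SAMPLE_RECORDS):
        print(f"{persona}: {reason}")
```

In the sample, alice.m and dan.p activate where they said they would and produce nothing, while bob.k and carol.d are both flagged twice: their US-role devices came online from a GB address, and from the same address. Neither indicator is proof on its own (VPNs and travel create mismatches), so the output is a triage queue for HR and security to follow up on, not an automatic block.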
The threat extends beyond initial access. GTIG reports a notable uptick in extortion: “In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor,” with the stolen information including source code and proprietary business data. GTIG links this rise to recent law enforcement pressure in the US, suggesting that workers under pressure to keep revenue flowing are adopting more aggressive, financially motivated tactics. IT workers are also increasingly exploiting bring-your-own-device (BYOD) environments and virtual workspaces, where organizations often lack endpoint visibility and conventional security tooling. GTIG warns that these conditions make malicious activity hard to detect and trace, a growing risk as the DPRK’s remote worker operations expand in scope, infrastructure, and aggressiveness.