TLDR
- North Korean tech workers have infiltrated UK blockchain projects and expanded operations globally after US crackdown
- These workers pose as legitimate remote employees while funneling wages back to North Korea’s regime
- Up to 7% of Fortune Global 2000 organizations may be compromised, with some infiltrators having privileged access rights
- Workers often operate in teams, working impossibly long shifts and demonstrating unusual login patterns
- The scheme generates hundreds of millions of dollars for North Korea’s weapons programs with potential for future espionage or sabotage
North Korean tech workers are expanding their reach into blockchain companies worldwide, with some having already infiltrated UK crypto projects, according to recent reports from Google and cybersecurity experts. These workers pose as legitimate remote employees while secretly working for the North Korean regime, generating income that is believed to fund weapons programs.
The Growing Scope of Infiltration
Google Threat Intelligence Group (GTIG) adviser Jamie Collier reported on April 2 that North Korean IT workers are targeting companies outside the US after facing increased scrutiny from American authorities. “In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” Collier stated.
The workers have been found in projects spanning traditional web development and advanced blockchain applications. Some have worked on Solana and Anchor smart contract development, as well as blockchain job marketplaces and AI web applications that leverage blockchain technologies.
Beyond the UK, Google has identified a focus on Europe. Some workers use at least 12 different personas across the continent, with resumes listing degrees from Belgrade University in Serbia and residences in Slovakia. Investigations have uncovered personas seeking employment in Germany and Portugal.

DTEX, an insider risk management firm, told CyberScoop that the problem is larger than previously thought. “We work with a fair cross-section of the Fortune Global 2000 organizations, and right now we have active investigations going on with 7% of our customer base,” said Mohan Koo, co-founder and president of DTEX.
How They Operate
The North Korean workers aren’t just freelancers or contractors. Many have gained full-time employment as engineers and specialists with high-level access to enterprise systems. “Some of the roles that we’re investigating, the infiltrators that we’re investigating right now, have actually got the keys to the kingdom,” Koo explained.
These workers often operate in teams, with multiple people performing tasks assigned to one person. This creates unusual work patterns that can serve as red flags. DTEX discovered that suspected North Korean workers show login times that run for extremely long periods, sometimes four to five days without logging out.
The average time between North Korean worker logins and logoffs is six to seven days, with one instance of continuous activity lasting three weeks. This superhuman productivity occurs because workers open remote sessions and share their desktop with other co-conspirators who have similar skills.
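The multi-day activity pattern described above can be tested against endpoint or VDI activity telemetry. The following Python is an added example, not code from DTEX, Google or this article; the thresholds, the account names and the sample records are constructed assumptions. It finds each account's longest run of activity with no rest gap and flags runs longer than one person could plausibly sustain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the article): one person normally leaves a
# rest gap of several hours at least once a day.
MAX_IDLE_GAP = timedelta(hours=4)       # a longer gap ends a streak
MAX_HUMAN_STREAK = timedelta(hours=20)  # a longer streak is flagged


def longest_streaks(events):
    """events: iterable of (account, datetime) interactive-activity records.
    Returns {account: (start, end)} of the longest run of activity in which
    no gap between consecutive records exceeds MAX_IDLE_GAP."""
    by_account = defaultdict(list)
    for account, ts in events:
        by_account[account].append(ts)
    result = {}
    for account, stamps in by_account.items():
        stamps.sort()
        start = prev = stamps[0]
        best = (start, prev)
        for ts in stamps[1:]:
            if ts - prev > MAX_IDLE_GAP:
                start = ts          # rest gap seen: begin a new streak
            prev = ts
            if prev - start > best[1] - best[0]:
                best = (start, prev)
        result[account] = best
    return result


def flag_accounts(events):
    """Accounts whose longest unbroken streak exceeds MAX_HUMAN_STREAK."""
    streaks = longest_streaks(events)
    return sorted(a for a, (s, e) in streaks.items() if e - s > MAX_HUMAN_STREAK)


def build_sample():
    """Constructed telemetry: dev_a works 09:00-17:00 for five days;
    dev_b shows activity every two hours, day and night, for five days."""
    t0 = datetime(2025, 1, 6, 9, 0)
    events = [("dev_a", t0 + timedelta(days=d, hours=h))
              for d in range(5) for h in range(9)]
    events += [("dev_b", t0 + timedelta(hours=2 * i)) for i in range(60)]
    return events


if __name__ == "__main__":
    for account, (s, e) in longest_streaks(build_sample()).items():
        print(account, e - s)
    print("flagged:", flag_accounts(build_sample()))
```

Measuring activity rather than open sessions matters because ordinary users also leave locked sessions open for days; the signal is the missing rest gap.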
Once hired, they move quickly to further infiltrate organizations. They pivot into virtual desktop infrastructure environments and use their access to move into trusted partner networks, creating supply chain vulnerabilities. They also install various remote access tools during onboarding, when such activity is expected and less likely to raise suspicion.
Financial Motives and Future Threats
According to GTIG, since late October, North Korean workers have increased the volume of extortion attempts and targeted larger organizations.
“In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor,” Collier said.
The current focus appears to be financial gain, with these operations generating hundreds of millions of dollars for the North Korean regime, according to Unit 42. However, security experts warn that the potential for follow-on activity, including espionage, extortion, and disruptive attacks on critical infrastructure, is a real concern.
“For any of us to be naive enough to think that that’s all they’re ever going to do is ridiculous,” Koo warned. “We have to be vigilant because, at the point that they decide to weaponize in a different way, they have the access to do it.”
In January, the US Justice Department indicted two North Korean nationals for their involvement in a fraudulent IT work scheme involving at least 64 US companies from April 2018 to August 2024. The US Treasury Department also sanctioned companies it accused of being fronts for North Korea.
Having audio issues on your Zoom call? That's not a VC, it's North Korean hackers.
Fortunately, this founder realized what was going on.
The call starts with a few "VCs" on the call. They send messages in the chat saying they can't hear your audio, or suggesting there's an… pic.twitter.com/ZnW8Mtof4F
— Nick Bax.eth (@bax1337) March 11, 2025
Crypto founders have reported an increase in activity from North Korean hackers, with at least three founders reporting in March that they foiled attempts to steal sensitive data through fake Zoom calls. In August, blockchain investigator ZachXBT claimed to have uncovered a network of North Korean developers earning $500,000 a month working for established crypto projects.
Identifying the Threat
Security professionals acknowledge it’s difficult for organizations to identify potential insider threats from job applicants, but not impossible. Requiring remote job candidates to be on camera and show government-issued identification is recommended, though not foolproof.
Warning signs include candidates looking away from the camera or taking prompts from someone else, conducting interviews from public locations, long pauses during interviews, and inconsistencies on resumes such as claimed expertise in technologies before they were widely available.
Human resources professionals and recruiters are the first line of defense. For those who pass initial screening, companies should watch for lack of communication in meetings, emails, or collaboration platforms. As one expert noted, North Korean technical workers “don’t ask how your kid did in soccer last night. They don’t talk about the new, cool restaurant they found, because they can’t.”