North Korean fraudulent IT workers found in UK blockchain projects

Operatives pose an increasing threat to global tech and finance

North Korean operatives have created an extensive ecosystem of fraudulent personas to evade detection and maintain operational flexibility beyond the United States.

A new report from Google's Threat Intelligence Group (GTIG) has revealed that fraudulent tech workers with ties to North Korea have infiltrated blockchain firms in the United Kingdom, marking an expansion of the regime's cyber operations beyond the United States.

Google GTIG adviser Jamie Collier disclosed in a 2nd April report that the North Korean IT workforce, long active in the US, has shifted focus to non-US companies due to heightened awareness and enforcement actions.

The report suggests that these operatives have created an extensive ecosystem of fraudulent personas to evade detection and maintain operational flexibility.

"In response to heightened awareness of the threat within the United States, they've established a global ecosystem of fraudulent personas to enhance operational agility," Collier explained.

"Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations."

The North Korean-linked workers have been found working on blockchain and cryptocurrency projects involving Solana and Anchor smart contract development, as well as AI applications leveraging blockchain technology.

Their roles span traditional web development to more advanced crypto-related work, making them an increasing threat to financial and tech sectors worldwide.

Earlier this year, the US and South Korean governments issued a joint statement accusing North Korean state-backed hacking groups of stealing over $659 million in cryptocurrency across multiple heists.

Beyond the UK, GTIG has identified a growing presence of North Korean tech workers across Europe. Investigators found that one worker used at least 12 different personas across multiple European countries, while others had falsified credentials claiming degrees from the University of Belgrade in Serbia or residences in Slovakia.

Separate GTIG investigations revealed that North Korean operatives have attempted to secure employment in Germany and Portugal. The researchers uncovered login credentials for European job websites as well as detailed instructions on navigating those platforms.

Additionally, a broker specialising in counterfeit passports was uncovered, highlighting the elaborate infrastructure supporting these fraudulent activities.

Since late October, North Korean operatives have also ramped up extortion attempts, targeting larger organisations in an apparent bid to sustain revenue streams amid the US crackdown.

Recently fired workers threatened to release sensitive data, including proprietary data and source code, to competitors.

This escalation in extortion coincides with increased US law enforcement actions, suggesting a link between pressure on these workers and their adoption of more aggressive tactics.

In January, the US Department of Justice indicted two North Korean nationals for participating in fraudulent IT operations that infiltrated at least 64 American companies between April 2018 and August 2024.

Meanwhile, the US Treasury Department sanctioned multiple companies it accused of acting as fronts for North Korean cyber operatives.

Cryptocurrency founders have also been reporting an uptick in cyberattacks linked to North Korea.

On 13 March, at least three crypto founders disclosed attempts by North Korean hackers to steal sensitive data through fake Zoom calls.

The report also raises concerns about the growing use of bring your own device (BYOD) policies, which allow employees to access company systems through virtual machines.

GTIG believes that DPRK IT workers are exploiting these environments, which often lack traditional security and logging tools, to conduct undetected malicious activities.
