North Korean cyber operatives have expanded their reach beyond U.S. firms to target blockchain startups in the EU and UK, posing as remote developers and leaving a trail of compromised data and extortion attempts.
In a report released on Tuesday, Google’s Threat Intelligence Group (GTIG) revealed that IT workers linked to the Democratic People’s Republic of Korea (DPRK) have scaled up operations outside the U.S., embedding themselves in crypto projects across the UK, Germany, Portugal, and Serbia.
❗️North Korean IT Workers: A Growing Threat!
GTIG has seen increased DPRK IT worker ops in Europe, expanding beyond the U.S. They pose as remote workers, putting orgs at risk of espionage, data theft, and disruption.
— Google Cloud Security (@GoogleCloudSec) April 1, 2025
Compromised projects include blockchain marketplaces, AI web apps, and the development of Solana and Anchor/Rust smart contracts.
One case involved building a Nodexa token hosting platform using Next.js and CosmosSDK, while others included a blockchain job marketplace built using the MERN stack and Solana, and the development of AI-enhanced blockchain tools using Electron and Tailwind CSS.
“In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” said GTIG adviser Jamie Collier in the report.
Some workers operated under 12 fake identities at once, using degrees from Belgrade University, false residency documents from Slovakia, and guidance for navigating European job platforms, the report noted.
Collier said that facilitators based in the UK and U.S. helped these actors bypass ID checks and receive payments via TransferWise, Payoneer, and crypto, effectively hiding the source of funds flowing back to the North Korean regime.
A spokesperson for Wise told Decrypt that, “we take the responsibility of complying with all applicable sanctions laws very seriously,” adding that the firm performs “numerous verification checks,” using “over 250 data points to monitor transactions on Wise to catch and identify potential misuse of our services.” They explained that, “When we identify potential financial crime or any other misuse of our service, we take immediate steps to investigate the case, including suspensions or freezing of the transactions and customer accounts,” adding that Wise reports breaches to “authorised agencies globally.”
GTIG reports the workers are generating revenue for the North Korean regime, which U.S., Japanese, and South Korean envoys have previously accused of using overseas IT specialists, including those engaged in malicious cyber activity, to help fund its sanctioned weapons programs.
“This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption,” Collier warned.
Extortion threats
Since October 2024, GTIG observed a surge in extortion threats as laid-off DPRK developers have begun blackmailing former employers with threats to leak source code and proprietary files.
This uptick in aggression, GTIG noted, coincides with “heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments.”
Last December, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two Chinese nationals for laundering digital assets to finance North Korea’s government, using a UAE-based front company tied to the regime in Pyongyang.
Then, in January, the Justice Department indicted two North Korean nationals for operating a fraudulent IT work scheme that infiltrated at least 64 U.S. companies between 2018 and 2024.
Beyond Lazarus Group
In March, Paradigm security researcher Samczsun warned that the DPRK’s cyber strategy goes far beyond the state-backed Lazarus Group, which has been linked to some of the largest crypto hacks in history.
“DPRK hackers are an ever-growing threat against our industry,” Samczsun wrote, outlining a web of subgroups like TraderTraitor and AppleJeus, which specialize in social engineering, fake job offers, and supply chain attacks.
In February, hackers tied to Lazarus stole $1.4 billion from crypto exchange Bybit, with the funds later funneled through coin mixers and decentralized exchanges (DEXs).
As the crypto industry leans heavily on remote talent and bring-your-own-device (BYOD) environments, GTIG warned that many startups lack proper monitoring tools to detect such threats.
And that, Collier said, is exactly the point, with North Korea exploiting “the rapid formation of a global infrastructure and support network that empowers their continued operations.”
This story was updated on April 2 to include comment from TransferWise.