North Korean IT Workers Expand Global Reach and Tactics
Thu | Apr 3, 2025 | 4:24 AM PDT

The Google Threat Intelligence team (GTIG) has published new research outlining how IT workers from the Democratic People's Republic of Korea (DPRK) are expanding both the scope and scale of their operations, targeting companies across the globe with more advanced deception and cyber extortion tactics. The report offers a stark reminder that nation-state threats don't always originate with malware—they can also come disguised as job applicants.

"DPRK IT workers present a unique threat by posing as non-North Korean nationals and applying for remote employment opportunities around the globe," Google Threat Intelligence wrote in its April 1st blog post. "While they appear to be freelance IT workers, in reality, they are bad actors using the access gained as contractors to enable a range of malicious activities, including theft of intellectual property, planting of backdoors, and stealing money."

A shift toward Europe

While much of the initial focus has been on the United States, Google says North Korea's strategy is evolving. Recent U.S. enforcement actions have made it harder for DPRK IT workers to operate undetected within the U.S., pushing them to pivot toward other regions.

"As U.S. authorities have grown more effective at identifying and prosecuting DPRK IT workers, the workers' operations have expanded globally, with a growing emphasis on European countries," the report says.

One individual identified by GTIG was found operating at least 12 distinct personas, actively applying for jobs across Europe and the U.S., including roles in government and defense contracting. These personas often used falsified documentation and references—sometimes vouching for one another to increase their credibility.

"Our team uncovered evidence of one DPRK IT worker managing at least 12 personas. These personas applied for jobs across multiple countries and had accounts on multiple job platforms."

Technical expertise across modern stacks

These aren't entry-level operators. According to Google, North Korean IT workers often show fluency in cutting-edge web frameworks and blockchain development tools. One worker developed projects using Next.js, React, CosmosSDK, Golang, Solana, and Anchor/Rust, and was found taking on freelance jobs on major platforms.

"We've observed DPRK IT workers using skills in modern web development and blockchain environments, likely to blend in with real contractors and support lucrative freelance projects."

Deception, payments, and BYOD exploits

To hide their identity and location, workers claimed to be nationals of countries such as Japan, Italy, Malaysia, Ukraine, and the United States. Payments were processed via cryptocurrency or third-party services like Payoneer and TransferWise to obscure their origin.

The report also reveals that some companies were unknowingly sending corporate laptops overseas. In one example, a U.S. company shipped a device to New York for onboarding—but the machine was activated in London.

"In one instance, a corporate laptop sent for onboarding in the U.S. was activated in London. These types of schemes are enabled by facilitators who help North Korean operatives bypass ID verification and establish presence in other countries."

Bring your own device (BYOD) policies are another point of exploitation. Google emphasized that devices lacking enterprise monitoring solutions make it easier for these workers to operate undetected.

"In BYOD environments, DPRK IT workers may be able to operate without endpoint detection or oversight, making it easier for them to exfiltrate data or establish persistence."

A rise in extortion

Perhaps most concerning is a new trend in cyber extortion. Dismissed workers—once embedded inside organizations—have begun threatening to leak proprietary code, customer data, or internal documents if demands aren't met.

"These threats often follow termination and are accompanied by a demand for compensation. Threatened disclosures have included proprietary data and evidence of code backdoors."

The GTIG report ends with a clear call to action for companies hiring remote workers or operating in hybrid environments: "The combination of global expansion, extortion tactics, and the use of virtualized infrastructure all highlight the adaptable strategies employed by DPRK IT workers."

For CISOs and security leaders, this is a moment to re-evaluate remote hiring practices, contractor vetting procedures, and endpoint monitoring in BYOD environments.

As DPRK threat actors become more sophisticated in blending in with legitimate contractors, detection will depend less on signatures and more on patterns of behavior, access anomalies, and proactive threat hunting.
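Two of the observations above translate directly into simple, high-signal checks: the laptop that was shipped to New York but first checked in from London, and the BYOD account that never authenticates from a device with an endpoint agent. The script below is an added example, not code from the GTIG report or from SecureWorld; the shipment and check-in records are constructed, and the field names (ship_to_country, geo_country, endpoint_agent) are assumptions about what an asset inventory and an identity or EDR log would expose after IP geolocation.

```python
"""
Defender-side checks for two patterns described in the GTIG reporting:
  1. a corporate laptop whose first check-in geolocates to a different
     country than the address it was shipped to, and
  2. a user who only ever authenticates from devices with no endpoint agent.
All records below are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Shipment:
    asset_id: str
    user: str
    ship_to_country: str   # ISO 3166-1 alpha-2 of the onboarding address
    ship_to_city: str


@dataclass(frozen=True)
class CheckIn:
    asset_id: str
    user: str
    timestamp: str         # ISO 8601, UTC
    geo_country: str       # country from IP geolocation of the check-in
    geo_city: str
    endpoint_agent: bool   # True if the EDR/MDM agent reported in


# Constructed asset inventory: where each corporate laptop was sent.
SHIPMENTS = [
    Shipment("LT-1001", "j.doe", "US", "New York"),
    Shipment("LT-1002", "a.lee", "US", "Austin"),
]

# Constructed device/identity events (hypothetical users and locations).
CHECKINS = [
    CheckIn("LT-1001", "j.doe", "2025-03-20T09:12:00Z", "GB", "London", True),
    CheckIn("LT-1001", "j.doe", "2025-03-21T08:50:00Z", "GB", "London", True),
    CheckIn("LT-1002", "a.lee", "2025-03-21T14:02:00Z", "US", "Austin", True),
    CheckIn("BYOD-77", "m.ross", "2025-03-22T03:41:00Z", "MY", "Kuala Lumpur", False),
    CheckIn("BYOD-77", "m.ross", "2025-03-23T03:05:00Z", "MY", "Kuala Lumpur", False),
]


def find_activation_mismatches(shipments: List[Shipment],
                               checkins: List[CheckIn]) -> List[Dict[str, str]]:
    """Return one finding per asset whose earliest check-in is in a country
    other than the one it was shipped to. Assets with no shipment record
    (BYOD) are skipped here; they are handled by the second check."""
    by_asset = {s.asset_id: s for s in shipments}
    first_seen: Dict[str, CheckIn] = {}
    for c in sorted(checkins, key=lambda c: c.timestamp):
        first_seen.setdefault(c.asset_id, c)   # keep only the earliest event
    findings = []
    for asset_id, c in first_seen.items():
        s = by_asset.get(asset_id)
        if s is None or c.geo_country == s.ship_to_country:
            continue
        findings.append({
            "asset_id": asset_id,
            "user": c.user,
            "shipped_to": f"{s.ship_to_city}, {s.ship_to_country}",
            "activated_in": f"{c.geo_city}, {c.geo_country}",
            "first_seen": c.timestamp,
        })
    return findings


def find_unmonitored_users(checkins: List[CheckIn]) -> List[str]:
    """Return users none of whose check-ins came from a device with an
    endpoint agent: the BYOD blind spot the report warns about."""
    agent_seen: Dict[str, bool] = {}
    for c in checkins:
        agent_seen[c.user] = agent_seen.get(c.user, False) or c.endpoint_agent
    return sorted(u for u, seen in agent_seen.items() if not seen)


if __name__ == "__main__":
    for f in find_activation_mismatches(SHIPMENTS, CHECKINS):
        print(f"[activation mismatch] {f['asset_id']} ({f['user']}): "
              f"shipped to {f['shipped_to']}, first seen in {f['activated_in']}")
    for u in find_unmonitored_users(CHECKINS):
        print(f"[no endpoint agent] {u}")
```

Both checks are deliberately coarse: a country-level mismatch or a total absence of agent telemetry is rare enough among legitimate staff to be worth a human review, which is the "patterns of behavior and access anomalies" posture the article describes rather than a malware signature.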
