
North Korea-linked tech operatives are broadening their infiltration of global blockchain companies, with a noticeable shift toward targeting firms in the United Kingdom and Europe, according to Google’s Threat Intelligence Group (GTIG).
The move follows heightened scrutiny from U.S. authorities, pushing many of these actors to seek employment beyond American borders.
DISCOVER: Best Meme Coin ICOs to Invest in March 2025
North Korea-Linked IT Fraudsters Build Global Network of Fake Identities, Says Google
In a report released on April 2, GTIG adviser Jamie Collier stated that fraudulent IT workers tied to North Korea are adapting to increased awareness in the U.S. by creating a global network of fake identities. “In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” Collier noted.
Collier emphasized that the presence of enablers in the UK suggests the creation of a broader support network, which allows these operatives to continue their schemes. These workers have infiltrated a variety of projects, including traditional web development and advanced blockchain applications, such as Solana and Anchor smart contracts.
One notable case involved North Korean developers working on a blockchain-based job marketplace and an AI-driven web application. These individuals often pretend to be legitimate remote employees, thus gaining access to company systems and siphoning income back to the North Korean regime.
“This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption,” Collier warned.
Outside of the UK, GTIG has noted an increase in activity throughout Europe, with at least one North Korean worker using 12 different identities across various countries.
Having audio issues on your Zoom call? That’s not a VC, it’s North Korean hackers. Fortunately, this founder realized what was going on. The call starts with a few ‘VCs’ on the call. They send messages in the chat saying they can’t hear your audio, or suggest there’s an issue.
— Nick Bax.eth (@bax1337) March 11, 2025
Several applicants also submitted resumes citing degrees from Belgrade University and addresses in Slovakia. The investigation uncovered attempts to gain employment in Germany and Portugal, fraudulent credentials for job platforms, and a broker offering fake passports.
EXPLORE: 10 Best AI Crypto Coins to Invest in 2025
Report Reveals Surge in Extortion Threats by Dismissed Workers Since October
The report also highlights a rise in extortion attempts since October, with recently dismissed employees threatening to leak or sell sensitive data to competitors. Targeted data consisted of proprietary source code and internal project files.
In the U.S., measures against such activities have tightened. In January, the Justice Department indicted two North Korean nationals for running a fraudulent IT employment scheme involving over 60 companies. Simultaneously, the U.S. Treasury sanctioned organizations alleged to be front companies for North Korean IT operations.
Crypto project founders continue raising alarms. On March 13, at least three reported foiling North Korean phishing attempts disguised as fake Zoom interviews. In August, blockchain investigator ZachXBT revealed that North Korean developers were earning up to $500,000 monthly while embedded in legitimate crypto firms.
EXPLORE: 10 Coins with High Returns: Crypto Forecast 2025
Key Takeaways
- North Korea-linked IT operatives are expanding their focus to blockchain firms in the UK and Europe according to Google’s Threat Intelligence Group (GTIG).
- These workers use fake identities to infiltrate companies and redirect funds to the North Korean regime.
- Google reports a rise in extortion threats from dismissed workers, putting sensitive data at risk.