North Korean IT Scammers Shift Focus to Europe Amid Tightened US Scrutiny

North Korean IT workers are expanding their deceptive employment tactics beyond their usual targets, now seeking job opportunities across Europe by disguising their identities and locations.

According to researchers at Google Threat Intelligence Group (GTIG), these individuals secure remote freelance IT jobs under false pretenses, ultimately funneling their earnings back to the DPRK regime.

A Growing European Target

Previously, North Korean cyber operatives primarily infiltrated US tech companies, but heightened awareness, stricter employment verification processes, and right-to-work laws have made it more challenging to sustain their deception. In response, they are increasingly targeting countries like Germany, Portugal, and the UK, leveraging tactics such as:

  • Fake references and controlled personas to build credibility with recruiters

  • Establishing rapport with hiring managers to secure high-paying roles

  • Using laptop farms and relocating to nations like China and Russia to mask their true origins

These job seekers typically secure positions in web development, bot development, CMS development, and blockchain technology, fields where they can manipulate digital infrastructure or exfiltrate sensitive data.

A Well-Orchestrated Cyber Scheme

This deceptive operation extends far beyond simple financial fraud. Some North Korean IT workers have landed six-figure salaries, using illicit earnings to help fund missile and nuclear weapons programs. Their efforts are often aided by foreign nationals, recruited to assist in securing positions or masking access.

However, not all attempts go undetected. Earlier this year, a multinational fraud case led to the indictment of two Americans, two North Koreans, and a Mexican accomplice for helping DPRK operatives secure jobs at over 60 US companies. Additionally, in 2024, the US Department of Justice charged a Tennessee resident with providing IT access to North Korean and Chinese nationals, enabling them to connect to corporate networks in the US and UK.

More Than Just Financial Gain

While securing income for the DPRK is a primary motive, these operations pose deeper cybersecurity threats. The presence of North Korean operatives in IT roles enables them to:

  • Exfiltrate sensitive corporate data

  • Compromise intellectual property

  • Sabotage critical systems

  • Plant backdoors for future cyber-espionage operations

According to Casey Ellis, founder of Bugcrowd, North Korea's survival depends on these unconventional revenue streams due to international sanctions cutting off traditional financial resources.

Europe Must Adapt to the Threat

With North Korean IT workers now shifting their focus to Europe, cybersecurity experts suggest European nations should look to the US for countermeasures. Jason Soroko, senior fellow at Sectigo, warns that Europe may be perceived as a "softer target", making it critical for organizations to:

  • Cross-check employment references and credentials

  • Conduct thorough technical interviews to verify skills

  • Monitor for AI-enhanced deception, such as voice and video deepfakes

  • Report fraudulent hires to national cybersecurity agencies

As these cyber threats evolve, swift action and improved hiring security measures are essential to mitigating infiltration risks and protecting sensitive corporate assets.