- North Korean cyber operatives have expanded operations to target blockchain startups in the EU and UK, posing as remote developers.
- Google Threat Intelligence Group reports that these workers operate under multiple fake identities to bypass security checks and generate revenue for the North Korean regime.
- Recent activities include extortion attempts in which laid-off DPRK developers threaten to leak their former employers' source code.
Google has revealed that North Korean cyber operatives are expanding their target range beyond U.S. companies to include blockchain startups across Europe. According to a report released Tuesday by Google’s Threat Intelligence Group (GTIG), IT workers linked to North Korea have embedded themselves in crypto projects throughout the UK, Germany, Portugal, and Serbia, posing serious security risks to these organizations.
The report indicates that these operatives have infiltrated various blockchain projects, including marketplaces, AI web applications, and the development of Solana and Anchor/Rust smart contracts. One instance involved building a Nodexa token hosting platform, while other cases included creating blockchain job marketplaces and AI-enhanced blockchain tools.
“In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” said GTIG adviser Jamie Collier in the report. Some workers reportedly operated under as many as 12 fake identities simultaneously, using falsified credentials from Belgrade University and fake residency documents from Slovakia.
These cyber operatives receive assistance from facilitators in the UK and U.S. who help them bypass identity verification processes and receive payments through services like TransferWise, Payoneer, and cryptocurrency platforms, effectively concealing funds flowing back to North Korea.
Rising Extortion Threats
Since October 2024, GTIG has observed an increase in extortion attempts as terminated North Korean developers have started blackmailing former employers by threatening to leak proprietary information and source code. This aggressive behavior coincides with “heightened United States law enforcement actions against DPRK IT workers,” according to Google’s report.
Last December, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two Chinese nationals for laundering digital assets to benefit North Korea’s government. In January, the Justice Department indicted two North Korean nationals for operating a fraudulent IT work scheme that compromised at least 64 U.S. companies between 2018 and 2024.
Broader Cyber Threat Network
In March, Paradigm security researcher Samczsun warned that North Korea’s cyber strategy extends beyond the state-backed Lazarus Group, which has been connected to major cryptocurrency hacks. “DPRK Hackers are an ever-growing threat against our industry,” Samczsun noted, describing various subgroups specialized in social engineering and supply chain attacks.
This February, hackers associated with Lazarus stole $1.4 billion from crypto exchange Bybit, later routing the funds through coin mixers and decentralized exchanges.
GTIG warns that many crypto startups remain vulnerable due to their heavy reliance on remote talent and bring-your-own-device work environments, often lacking proper security monitoring tools. This vulnerability is precisely what North Korean operatives are exploiting through “the rapid formation of a global infrastructure and support network,” according to Collier.