North Korean Cyber Operatives Expand Their Reach Beyond U.S. Companies
North Korean IT operatives have extended their reach beyond U.S. companies, embedding themselves as remote developers in blockchain startups across the EU and the UK, and leaving behind compromised data and extortion attempts.
This was revealed in a report released by the Google Threat Intelligence Group (GTIG) on Tuesday, which disclosed that IT workers linked to the Democratic People’s Republic of Korea (DPRK) have expanded operations beyond the U.S., embedding themselves in cryptocurrency projects in the UK, Germany, Portugal, and Serbia.
Projects Built by DPRK Workers Include
Blockchain marketplaces, AI web applications, and Solana and Anchor/Rust smart contracts. One case involved building the Nodexa token hosting platform with Next.js and the Cosmos SDK; other cases included a blockchain job marketplace built on the MERN stack and Solana, and AI-enhanced blockchain tools built with Electron and Tailwind CSS.
GTIG consultant Jamie Collier stated in the report, “To enhance awareness of threats within the U.S., they have established a global ecosystem of fraudulent roles to increase operational agility.”
The report noted that some workers use degrees from the University of Belgrade, fake residency documents from Slovakia, and guidance on navigating European job platforms, operating with up to 12 false identities at a time.
Collier said that facilitators based in the UK and the U.S. help these actors bypass identity checks, and that payments flow through TransferWise, Payoneer, and cryptocurrency, concealing the source of the funds routed back to the North Korean regime.
Ransom Threats
The GTIG report indicates that workers are generating income for the North Korean regime, with U.S., Japanese, and South Korean diplomats previously accusing overseas IT specialists, including those engaged in malicious cyber activities, of helping finance its sanctioned weapons programs.
Collier warned, “This poses a risk of espionage, data theft, and disruption for organizations hiring DPRK IT workers.”
Since October 2024, GTIG has observed a spike in extortion threats: DPRK developers dismissed by their employers have threatened to leak source code and proprietary documents unless they are paid.
GTIG noted that this aggressive rise is linked to “increased enforcement actions against North Korean IT workers, including disruptions and prosecutions.”
In December, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two Chinese nationals for laundering digital assets to fund the North Korean government, using a UAE-based front company associated with the Pyongyang regime.
Then, in January, the Justice Department indicted two North Korean nationals for operating a fraudulent IT job scheme that infiltrated at least 64 companies between 2018 and 2024.
Beyond the Lazarus Group
In March, Paradigm security researcher Samczsun warned that North Korean cyber strategies extend far beyond the state-sponsored Lazarus Group, which has been linked to some of the largest cryptocurrency incidents in history.
Samczsun wrote, “The threat of DPRK hackers to our industry is growing,” outlining a sub-network including TraderTraitor and AppleJeus, which specialize in social engineering, fake job offers, and supply chain attacks.
In February, hackers linked to Lazarus stole roughly $1.4 billion from the cryptocurrency exchange Bybit, with the funds later laundered through coin mixers and decentralized exchanges (DEXs).
Because the cryptocurrency industry relies heavily on remote talent and bring-your-own-device (BYOD) environments, GTIG warned that many startups lack the monitoring tools needed to detect such threats.
Collier remarked, “This is precisely where North Korea is focusing its development: the rapid formation of global infrastructure and support networks, enabling its sustained operations.”