Fake IT workers from North Korea target UK crypto projects in global espionage scheme
04/02/2025 / By Cassie B.
- North Korean tech workers posing as remote employees infiltrated UK blockchain firms, stealing data and funneling profits to fund Pyongyang’s nuclear program.
- Google’s Threat Intelligence Group reports operatives shifted to Europe, using fake identities and lax hiring checks to evade detection.
- Workers target blockchain projects (e.g., Solana, Anchor) and have escalated to extortion, threatening to leak proprietary code unless paid.
- North Korean hackers have already stolen billions of dollars, with groups like Lazarus laundering funds via Bitcoin swaps.
- Experts warn businesses to tighten remote hiring protocols as the threat grows more sophisticated and dangerous.
North Korean tech workers with ties to Pyongyang’s regime have infiltrated blockchain projects in the United Kingdom, posing as legitimate remote employees while stealing sensitive data and funneling profits back to fund the country’s nuclear weapons program.
According to a report from Google’s Threat Intelligence Group (GTIG), these operatives — previously concentrated in the U.S. — have shifted focus to Europe, exploiting lax verification processes and creating a global network of fake identities to evade detection. With some now resorting to extortion, threatening to leak proprietary code unless paid, experts warn that the threat is growing more sophisticated — and more dangerous.
A global network of fake identities
The scheme, detailed in a recent report by GTIG adviser Jamie Collier, reveals that North Korean IT workers have established a sprawling web of fraudulent personas to bypass employment checks. “In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” Collier said. “Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations.”
These operatives are targeting companies working on advanced blockchain applications, including projects involving Solana and Anchor smart contracts. One firm developing a blockchain job marketplace and an AI-powered web application was also compromised. “These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime,” Collier warned. “This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption.”
From theft to extortion
The situation has grown even more alarming in recent months. Since late October, North Korean-linked workers have escalated their tactics, launching extortion campaigns against former employers. “Recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor,” Collier said. “This data included proprietary data and source code for internal projects.”
The shift suggests desperation amid a U.S. crackdown. In January, the Department of Justice indicted two North Koreans for defrauding at least 64 American companies through IT work schemes between 2018 and 2024. Meanwhile, the Treasury Department has sanctioned firms allegedly acting as fronts for Pyongyang’s remote-work operations.
But the U.S. is not the only target. Investigations have uncovered North Korean workers using at least 12 fake identities across Europe, falsified resumes listing degrees from Belgrade University, and even a broker specializing in counterfeit passports. Login credentials for European job sites and step-by-step guides on navigating them have also been discovered, indicating a highly organized effort.
The stakes couldn’t be higher. According to the United Nations, North Korean hackers have stolen an estimated $3 billion between 2017 and 2023 — with a staggering $1.7 billion taken in 2024 alone from attacks on exchanges like WazirX and ByBit. Paradigm, a crypto research firm, warns that at least five North Korean hacking groups — including the notorious Lazarus Group — are behind these operations.
Lazarus, responsible for the 2022 Ronin Bridge hack ($600 million stolen) and the 2025 ByBit heist ($1.5 billion), has perfected its laundering techniques. After breaking stolen funds into smaller amounts and swapping them for Bitcoin, the group waits for law enforcement attention to fade before cashing out. The FBI has identified three alleged members, but arrests remain unlikely unless they leave North Korea.
A growing threat with no easy solution
The infiltration of UK blockchain firms underscores a troubling reality: North Korea’s cyber warfare apparatus is evolving, and Western companies remain vulnerable. With operatives now leveraging extortion and fake identities, businesses must tighten hiring protocols and monitor remote workers more closely or risk becoming the next victim funding Pyongyang’s nuclear ambitions.
Sources for this article include:
Submit a correction >>
Tagged Under:
big government, blockchain, computing, conspiracy, cryptocurrency, cyber war, Dangerous, deception, espionage, evil, Glitch, hackers, information technology, insanity, national security, North Korea, privacy watch, Spygate, surveillance, terrorism, Twisted
This article may contain statements that reflect the opinion of the author
RECENT NEWS & ARTICLES
