A new analysis from Google’s Threat Intelligence Group (GTIG) highlights a growing cybersecurity risk as North Korean IT operatives expand their activities beyond the United States, increasingly targeting companies in Europe.
These individuals, posing as legitimate remote workers, engage in cyber-espionage, financial fraud, and extortion, generating revenue for the North Korean regime while presenting a serious security threat to businesses worldwide.
Shifting Focus to Europe
With heightened scrutiny in the US, North Korean IT workers are shifting their operations to Europe, where detection efforts are less advanced. GTIG’s research found that these operatives use sophisticated deception tactics, creating multiple false identities to secure employment. In some instances, individuals were found managing over a dozen fraudulent identities to gain access to sensitive corporate data.
Recruitment platforms such as Upwork and Freelancer have been primary tools for these workers, allowing them to secure positions under assumed identities. They often receive payments through cryptocurrency services and online financial platforms like Payoneer and TransferWise, making it difficult for companies to track the true source of transactions. Their expertise spans blockchain development, AI-powered applications, and cybersecurity, making them valuable yet dangerous hires.
These operatives fabricate identities by using a mix of real and invented information, falsely claiming nationalities from countries such as Italy, Japan, and the US. They submit counterfeit credentials and references to appear credible to recruiters. One recent investigation uncovered a North Korean IT worker in the UK who developed blockchain-based job marketplaces using Solana and MongoDB while simultaneously working on other high-tech projects.
A critical element of this operation is the network of facilitators aiding these workers in various regions.
These intermediaries assist in job applications, identity falsification, and payment processing, allowing operatives to evade detection. One notable incident involved a corporate laptop meant for use in New York being remotely operated from London, showcasing the complex web of deception.
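The London-operated "New York" laptop is the kind of anomaly a defender can surface from ordinary remote-access telemetry: compare the country a corporate asset was issued to with the source country of each remote session to it. The script below is an added illustration, not code from the GTIG report; the asset inventory, log lines and field layout are constructed for the example.

```python
# Added example (not from the GTIG report). Flags remote sessions to a corporate
# laptop whose observed source country differs from the country the asset was
# issued for, and measures how much session time comes from elsewhere.
from dataclasses import dataclass

# Constructed asset inventory: asset id -> country the device was shipped to.
ASSET_COUNTRY = {
    "LAPTOP-0417": "US",   # issued to a remote hire based in New York
    "LAPTOP-0522": "DE",
}

# Constructed remote-session telemetry in the shape an EDR or remote-access
# gateway might export: asset id, tool, geolocated source country, duration.
SESSION_LOG = [
    "LAPTOP-0417 rdp  src_country=US  minutes=45",
    "LAPTOP-0417 kvm  src_country=GB  minutes=480",
    "LAPTOP-0522 ssh  src_country=DE  minutes=12",
    "LAPTOP-0522 vnc  src_country=GB  minutes=3",
]


@dataclass(frozen=True)
class Finding:
    asset: str
    tool: str
    expected: str   # country the asset was issued for
    observed: str   # country the remote session came from
    minutes: int


def parse_session(line: str):
    """Split one constructed log line into (asset, tool, country, minutes)."""
    asset, tool, country_kv, minutes_kv = line.split()
    return asset, tool, country_kv.split("=", 1)[1], int(minutes_kv.split("=", 1)[1])


def find_location_mismatches(log, inventory, min_minutes=0):
    """Return one Finding per session whose source country differs from the
    asset's issued country and whose duration reaches min_minutes.
    min_minutes lets an analyst ignore brief sessions (e.g. a support check)
    and keep long, hands-on-keyboard sessions, which are the real signal."""
    findings = []
    for line in log:
        asset, tool, country, minutes = parse_session(line)
        expected = inventory.get(asset)
        if expected is None:
            continue  # asset not in inventory: separate problem, not scored here
        if country != expected and minutes >= min_minutes:
            findings.append(Finding(asset, tool, expected, country, minutes))
    return findings


def off_country_share(log, inventory):
    """Fraction of each asset's total session minutes that came from a country
    other than the one it was issued for. A device that is almost entirely
    operated from abroad stands out even if individual sessions look routine."""
    total, away = {}, {}
    for line in log:
        asset, _tool, country, minutes = parse_session(line)
        expected = inventory.get(asset)
        if expected is None:
            continue
        total[asset] = total.get(asset, 0) + minutes
        if country != expected:
            away[asset] = away.get(asset, 0) + minutes
    return {asset: away.get(asset, 0) / total[asset] for asset in total}


if __name__ == "__main__":
    for f in find_location_mismatches(SESSION_LOG, ASSET_COUNTRY, min_minutes=60):
        print(f"{f.asset}: {f.tool} session from {f.observed}, asset issued for {f.expected}, {f.minutes} min")
    for asset, share in off_country_share(SESSION_LOG, ASSET_COUNTRY).items():
        print(f"{asset}: {share:.0%} of session time from outside issued country")
```

In real telemetry the country field would come from the gateway's geolocation of the client address; VPN or residential-proxy use can mask it, so the duration share is a useful second signal alongside the per-session mismatch.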
Rise in Extortion Attempts
In addition to fraud, extortion efforts by North Korean IT workers have escalated. When terminated or exposed, some individuals have threatened companies with data leaks unless payments were made. These tactics appear to be a reaction to increased law enforcement scrutiny in the US, pushing workers to adopt more aggressive measures to sustain their income.
GTIG reported that many of these workers, once dismissed, attempt to re-enter the workforce under new false identities, making it difficult for businesses to permanently block them. Their ability to adapt quickly and change tactics presents an ongoing cybersecurity challenge.
A growing concern is the exploitation of virtualized corporate infrastructure. Many businesses, especially those with Bring Your Own Device (BYOD) policies, lack strict security measures on personal devices. This enables North Korean IT operatives to infiltrate systems unnoticed.
Since early 2025, there has been an uptick in cases where workers use virtualized environments to avoid detection, carrying out malicious activity from within corporate networks without triggering security alerts.