The Google Threat Intelligence Group (GTIG) revealed that operations by North Korean fake IT engineers continue to expand, with their infiltration extending from the United States to the United Kingdom and multiple European countries. Disguised as legitimate remote engineers, they infiltrate corporate systems, participate in high-tech projects, and steal data, posing a significant threat to global information security and corporate confidentiality.
From the United States to Europe: Blockchain and AI Projects Become North Korea's Primary Targets
Since the second half of 2024, GTIG has observed North Korean IT personnel significantly accelerating their penetration of the European market, particularly focusing on the United Kingdom, Germany, Portugal, and Central and Eastern European regions. They apply for corporate positions by forging nationalities, educational backgrounds, and residential addresses, with one individual even using 12 different fake identities to infiltrate defense industry and government projects.

Reportedly, their resumes often include degrees from Serbian universities, Slovak addresses, and guidance documents for operating European job sites.
Revealing the Global Fake Identity Network Behind Fake Developers
GTIG is concerned that these North Korean engineers are not working alone, but may have a transnational support system helping to forge identities, pass reviews, and transfer funds.
The report revealed that an enterprise laptop originally intended for use in New York was found to have been activated in London, demonstrating infiltration operations spanning Europe and the United States. The investigation also discovered that the laptop was used to provide fake passports, give guidance on application strategies, and even list the time zones to be used in different countries to strengthen the identity disguise.
Recently, blockchain security experts also discovered a new fraud method where North Korean hackers impersonate Venture Capital (VC) experts, using common Zoom meeting audio issues to trick victims into downloading malware-laden audio repair files, potentially leading to personal fund or sensitive data theft.
Ransomware Frequency Rises, Threats of Information Leakage Emerge Continuously
Facing prosecution and sanctions pressure from the United States, North Korean IT personnel have continued to increase their ransomware attack frequency since October last year, targeting large enterprises and threatening to leak confidential information or sell it to competitors.
Previously, IT personnel would attempt to re-enter using different identities after being fired, but now they directly use internal confidential documents and project data as leverage to maintain the country's income sources.
GTIG discovered they have already participated in multiple projects, including blockchain applications based on Solana and Rust, AI websites or apps based on Electron or Next.js, and even automated robots and content management systems.
Some projects involve sensitive technologies, and payment in cryptocurrencies makes tracking fund sources and flows more difficult.
Convenient or Careless? BYOD Work Environment Becomes a New Vulnerability
Additionally, GTIG specifically noted that some enterprises' "Bring Your Own Device (BYOD)" policy, allowing employees to remotely access company systems through personal devices, may render traditional security monitoring and device identification ineffective.
North Korean technical personnel view the BYOD environment as an ideal target and began operating in such enterprises in early 2025. The lack of comprehensive monitoring, device tracking, and recording capabilities makes it easier for them to lurk and execute data theft and other malicious operations.
Global Enterprises Sound the Alarm, Calling for Enhanced Verification and Cybersecurity Monitoring
North Korean hackers continue to evolve their attack methods. The FBI and blockchain detective ZachXBT have previously revealed that they target crypto projects and related companies with carefully designed and hard-to-detect social engineering attacks, attempting to spread malware and steal companies' cryptocurrency assets.
Facing such infiltration operations, enterprises must raise their vigilance and strengthen candidate background checks, verification processes, and cybersecurity protection, especially in controlling remote personnel and outsourcing platforms.
North Korea has established a comprehensive network of fake identity operations and transnational support systems, whose flexibility and infiltration scope have made them a major security concern for the global technology industry.