North Korean developers operating under fake identities are increasingly securing employment in cryptocurrency and blockchain projects outside the United States. According to Google’s Threat Intelligence Group (GTIG), these actors have shifted their focus to Europe and the United Kingdom amid stricter verification procedures in the U.S.
Jamie Collier, a GTIG advisor, stated that new regulations and enhanced employment eligibility checks in the U.S. have pushed DPRK-linked individuals to seek alternative opportunities with European employers. At the same time, they have built a global network of fake identities to increase operational flexibility and speed.
Fake Profiles and Fabricated Résumés
GTIG reports that many fake profiles reference degrees from the University of Belgrade in Serbia and provide addresses in Slovakia. Some of these identities are managed simultaneously under a dozen different aliases. Such schemes have been detected in Germany and Portugal. Google also uncovered brokers offering counterfeit passports and guides for using European job platforms.
The threat is not limited to frontend or traditional development roles. These individuals are infiltrating projects involving Solana, Anchor smart contracts, and platforms that combine blockchain with artificial intelligence. One example involves a blockchain hiring marketplace that unknowingly included North Korean developers.
Threat of Hacking and Extortion
Working undercover, DPRK specialists not only gain access to internal information but also generate income for the regime. Collier warned of industrial espionage risks, data leaks, and potential sabotage.
Since October, GTIG has observed a rise in extortion attempts. Dismissed employees have threatened to leak source code and confidential data unless they are paid. This trend coincides with increased pressure in the U.S., and experts believe the extortion is a tactic to maintain financial inflows.
Links to the Crypto Industry and Sanctions
According to blockchain investigator ZachXBT, in August 2024, North Korean developers were earning around $500,000 per month by working on legitimate crypto projects.
It was also reported that these actors attempted to gain access to sensitive information through fake Zoom calls. At least three such incidents have been documented by analysts.
DPRK hackers are also suspected in the Bybit exchange hack, which caused losses estimated at $1.5 billion. Following the breach, OKX temporarily disabled its DEX aggregator service due to suspicions that stolen funds were being laundered through it.
Response from the U.S., South Korea, and Japan
In response to the growing threat, the U.S. Department of Justice in January filed charges against two North Korean nationals for their involvement in a fraudulent IT scheme that targeted 64 American companies between April 2018 and August 2024.
Simultaneously, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on several companies believed to be fronts used by the DPRK for remote work.
On January 14, South Korea, the U.S., and Japan issued a joint statement condemning North Korea’s cyberattacks. The statement noted that the DPRK stole $6.6 billion in cryptocurrency during 2024. Targets included DMM Bitcoin, Upbit, Rain Management, WazirX, and Radiant Capital. The countries pledged to increase cybersecurity coordination, stating that North Korea’s actions threaten the stability of the global financial system.