North Koreans, pretending to be legitimate remote IT workers, are infiltrating Western companies to generate revenue for the isolated regime. Now, they have expanded the scope and scale of their operations, Google has warned.
American law enforcement agencies have long sent warnings over North Korea’s infamous remote worker schemes.
The operation looks like this: workers, often hackers, working for the North Korean government, create fake identities and pose as job seekers trying to infiltrate US companies as programmers. The money earned is fed back to North Korea to support the regime.
In January, the US Department of Justice finally indicted five suspects said to be behind the years-long scheme. These particular individuals fraudulently obtained work from at least 64 American companies, DoJ said.
But the “laptop farms” are just as active as ever, Google Threat Intelligence Group (GTIG) has now said in a new report. In fact, active operations have now been detected in Europe, too, confirming the threat’s expansion beyond the US.
The latter country remains a key target, GTIG said, but over the past months, North Korean ITG workers have encountered challenges in seeking and maintaining employment in the US.
According to the researchers, this is likely due to increased awareness of the threat through public reporting, DoJ indictments, and right-to-work verification challenges. Naturally, these factors have instigated a global expansion of IT worker operations, with a notable focus on Europe.
“This growth is coupled with evolving tactics, such as intensified extortion campaigns and the move to conduct operations within corporate virtualized infrastructure,” GTIG said.
Organizations that hire North Korean workers are at risk of espionage, data theft, and disruption, the report pointed out.
In late 2024, one North Korean IT worker operated at least 12 personas across Europe and the US, for example. They sought employment with organizations within the defense industrial base and government sectors.
The facilitators used by IT workers to help them get jobs, defeat identity verification, and receive funds fraudulently have also been found in European countries.
One incident involved a North Korean IT worker utilizing facilitators located in both the United States and the United Kingdom. Notably, a corporate laptop, ostensibly intended for use in New York, was found to be operational in London, indicating a complex logistical chain, GTIG said.
Your email address will not be published. Required fields are markedmarked