North Korean IT specialists expand activities in Europe by posing as citizens of other countries

North Korean IT specialists have expanded their operations into European companies while posing as citizens of other nations. Researchers from Google Threat Intelligence Group (GTIG) found that these specialists targeted companies in Germany, Portugal, and the UK. Leading GTIG consultant Jamie Collier noted the use of combinations of real and fictional identities to deceive recruiters.

Specialists were recruited through platforms like Upwork, Telegram, and Freelancer. Payments were made via cryptocurrency using TransferWise and Payoneer. North Korean specialists were linked to projects in the UK related to artificial intelligence and website development.

The lead analyst at Mandiant, Michael Barnhart, reported an increase in cyberattacks from North Korea on US organizations. The ruling regime retains about 90% of the income generated by these activities, which annually brings in hundreds of millions of dollars.

In Spring 2024, the US Department of Justice uncovered Christina Chapman's involvement from Arizona in a scheme to assist North Korean specialists. She used both fake and real identities of US citizens, laundering about $6.8 million.

In Summer 2024, an American company, KnowBe4, inadvertently hired a hacker from North Korea who passed the interview using manipulated stock images. After the fraud was exposed, the perpetrator was fired.

In January 2025, the US Department of Justice filed charges against two North Korean citizens and three intermediaries for their involvement in fraudulent schemes. The Office of Foreign Assets Control imposed sanctions on front companies associated with the Ministry of National Defense of North Korea.

The US State Department offers rewards for information about fraudulent activities by 'IT warriors.'