
Security Intelligence
April 2, 2025 | Security intelligence
North Korean IT operatives, often termed "IT warriors," have broadened their scope beyond the United States, now targeting companies across Europe, notably in Germany, Portugal, and the United Kingdom.
Researchers revealed that a single DPRK IT worker managed at least 12 false identities across Europe and the U.S., targeting sectors such as defense and government. These operatives often present fabricated references and control multiple personas to enhance their credibility with recruiters.
The operatives have been observed disguising themselves as professionals from countries such as Italy, Japan, and Vietnam to secure remote freelance IT positions.
Researchers have also noticed that the DPRK IT workers have diversified their methods and continue to engage in extortion schemes in which they threaten to expose sensitive data unless a ransom is paid. They have also begun using remote access tools, virtual desktop environments, and commercial VPNs to operate undetected inside a company's IT infrastructure.
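The three techniques just named (remote access tools, virtual desktop sessions and commercial VPN egress) all leave traces in ordinary endpoint and gateway telemetry, which is where a defender can look for them. The script below is an added illustration written for this page, not Field Effect's or the researchers' detection logic: it triages a constructed `key=value` event log, flags process starts of remote access tools the organisation has not approved, flags interactive logins whose source address sits in a commercial VPN range, and raises the priority of any account that trips both rules. The log format, the list of tools treated as unapproved, and the VPN address ranges (RFC 5737 documentation prefixes) are assumptions made for the example.

```python
"""Triage endpoint/gateway events for remote access tools and commercial VPN
logins. Added example for this page; not Field Effect's detection logic.
The log format, tool list and address ranges are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Assumption: remote access / remote desktop products that THIS organisation has
# not approved. The product names are real, but whether they are unapproved is a
# per-organisation policy decision, not a fact taken from the article.
UNAPPROVED_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Assumption: egress ranges attributed to commercial VPN providers, as a SOC
# might load them from a threat-intel feed. These are RFC 5737 documentation
# prefixes used as placeholders, not real provider addresses.
COMMERCIAL_VPN_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample telemetry: one normal user, one contractor who logs in
# from a VPN range and then launches an unapproved remote access tool, and
# one user with only a VPN login.
SAMPLE_LOG = [
    "type=login user=jdoe host=LT-0142 src=10.20.30.40",
    "type=process user=jdoe host=LT-0142 image=outlook.exe",
    "type=login user=contractor7 host=LT-0311 src=198.51.100.77",
    "type=process user=contractor7 host=LT-0311 image=AnyDesk.exe",
    "type=login user=asmith host=LT-0200 src=203.0.113.9",
]


def parse_event(line):
    """Split a 'key=value key=value ...' line (constructed format) into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_commercial_vpn(ip):
    """True when the address falls inside a known commercial VPN prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMMERCIAL_VPN_PREFIXES)


def triage(lines):
    """Return {user: [(rule, host, detail), ...]} for every rule that fired."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "process" and ev["image"].lower() in UNAPPROVED_REMOTE_TOOLS:
            findings[ev["user"]].append(("unapproved_remote_tool", ev["host"], ev["image"]))
        elif ev["type"] == "login" and is_commercial_vpn(ev["src"]):
            findings[ev["user"]].append(("commercial_vpn_login", ev["host"], ev["src"]))
    return dict(findings)


def high_priority(findings):
    """Accounts that tripped more than one distinct rule: a VPN-masked login
    followed by an unapproved remote access tool is the combination worth
    escalating first, since either signal alone is common in legitimate use."""
    return sorted(user for user, hits in findings.items()
                  if len({rule for rule, _, _ in hits}) > 1)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for user, hits in results.items():
        for rule, host, detail in hits:
            print(f"{user:12} {host:8} {rule:24} {detail}")
    print("escalate first:", high_priority(results))
```

Neither rule is conclusive on its own: plenty of legitimate staff use a VPN or a remote desktop product. The value is in correlating the two per account, and in comparing a remote worker's observed egress with the country they claimed to be in when hired.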
Additionally, these operatives are experimenting with artificial intelligence tools to create fake profile images, utilize deepfake technology in video interviews, and overcome language barriers.
Source: Bleeping Computer
It’s not surprising that North Korea’s fraudulent IT worker scheme has expanded into Europe and other countries, given that the U.S. has cracked down on such activity within its borders and has done a good job of alerting its companies to this particular threat.
For example, in January 2025, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on two individuals and four entities linked to the scheme.
North Korea leverages its fraudulent IT worker program to generate illicit revenue and gather intelligence in support of its strategic initiatives, including the development of nuclear weapons and ballistic missiles. Although the scheme has been active since at least 2018, it only gained significant attention from law enforcement agencies starting in 2023.
The operation involves North Korean workers posing as freelancers to secure IT-related jobs with Western firms. To appear credible, they use fake personas—sometimes AI-generated—or adopt stolen identities, including those of U.S. citizens, to enhance their resumes and succeed in job interviews. By late 2024, the scheme evolved further, with some fraudulent workers resorting to extortion by demanding ransoms in exchange for not leaking stolen information.
This operation is believed to affect hundreds, if not thousands, of positions globally. While only a small percentage of these roles result in data exfiltration or extortion, the scale and sophistication of the scheme highlight the persistent threat it poses to organizations worldwide.
Field Effect’s Security Intelligence team continuously monitors the cyber threat landscape for advanced cyber actors, including North Korean state-sponsored actors. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when malicious activity of this kind is detected in their environment and are encouraged to review the resulting AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends scrutinizing job applications and resumes sent via email, messaging services such as WhatsApp, and social media. Bear in mind that the individuals contacting your organization could be fake, and always verify both the recruiter’s and the applicant’s identity and their association with the company they claim to represent. Generally, if a job offer is too good to be true, it probably is.
Field Effect users are encouraged to submit suspicious emails, including job offers and inquiries, to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.