Update: North Korean IT Warriors Push to Infiltrate European Firms

North Korean IT workers are increasingly posing as remote freelancers from other countries to infiltrate companies in Europe, putting organizations at risk of espionage, data theft and disruption.

The workers, who refer to themselves as “warriors,” secure roles at companies to generate revenue for the Democratic People’s Republic of Korea, according to research by Google Threat Intelligence Group.

Google researchers worked with partners to identify an increase in active operations outside of the US by these so-called IT warriors over the past six months. Countries targeted include Germany, the UK and Portugal, according to , lead adviser for Europe at the Google unit.

North Korean IT workers have historically focused on infiltrating companies in the US. While American jobs remain a major target, an increased awareness of the threat, along with sanctions and indictments from the Department of Justice, have pushed operations to other countries, particularly in Europe.

The workers falsely claim to be from countries including Italy, Japan, Malaysia, Singapore, Ukraine, the US and Vietnam to secure jobs. They’re recruited through platforms including Upwork Inc., Freelancer and Telegram and paid with cryptocurrency, or via digital payment platforms including Wise Plc and Payoneer Global Inc., according to the Google report.

A spokesperson for Wise said the company carries out numerous verification checks on customers and monitors transactions for misuse of its services. When it identifies potential financial crime it investigates and, where necessary, deactivates accounts.

Payoneer uses a range of checks to combat fraud and financial crime and works closely with regulators and law enforcement, a spokesperson said.

Upwork said it was an industrywide problem and that the company takes “aggressive action to detect, block and remove bad actors.”

Freelancer and Telegram did not immediately respond to requests for comment.

Since late October, there has been a rise in recently fired North Korean workers seeking to extort companies, threatening to release sensitive data to a competitor. Collier wrote that the increased pressure from the US may be driving these IT workers to “adopt more aggressive measures to maintain their revenue stream.”

In late 2024, one such worker operating at least 12 personas sought employment with several organizations in the defense and government sectors, providing fake references. In the UK, North Korean IT workers have been involved in projects spanning traditional web development to advanced blockchain and AI applications, according to the research.

Google said the trend highlights the risks of bring-your-own-device policies, where companies allow workers to use their own laptops to access internal systems. These devices often lack corporate monitoring and security tools, making it harder to identify possible threats.

The FBI has issued multiple warnings about North Korea’s IT workers , and urged companies to improve their identity verification processes. In January, the two individuals and four entities for “generating illicit revenue” for the North Korean government, which it said withholds as much as 90% of wages earned by these IT workers.

In December, a federal court in Missouri for their alleged involvement in an IT employment scheme that generated $88 million over six years. In some cases, US employers unwittingly employed North Korean IT workers for years, paying them hundreds of thousands of dollars.

The UK has also issued warnings about North Korean IT workers. In September, the Office of Financial Sanctions Implementation to carry out more rigorous identity checks, video interviews and to avoid payments in cryptocurrency.

Photo credit: Daniel Acker/Bloomberg

Related: