
North Korean IT worker scam spreading to Europe after US law enforcement crackdown

North Korea’s IT worker scam has expanded widely into Europe after years of focusing on U.S. companies, according to new research.

Google’s Threat Intelligence Group said it identified increased operations in Europe by North Korean operatives as part of a larger evolution in the scam — which sees the Democratic People's Republic of Korea (DPRK) place workers in IT roles at multiple companies in order to earn hefty salaries and eventually extort organizations.

In a report on Tuesday, Google researchers said over the past few months North Korean workers have found difficulty gaining and maintaining employment in the U.S. following multiple law enforcement operations designed to disrupt laptop farms and financial networks used to operate the scam. 

“In late 2024, one DPRK IT worker operated at least 12 personas across Europe and the United States. The IT worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors,” Google’s Jamie Collier wrote.

“This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility.”

Additional investigations uncovered efforts by other IT workers to find jobs in Germany and Portugal as well as “a diverse portfolio of projects in the United Kingdom.”

In the United Kingdom, the IT workers are seeking jobs involving web development, bot development, content management system (CMS) development and blockchain technology.

In several cases, the North Korean workers pretended to be from Italy, Japan, Malaysia, Singapore, Ukraine, the United States and Vietnam — using both fake personas and stolen documents from real people. 

The IT workers were recruited in Europe through popular hiring platforms like Upwork and Freelancer, as well as social media sites like Telegram. 

Like the U.S. schemes, the European framework relies heavily on local facilitators who help the workers get jobs. The facilitators also host work laptops at local homes to make it seem as though the North Koreans live in the country where they purportedly work.

“One incident involved a DPRK IT worker using facilitators located in both the United States and the United Kingdom. Notably, a corporate laptop, ostensibly intended for use in New York, was found to be operational in London, indicating a complex logistical chain,” Collier explained.

Investigators found infrastructure used by one facilitator showing that the scammers were creating fake personas using resumes that listed degrees from Belgrade University in Serbia and residences in Slovakia.

Contact information for a person who creates fake passports was also found, and other documents provided information on how to navigate European job sites and, specifically, how to obtain jobs in Serbia.

In addition to a new focus on Europe, Google found that the IT workers are increasingly targeting large organizations and attempting to extort companies that discover they are North Korean.

If a company fires the worker, the worker will typically threaten the former employer with warnings that sensitive stolen information — like source code and proprietary data — will be released to competitors.

This represented a shift in tactics, according to Google, which said the scammers previously might attempt to “provide references for their other personas so that they could be rehired by the company.” 

The FBI released an advisory in January confirming industry reports that as law enforcement scrutiny around the IT worker scheme has increased, more North Koreans are now attempting to extort companies.

The North Koreans have also been seen targeting companies that allow employees to bring their own devices, allowing them to circumvent one of the thorniest aspects of most employment schemes — the need for work laptops to be turned on during working hours and linked to other devices. 

The laptop farms allow it to look as though the North Koreans are working from the U.S. and Europe when many are working from China, Russia, Laos and other countries friendly to North Korea.

Through their “DPRK RevGen: Domestic Enabler” Initiative, U.S. authorities have arrested multiple citizens accused of helping North Koreans perpetrate the scheme.

Prosecutors have said North Korean IT workers “could individually earn more than $300,000 a year in some cases, and teams of IT workers could collectively earn more than $3 million annually.” 

Several of those caught by U.S. State Department officials “are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs,” according to indictments.

Many of the North Koreans have been able to gain employment at several Fortune 500 companies, including a “top-five major television network, a Silicon Valley technology company, an aerospace and defense company, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment company.”

“In response to heightened awareness of the threat within the United States, they've established a global ecosystem of fraudulent personas to enhance operational agility,” Collier said. “Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.