Full Report
Written by: Jamie Collier

Since our September 2024 report outlining the Democratic People's Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations have continued to expand. These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime. This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption. In collaboration with partners, Google Threat Intelligence Group (GTIG) has identified an increase in active operations in Europe, confirming the threat's expansion beyond the United States. This growth is coupled with evolving tactics, such as intensified extortion campaigns and the move to conduct operations within corporate virtualized infrastructure.

On The March: IT Workers Expand Globally with a Focus on Europe

DPRK IT workers' activity across multiple countries now establishes them as a global threat. While the United States remains a key target, over the past months DPRK IT workers have encountered challenges in seeking and maintaining employment in the country. This is likely due to increased awareness of the threat through public reporting, United States Department of Justice indictments, and right-to-work verification challenges. These factors have driven a global expansion of IT worker operations, with a notable focus on Europe.

Figure 1: List of countries impacted by DPRK IT Workers

IT Worker Activity in Europe

In late 2024, one DPRK IT worker operated at least 12 personas across Europe and the United States. The IT worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors. This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility.

Separately, additional investigations uncovered other IT worker personas seeking employment in Germany and Portugal, alongside login credentials for user accounts on European job websites and human capital management platforms. GTIG has also observed a diverse portfolio of projects in the United Kingdom undertaken by DPRK IT workers. These projects included web development, bot development, content management system (CMS) development, and blockchain technology, indicating a broad range of technical expertise, spanning traditional web development to blockchain and AI applications. Specific projects identified include:

- Development of a Nodexa token hosting plan platform using Next.js, React, CosmosSDK, and Golang, as well as the creation of a job marketplace using Next.js, Tailwind CSS, MongoDB, and Node.js.
- Further blockchain-related projects involving Solana and Anchor/Rust smart contract development, and a blockchain job marketplace built using the MERN stack and Solana.
- Contributions to existing websites by adding pages using Next.js and Tailwind CSS.
- Development of an AI web application leveraging Electron, Next.js, artificial intelligence, and blockchain technologies.

In their efforts to secure these positions, DPRK IT workers employed deceptive tactics, falsely claiming nationalities from a diverse set of countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. The identities used were a combination of real and fabricated personas. IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer. Payment for their services was facilitated through cryptocurrency, the TransferWise service, and Payoneer, highlighting the use of methods that obscure the origin and destination of funds.

Facilitators Support European Operations

The facilitators used by IT workers to help them get jobs, defeat identity verification, and receive funds fraudulently have also been found in Europe. One incident involved a DPRK IT worker using facilitators located in both the United States and the United Kingdom. Notably, a corporate laptop, ostensibly intended for use in New York, was found to be operational in London, indicating a complex logistical chain.

An investigation into infrastructure used by a suspected facilitator also highlighted heightened interest in Europe. Resources discovered contained fabricated personas, including resumes listing degrees from Belgrade University in Serbia and residences in Slovakia, as well as instructions for navigating European job sites. Additionally, contact information for a broker specializing in false passports was discovered, indicating a coordinated effort to acquire fraudulent identification documents. One document provided specific guidance on seeking employment in Serbia, including the use of a Serbian time zone during communications.

Extortion Heating Up

Alongside global expansion, DPRK IT workers are also evolving their tactics. Based on data from multiple sources, GTIG assesses that since late October 2024, IT workers have increased the volume of extortion attempts and gone after larger organizations. In these incidents, recently fired IT workers threatened to release their former employers' sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects. The increase in extortion campaigns coincided with heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments. This suggests a potential link, where pressure on these workers may be driving them to adopt more aggressive measures to maintain their revenue stream.

Previously, workers terminated from their places of employment might attempt to provide references for their other personas so that they could be rehired by the company. It is possible that the workers suspected they were terminated due to discovery of their true identities, which would preclude attempts to be rehired.

The Virtual Workspace: BYOD Brings IT Worker Risks

To avoid distributing corporate laptops, some companies operate a bring your own device (BYOD) policy, allowing employees to access company systems through virtual machines. Unlike corporate laptops, which can be monitored, personal devices operating under a BYOD policy may lack traditional security and logging tools, making it difficult to track activities and identify potential threats. This absence of conventional security measures means that the typical evidence trails linked to IT workers, such as corporate laptop shipping addresses and endpoint software inventories, are unavailable. All of this increases the risk of undetected malicious activity. GTIG believes that IT workers have identified BYOD environments as ripe for their schemes, and as of January 2025 they are conducting operations against their employers in these environments.

Conclusion

Global expansion, extortion tactics, and the use of virtualized infrastructure all highlight the adaptable strategies employed by DPRK IT workers. In response to heightened awareness of the threat within the United States, they have established a global ecosystem of fraudulent personas to enhance operational agility. Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations. For detailed mitigation and detection strategies, please visit our previous report on IT workers.
Analysis Summary
# Threat Actor: Democratic People's Republic of Korea (DPRK) IT Workers
## Attribution & Identity
The threat actor consists of IT workers operating on behalf of the Democratic People's Republic of Korea (DPRK) regime to generate illicit revenue. They operate under numerous aliases, falsely claiming nationalities such as Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam, using a mix of real and fabricated identities. These workers provide fabricated references, build rapport with recruiters, and use other personas under their own control to vouch for their credibility. Associated entities include facilitators discovered in the US and UK who aid in job placement, identity verification bypass, and fund transfer.
## Activity Summary
DPRK IT workers are expanding their global footprint, moving beyond the United States with a notable increase in operations across Europe. Their primary objective is to generate revenue for the regime through fraudulent remote employment; the access this gives them exposes employers to espionage, data theft, disruption, and, after termination, extortion.
**Recent Activities:**
* **Geographic Expansion:** Confirmed increase in active operations within Europe (e.g., Germany, Portugal, UK), shifting focus due to increased scrutiny in the US.
* **Technical Projects:** Undertaking diverse projects including web development, bot development, CMS development, and complex blockchain/AI applications (e.g., developing a Nodexa token hosting plan platform, Solana/Anchor/Rust smart contract development, MERN stack job marketplace).
* **Extortion Campaigns:** Since late October 2024, there has been an increase in volume and targets for extortion. Recently terminated workers threaten to release sensitive employer data or provide it to competitors.
* **BYOD Abuse:** Since January 2025, conducting operations from personal devices under Bring Your Own Device (BYOD) policies, reaching corporate systems through virtual machines where endpoint monitoring and the usual evidence trails (laptop shipping addresses, endpoint software inventories) are absent.
## Tactics, Techniques & Procedures
- Securing employment using highly deceptive, multi-persona strategies.
- Fabricating professional references and leveraging controlled personas to vouch for credibility.
- Utilizing platforms like Upwork, Telegram, and Freelancer for securing work.
- Defeating right-to-work and identity verification by claiming false nationalities with a mix of real and fabricated identities, and by harvesting login credentials for European job sites and human capital management platforms.
- Conducting malicious operations within virtualized infrastructure (VMs) under BYOD policies where security monitoring is difficult.
- Employing extortion tactics against former employers following termination.
- Utilizing facilitators (found in the US and UK) to obtain fraudulent identity documents (a broker for false passports), fabricate resumes (e.g., degrees from Belgrade University, residences in Slovakia), defeat identity verification, relay corporate laptops (one shipped for use in New York was operated from London), receive funds, and follow playbooks for specific countries (e.g., using a Serbian time zone in communications when applying in Serbia).
## Targeting
- **Sectors:** Defense industrial base, government sectors, and general organizations employing remote IT workers.
- **Geography:** Global, with primary focus areas including the United States and Europe (notably Germany, Portugal, United Kingdom).
- **Victims:** Organizations hiring remote IT staff who inadvertently provide access to sensitive data and infrastructure.
## Tools & Infrastructure
- **Malware families used:** None reported. The report describes no malware; the tradecraft is identity fraud, use of legitimate freelance and payment platforms, and misuse of access granted to the worker as an employee (source code and proprietary data later used for extortion).
- **Infrastructure (C2, domains, IPs):** No C2 domains or IP addresses are published in the report. Observed infrastructure is logistical and financial:
  - Payment methods: cryptocurrency, TransferWise, and Payoneer.
  - Job/recruitment channels: Upwork, Telegram, and Freelancer.
  - Development tools/frameworks observed: Next.js, React, CosmosSDK, Golang, Tailwind CSS, MongoDB, Node.js, Solana, Anchor/Rust (smart contracts), Electron (AI web app), MERN stack.
  - Logistical support: facilitators in the US and UK, a corporate laptop shipped for use in New York but operated from London, a broker contact for false passports, and documents guiding employment in Serbia (including use of a Serbian time zone in communications).
## Implications
The DPRK IT worker threat is globalizing rapidly, leveraging sophisticated deception to embed within sensitive networks, particularly in Europe. The shift toward exploiting BYOD environments and the escalation to aggressive extortion campaigns indicate an actor adapting quickly under pressure, posing significant risks of data exposure, espionage, and disruption to targeted organizations worldwide.
## Mitigations
- Enhance vetting: verify identity documents and references through channels established independently of the contact details the candidate supplies, since workers submit fabricated references and use personas they control to vouch for one another; treat a reference that is reachable only through the candidate as unverified.
- Increase scrutiny of remote workers, especially those operating under BYOD policies where traditional endpoint security visibility is degraded; corroborate the claimed location with evidence the worker does not control (device telemetry, sign-in geolocation, laptop shipping and delivery records).
- Implement robust monitoring and logging within virtualized or non-corporate environments used for accessing sensitive company resources, and alert on corporate devices that sign in from a country other than the one they were shipped to, on source IPs or devices shared by several employee accounts, and on activity patterns inconsistent with the employee's declared time zone.
- Define offboarding procedures for suspected DPRK workers: immediate revocation of all access (including VM and BYOD sessions and repository credentials), preservation of evidence, and engagement with legal counsel and law enforcement, since terminated workers have escalated to extortion using proprietary data and source code taken during employment.
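The following is an added example, not code from the GTIG report or from Google, showing how the indicators described in the facilitator and BYOD sections above (a corporate laptop shipped for New York but operated from London, one operator running many personas from shared infrastructure, personas vouching for each other as references, and time-zone discipline in communications) can be screened for mechanically by joining identity-provider sign-in events to the HR roster. The roster, the sign-in events, the field names, and the thresholds are all constructed assumptions; real logs need a mapping step onto these fields.

```python
"""Screen remote-worker sign-in records for DPRK IT-worker indicators.

Added example, not code from the GTIG report. The roster and sign-in
records are constructed, and every field name is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed HR roster: country the corporate laptop shipped to, its asset
# ID, the worker's declared UTC offset (hours), and who submitted references
# from which source IP.
ROSTER = {
    "a.rossi": {"shipped_country": "US", "device_id": "LT-0091", "tz_offset": -5,
                "references": [{"name": "M. Bauer", "submitted_from_ip": "198.51.100.7"}]},
    "k.tanaka": {"shipped_country": "DE", "device_id": "LT-0102", "tz_offset": 1,
                 "references": [{"name": "L. Silva", "submitted_from_ip": "203.0.113.40"}]},
    "p.nguyen": {"shipped_country": "GB", "device_id": "LT-0115", "tz_offset": 0,
                 "references": [{"name": "S. Park", "submitted_from_ip": "192.0.2.200"}]},
}

# Constructed identity-provider sign-in events (UTC timestamps, geo from IP).
SIGNINS = [
    {"ts": "2025-01-13T02:05:00Z", "account": "a.rossi", "ip": "198.51.100.7", "country": "GB", "device_id": "LT-0091"},
    {"ts": "2025-01-13T03:40:00Z", "account": "a.rossi", "ip": "198.51.100.7", "country": "GB", "device_id": "LT-0091"},
    {"ts": "2025-01-14T02:15:00Z", "account": "a.rossi", "ip": "198.51.100.7", "country": "GB", "device_id": "LT-0091"},
    {"ts": "2025-01-14T04:30:00Z", "account": "a.rossi", "ip": "198.51.100.7", "country": "GB", "device_id": "LT-0091"},
    {"ts": "2025-01-13T02:30:00Z", "account": "k.tanaka", "ip": "198.51.100.7", "country": "GB", "device_id": "LT-0102"},
    {"ts": "2025-01-14T03:15:00Z", "account": "k.tanaka", "ip": "198.51.100.7", "country": "GB", "device_id": "LT-0102"},
    {"ts": "2025-01-14T09:10:00Z", "account": "p.nguyen", "ip": "192.0.2.55", "country": "GB", "device_id": "LT-0115"},
    {"ts": "2025-01-15T10:00:00Z", "account": "p.nguyen", "ip": "192.0.2.55", "country": "GB", "device_id": "LT-0115"},
]


def _local_hour(ts_utc, tz_offset):
    """Hour of day in the worker's declared time zone for a UTC ISO-8601 timestamp."""
    dt = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (dt + timedelta(hours=tz_offset)).hour


def geo_mismatch(roster, signins):
    """Corporate devices signing in from a country other than the one they shipped to."""
    hits = set()
    for ev in signins:
        rec = roster.get(ev["account"])
        if rec and ev["device_id"] == rec["device_id"] and ev["country"] != rec["shipped_country"]:
            hits.add((ev["account"], rec["shipped_country"], ev["country"]))
    return sorted(hits)


def shared_infrastructure(signins):
    """Source IPs or device IDs used by more than one account: one operator, many personas."""
    by_key = defaultdict(set)
    for ev in signins:
        by_key[ev["ip"]].add(ev["account"])
        by_key[ev["device_id"]].add(ev["account"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def reference_collision(roster, signins):
    """References submitted from an IP the candidate also signs in from (persona vouching)."""
    ips = defaultdict(set)
    for ev in signins:
        ips[ev["account"]].add(ev["ip"])
    return [(acct, ref["name"], ref["submitted_from_ip"])
            for acct, rec in roster.items()
            for ref in rec["references"]
            if ref["submitted_from_ip"] in ips[acct]]


def timezone_anomaly(roster, signins, night=(0, 5), min_events=2, threshold=0.5):
    """Accounts whose sign-ins mostly fall at night in their declared time zone."""
    hours = defaultdict(list)
    for ev in signins:
        rec = roster.get(ev["account"])
        if rec:
            hours[ev["account"]].append(_local_hour(ev["ts"], rec["tz_offset"]))
    hits = {}
    for acct, hs in hours.items():
        if len(hs) < min_events:
            continue  # too few events to judge a pattern
        share = sum(night[0] <= h <= night[1] for h in hs) / len(hs)
        if share >= threshold:
            hits[acct] = round(share, 2)
    return hits


def screen(roster, signins):
    """Run every check and return a list of findings per flagged account."""
    findings = defaultdict(list)
    for acct, shipped, seen in geo_mismatch(roster, signins):
        findings[acct].append(f"device shipped to {shipped} but signs in from {seen}")
    for key, accts in shared_infrastructure(signins).items():
        for acct in accts:
            others = ", ".join(a for a in accts if a != acct)
            findings[acct].append(f"shares {key} with {others}")
    for acct, name, ip in reference_collision(roster, signins):
        findings[acct].append(f"reference '{name}' submitted from candidate's own IP {ip}")
    for acct, share in timezone_anomaly(roster, signins).items():
        findings[acct].append(f"{int(share * 100)}% of sign-ins at night in declared time zone")
    return dict(findings)


if __name__ == "__main__":
    for acct, reasons in screen(ROSTER, SIGNINS).items():
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data, `a.rossi` is flagged for the laptop-location mismatch, the shared source IP, and a reference submitted from the candidate's own IP; `k.tanaka` for the mismatch, the shared IP, and night-time activity relative to the declared German time zone; `p.nguyen` is clean. None of these checks is conclusive alone (travel, VPN egress, and shared office NAT all produce the same signals), so they are a triage queue for the vetting and offboarding procedures above, not an automatic verdict.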