
North Korea’s fake tech workers now targeting European employers

(2025/04/02)


North Korea’s scamming, thieving, and AI-abusing fake IT workers are increasingly targeting European employers.

The hermit kingdom (DPRK) runs a corps of operatives who apply for remote tech jobs and, if they get them, funnel their salaries to Kim Jong Un’s coffers. Some also run malware on company computers, steal their employers’ data, then demand ransom payments. Many just do a bad job – sometimes for several employers at a time – so they can be paid multiple salaries.

The workers submit impressive CVs and, if they score an interview, try to disguise their accents and appearance. Claiming their webcam is broken, and therefore being unable to appear in interviews, is a favourite tactic. So is using generative AI to create portraits, or even answers in interviews.


Sometimes the fake workers slip up after they get a job, by asking that company laptops be sent to an address that doesn’t match the one used in their applications. That can be a sign they’ve recruited a local facilitator who will keep the laptop connected to the grid and the net. The North Koreans then use VPNs to connect to the employer-provided laptops, and make sure they work – or appear to be working – the appropriate local hours. Facilitators also help to shift salaries to Pyongyang.

[2]I'm a security expert, and I almost fell for a North Korea-style deepfake job applicant … Twice

The scam is sophisticated: Even infosec businesses have [3]interviewed and [4]hired North Korean techies.

A Tuesday [5]post penned by Jamie Collier, lead adviser at Google’s Threat Intelligence Group, reports “an increase of active operations in Europe” by such workers.


“DPRK IT workers' activity across multiple countries now establishes them as a global threat,” the post states. “While the United States remains a key target, over the past months, DPRK IT workers have encountered challenges in seeking and maintaining employment in the country. This is likely due to increased awareness of the threat through public reporting, United States Department of Justice indictments, and right-to-work verification challenges.”

“These factors have instigated a global expansion of IT worker operations, with a notable focus on Europe,” Collier added.

[8]FBI officially fingers North Korea for $1.5B Bybit crypto-burglary

[9]North Korea targets crypto developers via NPM supply chain attack

[10]North Koreans clone open source projects to plant backdoors, steal credentials

[11]North Korean dev who renamed himself 'Bane' accused of IT worker fraud caper

Google, and unnamed partners, have spotted North Korean IT workers “seeking employment in Germany and Portugal” and also found “login credentials for user accounts of European job websites and human capital management platforms.”

Investigators also found “fabricated personas, including resumes listing degrees from Belgrade University in Serbia and residences in Slovakia, as well as instructions for navigating European job sites.”


“One document provided specific guidance on seeking employment in Serbia, including the use of a Serbian time zone during communications.”

Info on how to acquire false passports was also found, presumably so the fake techies can provide credentials that allow them to establish a right to work or open bank accounts.

The North Korean operatives sought work on platforms including Upwork, Telegram, and Freelancer. Some sought payment in cryptocurrency, or through services like TransferWise and Payoneer.

Google also thinks it’s found evidence of sophisticated facilitators in the UK.

“One incident involved a DPRK IT worker using facilitators located in both the United States and the United Kingdom. Notably, a corporate laptop, ostensibly intended for use in New York, was found to be operational in London, indicating a complex logistical chain,” Collier wrote.
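
The two logistics slip-ups described above (a laptop shipped to an address that differs from the one on the application, and a laptop meant for New York turning up in London) can be checked mechanically. The following is an added example, not code from the article or from Google's post; the record fields, worker names and addresses are constructed assumptions, not a real HR or device-management schema.

```python
import re
from dataclasses import dataclass

@dataclass
class Hire:
    worker: str
    application_address: str  # address given on the job application
    ship_to_address: str      # where the worker asked for the laptop to be sent
    assigned_city: str        # where the laptop is meant to be used

@dataclass
class CheckIn:
    worker: str
    city: str  # location the device reported, already resolved upstream

def norm(text: str) -> str:
    """Casefold and drop punctuation so formatting differences alone do not flag."""
    return " ".join(re.sub(r"[^\w\s]", " ", text.casefold()).split())

def review(hire: Hire, checkins: list[CheckIn]) -> list[str]:
    """Return which of the two logistics indicators apply to this hire."""
    findings = []
    if norm(hire.application_address) != norm(hire.ship_to_address):
        findings.append("ship-to address differs from application address")
    seen = {norm(c.city): c.city for c in checkins if c.worker == hire.worker}
    away = sorted(city for key, city in seen.items() if key != norm(hire.assigned_city))
    if away:
        findings.append(f"laptop assigned to {hire.assigned_city} seen in {', '.join(away)}")
    return findings

# Constructed sample data (hypothetical workers and addresses).
HIRES = [
    Hire("worker-a", "12 Example St., New York, NY", "12 example st new york ny", "New York"),
    Hire("worker-b", "34 Sample Ave, New York, NY", "56 Placeholder Rd, Newark, NJ", "New York"),
]
CHECKINS = [
    CheckIn("worker-a", "New York"),
    CheckIn("worker-b", "London"),
    CheckIn("worker-b", "London"),
]

if __name__ == "__main__":
    for hire in HIRES:
        print(hire.worker, review(hire, CHECKINS) or "no findings")
```

A finding is a prompt for HR or security to follow up, since a legitimate employee who moves or travels will trip the same checks.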

The Googler thinks the fake workers are now targeting companies that operate a Bring Your Own Device (BYOD) policy, because if they can use their own hardware it’s unlikely corporate management tools can touch it. BYOD also means employers don’t need to send workers a laptop, so there’s no postal address that investigators can use to start probing a worker if things go pear-shaped.

Google thinks investigations will be needed, because it’s also seen North Korean fakers increasingly targeting larger employers and more often attempting extortion.

“In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects,” Collier wrote, before suggesting the increase in extortion attempts may be linked to increased US action against fake workers that makes them desperate to maintain their ill-gotten revenues.

Avoiding this scam isn’t easy, because the perps are sophisticated, but the FBI has issued [14]guidance about how to spot fake North Korean techies. Telltale signs include evading in-person meetings, changing preferred payment methods on freelance work platforms, and online profiles that don’t include an image. ®




[2] https://www.theregister.com/2025/02/11/it_worker_scam/

[3] https://www.theregister.com/2025/02/11/it_worker_scam/

[4] https://www.theregister.com/2024/10/18/ransom_fake_it_worker_scam/

[5] https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale/

[8] https://www.theregister.com/2025/02/27/fbi_bybit_korea/

[9] https://www.theregister.com/2025/02/13/north_korea_npm_crypto/

[10] https://www.theregister.com/2025/01/29/lazarus_groups_supply_chain_attack/

[11] https://www.theregister.com/2025/01/24/north_korean_devs_and_their/

[14] https://www.theregister.com/2023/10/19/north_korea_fake_freelance_avoidance/




Wait Just a Minute

Anonymous Coward

... and also found "login credentials for user accounts of European job websites and human capital management platforms.”

Investigators also found “fabricated personas, including resumes listing degrees from Belgrade University in Serbia and residences in Slovakia, as well as instructions for navigating European job sites.”

Just where were these documents found? Scanning Google Docs?

I'm not disputing these findings. I am raising the potential privacy issues of where and how these documents were found.

Video-Conferencing Avatars

An_Old_Dog

I want a dynamically-generated video-conferencing avatar which makes me look and sound like Sesame Street's Big Bird.

Re: Video-Conferencing Avatars

Like a badger

I'd like to be represented as a Chow Chow, with the voice of Sir Ian McKellen.

"now targeting companies that operate a Bring Your Own Device (BOYD) policy"

Like a badger

There's a simple solution there.
