North Korean hackers are expanding their remote IT job scams from the US to Europe.
Google security researchers attribute the shift to US efforts to crack down and warn companies about the dangers of mistakenly hiring a North Korean hacker. The US also has pretty strict processes to verify employment eligibility.
"These factors have instigated a global expansion of IT worker operations, with a notable focus on Europe," Google said in a blog post on Tuesday. For example, late last year, Google discovered a North Korean with "at least 12 personas across Europe and the United States."
“The IT worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors,” the company says. “This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and utilizing additional personas they controlled to vouch for their credibility.”
In other cases, Google’s security researchers uncovered the suspected North Koreans looking for employment in Germany and Portugal while using login credentials for European job hiring sites. The North Koreans also secured work projects in the UK related to web development, blockchain technologies, and an AI web application.
A map from Google also shows the North Koreans are targeting other countries, including India, Australia, and Brazil. According to federal investigators, North Korea has been sponsoring the scheme to generate funds for government programs, including weapons development.
To secure the jobs, the North Koreans claimed to be from Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. They use a combination of identities taken from real people and fabricated personas. The North Koreans also relied on job sites including Upwork and Freelancer, in addition to the messaging service Telegram.
Google’s investigation shows the North Koreans are adaptable. “Resources discovered contained fabricated personas, including resumes listing degrees from Belgrade University in Serbia and residences in Slovakia, as well as instructions for navigating European job sites,” the company said. “Additionally, contact information for a broker specializing in false passports was discovered, indicating a coordinated effort to acquire fraudulent identification documents.”
Companies often turn to freelance IT workers to cut costs or fill positions quickly, but the strategy can backfire if a North Korean hacker slips through the cracks. This can involve the North Korean stealing confidential data and then demanding the victim company pay a ransom.
Google notes that since late October 2024, the North Korean IT workers have “increased the volume of extortion attempts and gone after larger organizations.”
“The increase in extortion campaigns coincided with heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments. This suggests a potential link, where pressure on these workers may be driving them to adopt more aggressive measures to maintain their revenue stream,” Google adds.
As a result, companies should consider thoroughly vetting job candidates for remote job positions. Google noted the North Koreans have particularly targeted companies that let the workers use their own personal devices to conduct the work.
“Unlike corporate laptops that can be monitored, personal devices operating under a BYOD (bring your own device) policy may lack traditional security and logging tools, making it difficult to track activities and identify potential threats,” Google says.


