A recent report by Google Threat Intelligence Group (GTIG) reveals that the threat posed by Democratic People’s Republic of Korea (DPRK) IT workers is expanding globally. These individuals are posing as legitimate remote workers to infiltrate companies and generate revenue for the DPRK regime.
Initially, the United States was a primary target. However, DPRK IT workers now operate across multiple countries, establishing themselves as a global threat. The report attributes this shift to increased awareness of the threat, U.S. Department of Justice indictments, and right-to-work verification challenges in the United States: “This is likely due to increased awareness of the threat through public reporting, United States Department of Justice indictments, and right-to-work verification challenges,” the report explains. This has led to a notable focus on Europe.
In late 2024, one DPRK IT worker was found to be operating at least 12 personas across Europe and the United States, targeting organizations within the defense industrial base and government sectors. GTIG investigations have also uncovered IT worker personas seeking employment in Germany and Portugal.
DPRK IT workers have demonstrated a broad range of technical skills in their European operations, including web development, bot development, CMS development, and blockchain technology.
To secure employment, DPRK IT workers employ deceptive tactics, falsely claiming nationalities from various countries. They are recruited through online platforms like Upwork, Telegram, and Freelancer, and payments are facilitated through cryptocurrency, TransferWise, and Payoneer to obfuscate the origin and destination of funds.
Facilitators play a crucial role in supporting these operations by helping IT workers obtain jobs, bypass identity verification, and receive funds. “The facilitators used by IT workers to help them get jobs, defeat identity verification, and receive funds fraudulently have also been found in Europe,” the report highlights. Investigations have revealed facilitators in both the United States and the United Kingdom, with evidence of a complex logistical chain, including a corporate laptop intended for use in New York being operational in London.
DPRK IT workers are also evolving their tactics beyond simply generating revenue through employment. GTIG data indicates an increase in extortion attempts since late October 2024, with larger organizations being targeted. “In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor,” the report states. This shift towards more aggressive measures may be linked to increased U.S. law enforcement actions against DPRK IT workers. “This suggests a potential link, where pressure on these workers may be driving them to adopt more aggressive measures to maintain their revenue stream,” the report explains.
Furthermore, DPRK IT workers are exploiting weaknesses in Bring Your Own Device (BYOD) environments. BYOD policies, while cost-effective, can lack the traditional security and logging tools found on managed corporate devices, which makes malicious activity harder to detect. “GTIG believes that IT workers have identified BYOD environments as potentially ripe for their schemes, and in January 2025, IT workers are now conducting operations against their employers in these scenarios,” the report concludes.