North Korean IT workers are intensifying their fraudulent employment schemes, extending their reach beyond the United States to target organizations worldwide, with a particular focus on Europe. According to Google’s Threat Intelligence Group (GTIG), these workers are not only seeking jobs under false pretenses but are also escalating their tactics by extorting money from companies that discover and terminate them.
This shift in behavior may be linked to increased U.S. law enforcement efforts, including disruptions and indictments, which have hampered their operations and pushed them to adopt more aggressive strategies to sustain their income. Previously, these workers might have tried to reapply using alternate personas and fabricated references, but growing awareness of their true identities has limited such opportunities.
The pivot to Europe and other economically advanced regions like Asia, Australia, and Latin America follows years of heightened scrutiny in the U.S., where efforts have focused on exposing front companies, punishing facilitators, and helping organizations detect these threats. In Europe, GTIG has tracked a surge in activity, including one worker managing 12 personas across the U.S. and Europe in late 2024, targeting defense and government sectors. Cases have emerged of North Korean tech workers using fake identities on job platforms in Germany, Portugal, and the UK, infiltrating industries like web development, blockchain, and content management. These workers often favor companies with "bring your own device" (BYOD) policies, exploiting the lack of monitoring on personal devices to evade detection and cover their tracks.
To execute their schemes, North Korean IT workers employ a sophisticated toolkit: they build fake identities blending real and fabricated details (e.g., claiming Italian, Japanese, or Ukrainian nationality), cozy up to recruiters, and leverage platforms like Upwork, Telegram, and Freelancer to secure gigs. They use payment services like TransferWise and Payoneer to obscure the flow of funds, while facilitators in Europe and the UK assist by providing fraudulent documents and helping them navigate local job markets. This growing operation highlights their adaptability: by exploiting lax security measures and global hiring platforms to sustain their illicit revenue streams, they pose a persistent challenge to organizations worldwide.