North Korean IT Professionals Expand Operations in Europe Amid Increased Sanctions from the US

North Korean IT professionals have diversified their operations beyond the United States following increased punitive measures from Washington. As a result, more of these individuals are now finding employment with companies across Europe.

These North Korean experts conceal their true identities, impersonating workers from various countries to fraudulently secure freelance positions at firms worldwide, thereby generating income for the ruling regime in North Korea. The media has dubbed these individuals «IT warriors.»

Researchers from the Google Threat Intelligence Group (GTIC) report that North Korean specialists have now targeted companies in Germany, Portugal, and the UK. Several of these «IT warriors» have faced charges in the United States.

Jamie Collier, a lead threat intelligence consultant at GTIG, stated that North Korean IT specialists have employed deceptive tactics to establish themselves in roles by falsely claiming citizenship from countries such as Italy, Japan, Malaysia, Singapore, Ukraine, the US, and Vietnam. According to the expert, the perpetrators used a mix of real and fabricated identities.

These «IT warriors» were recruited through various online platforms, including Upwork, Telegram, and Freelancer. Their services were paid for in cryptocurrency through channels like TransferWise and Payoneer, indicating a strategy to obscure the origin and destination of the funds, Collier adds.

North Korean IT specialists have been associated with numerous projects in the UK, ranging from artificial intelligence and blockchain technologies to website development, bots, and content management systems.

One North Korean specialist targeted several European organizations in the defense and government sectors, using fake references and identities to facilitate deception of recruiters and secure employment.

Michael Barnhart, a senior analyst at Mandiant (a Google subsidiary), noted that North Korean IT professionals are increasingly infiltrating large organizations to steal sensitive information and extort money from employers.

The GTIG report was released following multiple warnings from the FBI concerning thousands of North Korean IT specialists seeking jobs within American companies. According to the bureau, approximately 90% of the revenue generated from such activities is retained by the North Korean government, bringing in hundreds of millions of dollars annually to fund weapons programs.

In the spring of the previous year, the US Department of Justice uncovered that for three years, Arizona resident Christina Chapman assisted North Korean IT specialists in obtaining «illegal remote jobs» by using both fake and real identities of US citizens. Through her activities, Chapman laundered approximately $6.8 million, with over 300 American companies falling victim to the scheme.

In the summer of 2024, the American company KnowBe4 inadvertently hired a hacker from North Korea, who successfully passed an interview by creating a resume photo from stock imagery edited with neural networks.

After being discovered and dismissed, some of the North Korean IT workers resorted to using insider information to extort money from former employers, threatening to leak confidential data stolen from company systems.

In January 2025, the US Justice Department indicted two North Korean nationals and three intermediaries for their involvement in a long-running fraudulent remote employment scheme within the IT sector.

The Office of Foreign Assets Control, part of the US Treasury Department, imposed sanctions on North Korean shell companies linked to the country’s Ministry of National Defense, accused of profiting from illicit remote work schemes in the IT field.

The US State Department is offering millions of dollars for information that could help curtail the fraudulent activities of these «IT warriors.»