Recent analysis shows a significant increase in North Korean cyber threat activities across Europe, extending beyond their usual focus on the United States.
Today, Google’s Threat Intelligence Group reported that North Korean IT operatives have expanded their operations worldwide in recent months. This shift follows increased efforts by U.S. authorities to crack down on these actors. As awareness grows in the U.S., North Korean cyber teams are adapting their strategies, including broadening their global reach, refining extortion tactics, and using virtual infrastructure to strengthen their threat ecosystem.
According to the Group, by late 2024, a single North Korean IT operative used over a dozen false identities to conduct operations across Europe and the United States. Of particular concern, this individual targeted positions within European defense industries and government agencies. Tactics included using fake references and exploiting connections with hiring managers to further their deception. In a separate case, another operative conducted job searches in Germany and Portugal using login credentials from European job sites and financial management platforms.
In the UK, a wider range of projects involving North Korean IT workers has been observed, including web development, bot creation, content management system (CMS) development, and blockchain technology, according to Google’s Threat Intelligence Group. This breadth of activity highlights the diverse technical capabilities of these operatives, from traditional web design to advanced blockchain and AI applications.
To secure employment, these operatives have assumed false nationalities, claiming to be from countries including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. They often mix real and fake personal information to create convincing identities.
North Korean IT personnel operating in Europe have been recruited through various online platforms, such as Upwork, Telegram, and Freelancer. To hide the flow of funds, payments are processed via cryptocurrencies, TransferWise, and Payoneer.
The Google Threat Intelligence Group notes that the rise in North Korean cyberattacks coincides with increased U.S. enforcement efforts. This suggests that they may be ramping up their aggressive targeting of large corporations to sustain their cyber-extortion revenue streams.
Jamie Collier, a Lead Threat Intelligence Advisor in EMEA at Google Cloud, warned that over the past decade, North Korea has carried out a wide range of cyberattacks, including SWIFT system breaches, ransomware deployments, cryptocurrency heists, and supply chain compromises. This ongoing evolution reflects North Korea’s long-term strategy to fund its regime through cyber operations. Given their track record of success, it’s highly likely that North Korean IT operatives will continue to expand their global reach. The Asia-Pacific region is already in their sights. These attacks can be particularly damaging in areas with limited cyber threat awareness, making the Asia-Pacific region especially vulnerable.
