North Korean IT workers have expanded their reach beyond U.S. businesses, posing as remote developers and leaving a trail of stolen data and extortion attempts.

According to a report released on Tuesday, Google's Threat Intelligence Group (GTIG) found that IT workers affiliated with the Democratic People's Republic of Korea (DPRK) have expanded their operations abroad and embedded themselves in crypto projects in Germany, Portugal, and Serbia.

The projects they worked on included blockchain websites, AI web applications, and the development of Solana and Anchor/Rust smart contracts.

One case involved building a Nodexa token hosting platform with Next.js. Others included AI-enhanced crypto applications built with Electron and Tailwind CSS, and a cryptocurrency job marketplace built on the MERN stack and Solana.

In response to heightened awareness of the threat within the United States, "they've created a global ecosystem of fraudulent personas to enhance operational agility," said GTIG's Jamie Collier.

According to the report, some workers relied on purported degrees from Belgrade University, fake residency documents from Slovakia, and guidance on how to navigate European job sites.

Collier said facilitators in the UK and U.S. have been working with these actors to evade identity checks and to receive payment through TransferWise, Payoneer, and cryptocurrency, effectively obscuring the flow of funds back to the North Korean regime.

A Wise spokesperson said, "we take the responsibility of complying with all applicable sanctions laws very seriously," adding that the company runs "numerous verification checks" and uses "over 250 data points to monitor Wise transactions to detect and identify potential misuse of our services." They added that Wise reports suspicious activity to "relevant authorities globally" and that "when we identify potential financial crime or any other misuse of our services, we take immediate action to investigate the case, including suspending or freezing the transactions and customer accounts."

According to GTIG, the North Korean regime uses overseas IT workers, including those engaged in illicit cyber activity, to generate revenue for its sanctioned weapons programs. U.S., Japanese, and South Korean officials have previously accused Pyongyang of deploying overseas IT workers for the same purpose.

Collier warned that this exposes organizations that unknowingly employ DPRK IT workers to espionage, data theft, and disruption.

Threats of extortion

GTIG has observed a rise in extortion attempts since October 2024, as dismissed DPRK developers have begun blackmailing former employers with threats to leak source code and proprietary data.

According to GTIG, this uptick in aggressive tactics coincides with "increased US law enforcement actions against DPRK IT workers, including disruptions and indictments."

Two Chinese nationals were sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) for using a UAE-based front company linked to the Pyongyang regime to launder digital assets on behalf of the North Korean government.

In January, the Justice Department also indicted two North Korean nationals for running a fraudulent IT work scheme that ensnared at least 64 U.S. companies between 2018 and 2024.

Beyond Lazarus Group

According to Samczsun, a security researcher at Paradigm, the DPRK's cyber strategy extends far beyond the state-backed Lazarus Group, which has been linked to some of the largest crypto hacks in history.

Samczsun describes a web of subgroups such as TraderTraitor and AppleJeus that specialize in social engineering, fake job offers, and supply chain attacks, calling them an "ever-growing threat against our industry."

Hackers affiliated with Lazarus stole $1.4 billion from the crypto exchange Bybit in February, and the funds were later laundered through coin mixers and decentralized exchanges (DEXs).

GTIG warned that many startups lack adequate monitoring tools to detect such threats, because the crypto industry relies heavily on bring-your-own-device (BYOD) environments and remote talent.

That environment is precisely what enables "the rapid development of a global infrastructure and support network that allows their continued operations," according to Collier.
