rewrite this title North Korean IT Workers Infiltrated European Solana-Based Projects: Google – Decrypt

North Korean cyber operatives have expanded their reach beyond U.S. firms to target blockchain startups in the EU and UK, posing as remote developers and leaving a trail of compromised data and extortion attempts.

In a report released on Tuesday, Google’s Threat Intelligence Group (GTIG) revealed that IT workers linked to the Democratic People’s Republic of Korea (DPRK) have scaled up operations outside the U.S., embedding themselves in crypto projects across the UK, Germany, Portugal, and Serbia.

Compromised projects include blockchain marketplaces, AI web apps, and the development of Solana and Anchor/Rust smart contracts.

One case involved building a Nodexa token hosting platform using Next.js and CosmosSDK, while others included a blockchain job marketplace built using the MERN stack and Solana, and the development of AI-enhanced blockchain tools using Electron and Tailwind CSS.

“In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” said GTIG adviser Jamie Collier in the report.

Some workers operated under 12 fake identities at once, using degrees from Belgrade University, false residency documents from Slovakia, and guidance for navigating European job platforms, the report noted.

Collier said that facilitators based in the UK and U.S. helped these actors bypass ID checks and receive payments via TransferWise, Payoneer, and crypto, effectively hiding the source of funds flowing back to the North Korean regime.

GTIG reports the workers are generating revenue for the North Korean regime, which U.S., Japanese, and South Korean envoys have previously accused of using overseas IT specialists, including those engaged in malicious cyber activity, to help fund its sanctioned weapons programs.

“This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption,” Collier warned.

Extortion threats

Since October 2024, GTIG observed a surge in extortion threats as laid-off DPRK developers have begun blackmailing former employers with threats to leak source code and proprietary files.

This uptick in aggression, GTIG noted, coincides with “heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments.”

Last December, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two Chinese nationals for laundering digital assets to finance North Korea’s government, using a UAE-based front company tied to the regime in Pyongyang.

Then, in January, the Justice Department indicted two North Korean nationals for operating a fraudulent IT work scheme that infiltrated at least 64 U.S. companies between 2018 and 2024.

Beyond Lazarus Group

In March, Paradigm security researcher Samczsun warned that the DPRK’s cyber strategy goes far beyond the State-backed Lazarus Group, which has been linked to some of the largest crypto hacks in history.

“DPRK hackers are an ever-growing threat against our industry,” Samczsun wrote, outlining a web of subgroups like TraderTraitor and AppleJeus, which specialize in social engineering, fake job offers, and supply chain attacks.

In February, hackers tied to Lazarus stole $1.4 billion from crypto exchange Bybit, with the funds later funneled through coin mixers and  DEX.

As the crypto industry leans heavily on remote talent and bring-your-own-device (BYOD) environments, GTIG warned that many startups lack proper monitoring tools to detect such threats.

And that, Collier said, is exactly the point—with North Korea exploiting, “the rapid formation of a global infrastructure and support network that empowers their continued operations.”