{
	"id": "7017e722-09e6-4c1a-9929-e83855004fa3",
	"created_at": "2026-04-06T00:18:14.108477Z",
	"updated_at": "2026-04-10T13:12:48.702061Z",
	"deleted_at": null,
	"sha1_hash": "ec7a242e5c0e96342dcb89c6b9ede1ebec5df0ff",
	"title": "DPRK IT Workers Expanding in Scope and Scale",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 381552,
	"plain_text": "DPRK IT Workers Expanding in Scope and Scale\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-04-01 · Archived: 2026-04-05 19:43:21 UTC\r\nWritten by: Jamie Collier\r\nSince our September 2024 report outlining the Democratic People's Republic of Korea (DPRK) IT worker threat,\r\nthe scope and scale of their operations has continued to expand. These individuals pose as legitimate remote\r\nworkers to infiltrate companies and generate revenue for the regime. This places organizations that hire DPRK IT\r\nworkers at risk of espionage, data theft, and disruption.\r\nIn collaboration with partners, Google Threat Intelligence Group (GTIG) has identified an increase of active\r\noperations in Europe, confirming the threat's expansion beyond the United States. This growth is coupled with\r\nevolving tactics, such as intensified extortion campaigns and the move to conduct operations within corporate\r\nvirtualized infrastructure. \r\nOn The March: IT Workers Expand Globally with a Focus on Europe\r\nDPRK IT workers' activity across multiple countries now establishes them as a global threat. While the United\r\nStates remains a key target, over the past months, DPRK IT workers have encountered challenges in seeking and\r\nmaintaining employment in the country. This is likely due to increased awareness of the threat through public\r\nreporting, United States Department of Justice indictments, and right-to-work verification challenges. These\r\nfactors have instigated a global expansion of IT worker operations, with a notable focus on Europe.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale\r\nPage 1 of 4\n\nFigure 1: List of countries impacted by DPRK IT workers\r\nIT Worker Activity in Europe \r\nIn late 2024, one DPRK IT worker operated at least 12 personas across Europe and the United States. 
The IT\r\nworker actively sought employment with multiple organizations within Europe, particularly those within the\r\ndefense industrial base and government sectors. This individual demonstrated a pattern of providing fabricated\r\nreferences, building a rapport with job recruiters, and using additional personas they controlled to vouch for their\r\ncredibility.\r\nSeparately, additional investigations uncovered other IT worker personas seeking employment in Germany and\r\nPortugal, alongside login credentials for user accounts of European job websites and human capital management\r\nplatforms.\r\nGTIG has also observed a diverse portfolio of projects in the United Kingdom undertaken by DPRK IT workers.\r\nThese projects included web development, bot development, content management system (CMS) development,\r\nand blockchain technology, indicating a broad range of technical expertise, spanning traditional web development\r\nto advanced blockchain and AI applications. \r\nSpecific projects identified include:\r\nDevelopment of a Nodexa token hosting plan platform using Next.js, React, CosmosSDK, and Golang, as\r\nwell as the creation of a job marketplace using Next.js, Tailwind CSS, MongoDB, and Node.js. \r\nFurther blockchain-related projects involved Solana and Anchor/Rust smart contract development, and a\r\nblockchain job marketplace built using the MERN stack and Solana. \r\nContributions to existing websites by adding pages using Next.js and Tailwind CSS. \r\nDevelopment of an artificial intelligence (AI) web application leveraging Electron, Next.js, AI, and\r\nblockchain technologies. \r\nIn their efforts to secure these positions, DPRK IT workers employed deceptive tactics, falsely claiming\r\nnationalities from a diverse set of countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the United\r\nStates, and Vietnam. The identities used were a combination of real and fabricated personas. 
\r\nIT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and\r\nFreelancer. Payment for their services was facilitated through cryptocurrency, the TransferWise service, and\r\nPayoneer, highlighting the use of methods that obfuscate the origin and destination of funds.\r\nFacilitators Support European Operations \r\nThe facilitators used by IT workers to help them get jobs, defeat identity verification, and receive funds\r\nfraudulently have also been found in Europe. One incident involved a DPRK IT worker using facilitators located\r\nin both the United States and the United Kingdom. Notably, a corporate laptop, ostensibly intended for use in New\r\nYork, was found to be operational in London, indicating a complex logistical chain. \r\nAn investigation into infrastructure used by a suspected facilitator also highlighted heightened interest in Europe.\r\nResources discovered contained fabricated personas, including resumes listing degrees from Belgrade University\r\nin Serbia and residences in Slovakia, as well as instructions for navigating European job sites. Additionally,\r\ncontact information for a broker specializing in false passports was discovered, indicating a coordinated effort to\r\nacquire fraudulent identification documents. One document provided specific guidance on seeking employment in\r\nSerbia, including the use of a Serbian time zone during communications. \r\nExtortion Heating Up\r\nAlongside global expansion, DPRK IT workers are also evolving their tactics. Based on data from multiple\r\nsources, GTIG assesses that since late October 2024, IT workers have increased the volume of extortion attempts\r\nand gone after larger organizations. \r\nIn these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to\r\nprovide it to a competitor. 
This included proprietary data and source code for internal projects. \r\nThe increase in extortion campaigns coincided with heightened United States law enforcement actions against\r\nDPRK IT workers, including disruptions and indictments. This suggests a potential link, where pressure on these\r\nworkers may be driving them to adopt more aggressive measures to maintain their revenue stream. \r\nPreviously, workers terminated from their places of employment might attempt to provide references for their\r\nother personas so that they could be rehired by the company. It is possible that the workers suspected they were\r\nterminated due to discovery of their true identities, which would preclude attempts to be rehired.\r\nThe Virtual Workspace: BYOD Brings IT Worker Risks \r\nTo avoid distributing corporate laptops, some companies operate a bring your own device (BYOD) policy,\r\nallowing employees to access company systems through virtual machines. Unlike corporate laptops that can be\r\nmonitored, personal devices operating under a BYOD policy may lack traditional security and logging tools,\r\nmaking it difficult to track activities and identify potential threats. This absence of conventional security measures\r\nmeans that typical evidence trails linked to IT workers, such as those derived from corporate laptop shipping\r\naddresses and endpoint software inventories, are unavailable. All of this increases the risk of undetected malicious\r\nactivity.\r\nGTIG believes that IT workers have identified BYOD environments as potentially ripe for their schemes, and as of\r\nJanuary 2025, IT workers are conducting operations against their employers in these scenarios. \r\nConclusion \r\nGlobal expansion, extortion tactics, and the use of virtualized infrastructure all highlight the adaptable strategies\r\nemployed by DPRK IT workers. 
In response to heightened awareness of the threat within the United States,\r\nthey've established a global ecosystem of fraudulent personas to enhance operational agility. Coupled with the\r\ndiscovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network\r\nthat empowers their continued operations.\r\nFor detailed mitigation and detection strategies, please read our previous report on DPRK IT workers. For even\r\nmore details, read our IT worker Transform post.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale"
	],
	"report_names": [
		"dprk-it-workers-expanding-scope-scale"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434694,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec7a242e5c0e96342dcb89c6b9ede1ebec5df0ff.pdf",
		"text": "https://archive.orkl.eu/ec7a242e5c0e96342dcb89c6b9ede1ebec5df0ff.txt",
		"img": "https://archive.orkl.eu/ec7a242e5c0e96342dcb89c6b9ede1ebec5df0ff.jpg"
	}
}