The Stewardship Report

The Stewardship Report

Connecting The World

    spot_imgspot_img

    Top 5 This Week

    spot_img

    Related Posts

    Danger Around Globe: North Korea’s IT Infiltration Threat Grows

    Science & TechnologyWORLDAsia - East
    Jim Luce
    Author: Jim Luce
    4 min.read
    List of countries impacted by North Korea (Democratic People's Republic of Korea) IT worker threat. Image credit: Google Threat Intelligence Group.

    Deceptive Coders Fund Regime’s Ambitions

    New York, N.Y. — The Democratic People’s Republic of Korea (DPRK) — North Korea — has intensified its covert operations, embedding IT workers under false identities in companies worldwide to funnel salaries to the regime and, increasingly, to extort employers.

    Initially concentrated in the United States, this scheme has expanded to Europe, targeting industries from cryptocurrency to defense. A recent report from Mandiant, published in April 2025, highlights the growing sophistication and global reach of these operations, posing significant risks of espionage, data theft, and financial disruption.

    A Case of Deception at Iqlusion

    In 2021, Iqlusion, a U.S.-based cryptocurrency startup, hired two remote developers, “Jun Kai” and “Sarawut Sanit,” believing they were based in Singapore. “I talked to them almost every day for a year. They did the work. And I was, frankly, pretty pleased,” said Zaki Manian, Iqlusion’s co-founder, in an interview with Coindesk.

    The developers performed competently, contributing to the company’s projects without raising suspicion. Months after their departure, the FBI contacted Manian, revealing that the cryptocurrency wallets used for their salary payments were linked to the North Korean regime. Iqlusion had unwittingly employed operatives who funneled their earnings to Pyongyang, a tactic used to bypass international sanctions.

    North Korean leader Kim Jong-un has a range of options in his toolkit for coercive diplomacy, beyond the nuclear and missile programs, to advance his objectives.

    This incident is not isolated. Since the United Nations Security Council first reported such activities in 2019, hundreds of companies, primarily in the U.S., have fallen victim to similar schemes.

    DPRK IT workers, often operating under the direction of the Reconnaissance General Bureau, use fabricated personas, claiming nationalities from countries like Italy, Japan, Malaysia, or Vietnam, to secure remote positions. Payments are typically routed through cryptocurrency platforms, TransferWise, or Payoneer, obscuring the funds’ ultimate destination.

    Europe’s Rising Vulnerability

    While the U.S. remains a primary target, DPRK IT workers have increasingly focused on Europe, driven by heightened scrutiny and stricter hiring regulations in the U.S.

    Google Threat Intelligence Group (GTIG), in an April 2025 report, noted a surge in operations across European nations, particularly targeting the defense and government sectors.

    Google Threat Intelligence Group logo.

    One DPRK operative was found managing 12 distinct personas, seeking employment in Germany, Portugal, and the United Kingdom. These workers leveraged platforms like Upwork, Telegram, and Freelancer to secure contracts, often providing fabricated references to build credibility.

    In the U.K., DPRK IT workers have engaged in diverse projects, from web development using Next.js and Tailwind CSS to advanced blockchain applications involving Solana and CosmosSDK.

    One notable project included an AI-driven web application combining Electron, Next.js, and blockchain technologies. These efforts demonstrate not only technical proficiency but also an ability to adapt to cutting-edge fields, making their infiltration harder to detect.

    Evolving Tactics: Extortion and Virtual Workspaces

    Beyond siphoning salaries, DPRK IT workers have escalated their tactics to include extortion.

    Since October 2024, GTIG has observed an increase in threats from terminated workers to leak sensitive data or sell proprietary code to competitors.

    This shift coincides with intensified U.S. law enforcement actions, including Department of Justice indictments, which may be pushing operatives to adopt more aggressive measures to maintain revenue streams.

    “The pressure from disruptions and indictments seems to be driving these actors to bolder tactics,” noted Jamie Collier, a GTIG analyst.

    The adoption of bring-your-own-device (BYOD) policies by some companies has further complicated detection.

    Unlike corporate-issued laptops, personal devices often lack robust security monitoring, enabling DPRK operatives to operate undetected within virtualized infrastructures.

    In January 2025, GTIG identified instances of DPRK workers exploiting BYOD environments to access sensitive systems, increasing the risk of data breaches and espionage.

    Facilitators and Global Networks

    The success of these operations relies on a network of facilitators who assist DPRK workers in evading identity verification and securing fraudulent payments.

    Investigations have uncovered facilitators in the U.S. and U.K., with one case involving a corporate laptop intended for New York being used in London.

    Other findings include fabricated resumes claiming degrees from Belgrade University in Serbia and instructions for navigating European job platforms.

    Brokers specializing in fake passports further enable these schemes, providing DPRK operatives with credible documentation to infiltrate companies.

    The U.N. 2019 report highlighted how DPRK financial institutions maintain over 30 overseas representatives to facilitate illicit transactions, including those tied to IT worker schemes.

    These networks, often linked to entities like the Korea Mining Development Trading Corporation, help Pyongyang bypass sanctions and fund its weapons of mass destruction programs, with cyber operations generating up to $2 billion to date.

    Mitigating the Threat

    Companies must adopt stringent vetting processes to counter this threat. Verifying identities through in-person interviews or trusted third-party services can reduce the risk of hiring fraudulent candidates. Additionally, organizations should enhance monitoring of remote workers, particularly those in BYOD environments, to detect suspicious activity.

    Mandiant and GTIG recommend regular audits of payment channels, especially cryptocurrency transactions, to identify links to sanctioned entities.

    As DPRK IT workers expand their operations, global cooperation is critical. Governments and private sectors must share intelligence to disrupt facilitator networks and strengthen sanctions enforcement.

    The U.N. report underscores the need for robust implementation of financial sanctions to limit Pyongyang’s access to global financial systems.

    Summary for audio recording

    North Korea’s IT infiltration scheme, funneling salaries to the regime through fake identities, has expanded from the U.S. to Europe. Operatives target industries like cryptocurrency and defense, using advanced tactics like extortion and exploiting virtual workspaces. Facilitators in multiple countries aid these efforts, evading sanctions and funding Pyongyang’s weapons programs. Companies must strengthen vetting and monitoring to counter this growing global threat.

    #NorthKorea #CyberThreat #ITInfiltration #GlobalSecurity

    Tags: North Korea, IT workers, cybercrime, sanctions evasion

    Previous article
    Stacey Abrams Strongly Condemns Trump’s Authoritarian Actions
    Jim Luce
    Jim Lucehttps://stewardshipreport.org/
    Raising, Supporting & Educating Young Global Leaders through Orphans International Worldwide (www.orphansinternational.org), the J. Luce Foundation (www.lucefoundation.org), and The Stewardship Report (www.stewardshipreport.org). Jim is also founder and president of the New York Global Leaders Lions Club.

    Popular Articles