North Korea tech workers found among staff at UK blockchain projects
Fraudulent tech workers with ties to North Korea are expanding their infiltration operations to blockchain firms outside the US after increased scrutiny from authorities, with some having worked their way into UK crypto...
Archive context
Older archive item. Useful for background and entity history, but not a fresh market-moving signal.
Fraudulent tech workers with ties to North Korea are expanding their infiltration operations to blockchain firms outside the US after increased scrutiny from authorities, with some having worked their way into UK crypto projects, Google says.
Google Threat Intelligence Group (GTIG) adviser Jamie Collier said in an April 2 report that while the US is still a key target, increased awareness and right-to-work verification challenges have forced North Korean IT workers to find roles at non-US companies.
“In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” Collier said.
“Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations,” he added.
Google's Threat Intelligence Group says North Korea's tech workers expanded their reach amid a US crackdown. Source: Google
The North Korea-linked workers are infiltrating projects spanning traditional web development and advanced blockchain applications, such as projects involving Solana and Anchor smart contract development, according to Collier.
Another project building a blockchain job marketplace and an artificial intelligence web application leveraging blockchain technologies was also found to have North Korean workers.
“These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime,” Collier said.
“This places organizations that hire DPRK [Democratic People's Republic of Korea] IT workers at risk of espionage, data theft, and disruption.”North Korea looking to Europe for tech jobsAlong with the UK, Collier says the GTIG identified a notable focus on Europe, with one worker using at least 12 personas across Europe and others using resumes listing degrees from Belgrade University in Serbia and residences in Slovakia.
Separate GTIG investigations found personas seeking employment in Germany and Portugal, login credentials for user accounts of European job websites, instructions for navigating European job sites, and a broker specializing in false passports.
At the same time, since late October, the North Korean workers have increased the volume of extortion attempts and gone after larger organizations, which the GTIG speculates is the workers feeling pressure to maintain revenue streams amid a crackdown in the US.
“In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects,” Collier said.
Related: North Korean crypto attacks rising in sophistication, actors — Paradigm
In January, the US Justice Department indicted two North Korean nationals for their involvement in a fraudulent IT work scheme involving at least 64 US companies from April 2018 to August 2024.
The US Treasury Department’s Office of Foreign Assets Control also sanctioned companies it accused of being fronts for North Korea that generated revenue via remote IT work schemes.
Crypto founders have also been reporting an increase in activity from North Korean hackers, with at least three founders reporting on March 13 that they foiled attempts to steal sensitive data through fake Zoom calls.
Having audio issues on your Zoom call? That's not a VC, it's North Korean hackers.
Fortunately, this founder realized what was going on.
The call starts with a few "VCs" on the call. They send messages in the chat saying they can't hear your audio, or suggesting there's an… pic.twitter.com/ZnW8Mtof4F
In August, blockchain investigator ZachXBT claimed to have uncovered a sophisticated network of North Korean developers earning $500,000 a month working for “established” crypto projects.
Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis
Why this matters
This blockchain story adds another data point to the current market tape and is useful when read alongside nearby source coverage.
Original source
Read on CointelegraphRelated market context
ConsenSys inadvertently hired North Korean operative who accessed MetaMask’s core code
ConsenSys inadvertently hired a North Korean operative as a developer consultant who accessed MetaMask's core code before being de...
South Korea’s stock market is officially more volatile than BTC
BTC is less volatile than South Korea’s stock market. Since the start of June, South Korea’s benchmark KOSPI has swung an average...
AI frenzy losing steam leaves bitcoin less volatile than South Korean stocks
Your day-ahead look for July 17, 2026
Bitcoin Falls Below $63,000 As Tech-Led Risk-Off Mood Hits Crypto
Bitcoin slipped below $63,000 as the wider risk trade came under pressure, with weakness in technology stocks spilling into crypto...
Bitcoin Price Falls Under $63,000 on U.S.-Iran Strikes and Trump’s China Charge, but Onchain Data Points to Buyers
Bitcoin Magazine Bitcoin Price Falls Under $63,000 on U.S.-Iran Strikes and Trump’s China Charge, but Onchain Data Points to Buyer...
Solana Foundation and Google Cloud co-host AI hackathon in Korea to build autonomous payment agents
Solana Foundation and Google Cloud co-host a Korean hackathon for AI agents making autonomous stablecoin payments, building on the...