The workers, who refer to themselves as “warriors”, secure roles at companies to generate revenue for the Democratic People’s Republic of Korea, according to research by Google Threat Intelligence Group.

Google researchers worked with partners to identify an increase in active operations outside of the US by these so-called IT warriors over the past six months. Countries targeted include Germany, the UK and Portugal, according to a blog post by Jamie Collier, lead adviser for Europe at the Google unit. 

North Korean IT workers have historically focused on infiltrating companies in the US. While American jobs remain a major target, an increased awareness of the threat, along with sanctions and indictments from the US Department of Justice, have pushed operations to other countries, particularly in Europe.

The workers falsely claim to be from countries including Italy, Japan, Malaysia, Singapore, Ukraine, the US, and Vietnam to secure jobs. They’re recruited through platforms including Upwork Inc, Freelancer and Telegram, and paid with cryptocurrency, or via digital payment platforms including Wise Plc and Payoneer Global Inc, according to the Google report. 

A spokesperson for Wise said the company carries out numerous verification checks on customers and monitors transactions for misuse of its services. When it identifies potential financial crime, it investigates and where necessary, deactivates accounts. 

Payoneer uses a range of checks to combat fraud and financial crime, and works closely with regulators and law enforcement, a spokesperson said. 

Upwork said it was an industrywide problem, and that the company takes “aggressive action to detect, block and remove bad actors.”

Freelancer and Telegram did not immediately respond to requests for comment.

Since late October, there has been a rise in recently fired North Korean workers seeking to extort companies, threatening to release sensitive data to a competitor. Collier wrote that the increased pressure from the US may be driving these IT workers to “adopt more aggressive measures to maintain their revenue stream”.

In late 2024, one such worker operating at least 12 personas sought employment with several organisations in the defence and government sectors, providing fake references. In the UK, North Korean IT workers have been involved in projects spanning traditional web development to advanced blockchain and artificial intelligence (AI) applications, according to the research.

Google said the trend highlights the risks of bring-your-own-device policies, where companies allow workers to use their own laptops to access internal systems. These devices often lack corporate monitoring and security tools, making it harder to identify possible threats.

The FBI has issued multiple warnings about North Korea’s IT workers defrauding US businesses, and urged companies to improve their identity verification processes. In January, the US Treasury sanctioned two individuals and four entities for “generating illicit revenue” for the North Korean government, which it said withholds as much as 90% of wages earned by these IT workers. 

In December, a federal court in Missouri indicted 14 North Korean nationals for their alleged involvement in an IT employment scheme that generated US$88 million (RM392.48 million) over six years. In some cases, US employers unwittingly employed North Korean IT workers for years, paying them hundreds of thousands of dollars. 

The UK has also issued warnings about North Korean IT workers. In September, the Office of Financial Sanctions Implementation advised companies to carry out more rigorous identity checks and video interviews, as well as to avoid payments in cryptocurrency. 

Uploaded by Liza Shireen Koshy