A growing number of North Korean IT workers are disguising themselves as remote tech professionals to gain employment with companies across Europe. By hiding their true identities and claiming to live in countries like China or Russia. They’ve managed to secure freelance roles with unsuspecting organizations. Their earnings, however, are not personal income. Much of the money is funneled back to the DPRK regime, supporting state-sponsored programs including nuclear weapons development.
New research from Google’s Threat Intelligence Group (GTIG) reveals that these operatives are targeting companies in Germany, Portugal, the UK, and other European nations. Often using elaborate schemes involving fake identities, fabricated job references, and multiple fake personas. They build credibility with recruiters and hiring managers to land roles in areas like web development, bot development, CMS platforms, and blockchain.
Although North Korean actors previously focused on the U.S., shifting dynamics are making that more difficult. Tighter employment verification processes, increased employer awareness, and other compliance requirements have made U.S.-based roles harder to access. As a result, these individuals are turning their attention to Europe. Where cybersecurity defenses and vetting practices may still be catching up.
In many cases, the roles these individuals are landing are not junior positions. With polished portfolios and falsified credentials, some have managed to secure six-figure salaries. Often enlisting help from foreign nationals to support their deception. Authorities recently charged several individuals — including two North Koreans, two Americans, and a Mexican national. In a scheme that saw DPRK nationals land jobs with over 60 U.S. companies under false pretenses. In another case, a Tennessee resident was indicted in 2024 for providing laptops and remote access tools to North Korean and Chinese nationals to help them connect to U.S. and UK corporate networks.
The methods continue to evolve. Investigators have uncovered DPRK operatives setting up GitHub developer accounts to appear as legitimate freelance contributors. These personas were used to apply for tech jobs abroad, with proceeds reportedly helping fund Pyongyang’s weapons programs. While earning foreign currency remains a major motive, cybersecurity experts warn that the risks extend far beyond financial fraud.
According to Casey Ellis, founder of Bugcrowd, this entire operation is as much about maintaining the regime’s survival as it is about cyber-espionage. As sanctions have cut off traditional income sources. North Korea has shifted to cyber-enabled revenue streams, deploying skilled workers into foreign organizations to extract funds and access. Ellis stresses that the danger isn’t limited to payroll fraud. These operatives could gain access to sensitive networks, steal intellectual property, plant backdoors, or quietly gather intelligence for future cyber operations.
Security researchers are now urging European organizations to take the threat seriously. The pivot away from the U.S. may suggest that American countermeasures are finally proving effective. But it also means European firms could be perceived as softer, more accessible targets. Jason Soroko, senior fellow at Sectigo, believes this shift reflects growing success in U.S. defenses. Still, he warns that Europe may lack similar levels of scrutiny and needs to act fast to close the gap.
Companies hiring remote tech workers are advised to tighten verification protocols. That includes cross-checking references and work history, conducting real technical interviews to validate skills, and watching for signs of identity manipulation, including voice and video deepfakes during virtual interviews. Organizations should also monitor login behaviors and device fingerprints to catch anomalies in location or access patterns.
If suspicions arise, experts stress the importance of reporting cases immediately to national cybersecurity agencies or law enforcement. Prevention remains the most effective line of defense, but swift detection and response are just as critical.
The threat from North Korean IT workers may appear subtle on the surface — after all, they’re applying for jobs and doing the work — but the consequences of their access can be devastating. Whether it’s financial support for weapons programs, unauthorized access to sensitive systems, or strategic cyber-espionage, the impact is real. As they shift their sights to European targets, businesses must not underestimate the sophistication of these efforts or the long-term risks they pose.
