Google: North Korean counterfeit engineer infiltration case expands to the UK, raising alarm bells for corporate cybersecurity risks.

Google Threat Intelligence Group (GTIG) revealed that North Korea’s fake IT engineer operations continue to expand, with infiltration extending from the United States to the United Kingdom and several European countries. The workers pose as legitimate remote engineers, infiltrate corporate systems, participate in high-tech projects, and steal data, posing a significant threat to global information security and corporate secrets.

From the United States to Europe: Blockchain and AI projects become North Korea’s primary targets

Since the second half of 2024, GTIG has observed a significant acceleration of North Korean IT personnel penetrating the European market, particularly focusing on the UK, Germany, Portugal, and Central and Eastern Europe. They are applying for corporate positions by forging nationalities, educational backgrounds, and residency statuses, with one individual reportedly using 12 fake identities to infiltrate the defense industry and government projects.

North Korean IT workers expand into non-U.S. regions

It is reported that common items in resumes include a degree from a Serbian university, an address in Slovakia, and guidance documents for operating European job search websites.

Exposing the Global Counterfeit Identity Network Behind Fake Developers

GTIG is concerned that these North Korean engineers are not acting alone, and there may be a transnational support system behind them assisting in identity forgery, passing reviews, and transferring funds.

The report reveals that a corporate laptop, originally intended for use in New York, was discovered to be activated in London, indicating that the disguise operation spans across Europe and America. The investigation also found that the laptop was used to provide fake passports, guide job application strategies, and even list the time zones that should be used in different countries to enhance identity disguise.

Recently, on-chain cybersecurity experts have discovered a new type of fraud scheme in which North Korean hackers impersonate venture capital (VC) experts. They exploit common audio issues during Zoom meetings to trick victims into downloading audio repair files that contain malicious software, which could lead to the theft of personal funds or sensitive information.

The frequency of ransomware is increasing, and threats of data leaks are emerging one after another.

In the face of lawsuits and sanctions pressure from the United States, the frequency of ransomware attacks by North Korean IT personnel has continued to increase since October of last year. They are pressuring large companies, threatening to leak confidential data or sell it to competitors.

In the past, IT personnel have attempted to re-enter the workforce under different identities after being dismissed. Now, they directly use internal confidential documents and project data as leverage to maintain the country’s revenue sources.

GTIG has discovered that they have participated in multiple projects to date, including on-chain applications developed based on Solana and Rust, AI websites or apps based on Electron or Next.js, and even automated robots and content management systems.

Some projects involve sensitive technologies, and the payment of salaries is often in cryptocurrencies, making it more difficult to trace the sources and flows of funds.

Does convenience mean carelessness? BYOD work environments become a new vulnerability.

GTIG also noted that some companies have adopted a “Bring Your Own Device (BYOD)” policy, which allows employees to access company systems remotely through personal devices, and that this can cause traditional cybersecurity monitoring and device identification to fail.

North Korean technologists have identified the BYOD environment as an ideal target and began operating in such businesses in early 2025. The lack of complete monitoring, device tracking, and logging makes it easier for them to lurk and perform data theft and other malicious actions.

Global companies are sounding the alarm, calling for enhanced verification and cybersecurity monitoring.

The attack methods of North Korean hackers continue to evolve. A few months ago, the FBI and on-chain detective ZachXBT revealed that the hackers were conducting carefully designed and hard-to-detect social engineering attacks against crypto projects and related companies, attempting to spread malware and steal the companies’ cryptocurrency assets.

In the face of such infiltration actions, companies must enhance their vigilance, strengthen background checks for applicants, verification processes, and cybersecurity protections, especially regarding remote personnel and outsourcing platforms.

North Korea has established a complete network for fake identity operations and a transnational support system, the flexibility and infiltration range of which have made it a significant security threat to the global technology industry.

This article, “Google: North Korean counterfeit engineer infiltration case expands to the UK, raising alarm for corporate cybersecurity risks,” first appeared in Chain News ABMedia.
