North Korean IT workers are now infiltrating blockchain and crypto companies in the UK and Europe, posing a growing global threat, according to a new report from Google’s Threat Intelligence Group (GTIG). These operatives are using fake identities to secure remote tech roles, funneling earnings to the North Korean regime, and placing host companies at risk of espionage, data theft, and cyber disruption.

GTIG adviser Jamie Collier revealed that, under increased pressure in the United States, North Korea’s cyber operatives have shifted their focus to Europe and other regions. They’re building a network of fraudulent personas, applying to roles in web development and blockchain projects—including those using Solana and Anchor smart contracts. One North Korean tech worker reportedly used 12 different personas in Europe, with some resumes falsely listing academic credentials from Belgrade University and residences in Slovakia.

A number of compromised projects were identified, including one developing a blockchain job marketplace and another integrating AI and blockchain technologies. These individuals secure jobs using fake passports, forged resumes, and fabricated online profiles. GTIG investigations even found brokers selling fake documents and guides for navigating European job platforms.

Collier also warned that these North Korean agents have escalated tactics by extorting former employers. In some cases, recently fired workers threatened to leak proprietary data, including source code, unless compensated.

In January, the U.S. indicted two North Korean nationals tied to fraudulent schemes across 64 U.S. firms. Meanwhile, crypto founders have reported a surge in suspicious activity, including fake Zoom interviews intended to extract sensitive data.

The global blockchain sector is now facing an urgent cybersecurity wake-up call as these tactics grow more aggressive and far-reaching.