North Korean Hackers Infiltrate European Firms via Fake IT Worker Scheme

Cybersecurity experts are raising alarms as North Korean hackers, previously active in the United States, are now reportedly infiltrating companies across Europe by posing as remote IT workers. This sophisticated scheme, which involves identity theft and artificial intelligence tools, is designed to generate revenue for the Democratic People's Republic of Korea while compromising corporate security systems.

From US Incidents to European Expansion

The issue first gained significant attention in the United States following an incident at Amazon. The company's chief security officer, Stephen Schmidt, revealed that keystroke data analysis indicated a contractor hired as an IT worker was likely operating from overseas rather than within the US. The delay in command signals reaching Amazon's Seattle systems suggested the individual was "half a world away," highlighting concerns that such remote positions are being used to fund North Korean activities.

According to a Financial Times report, cybersecurity researchers have now identified signs of this practice spreading to Europe. Jamie Collier from the Google Threat Intelligence Group told the publication that investigators have detected evidence of the scheme emerging in the region, including the establishment of "laptop farms" in the United Kingdom to support these operations.

Scale and Financial Impact

Figures from the US Department of Justice illustrate the substantial scale of this infiltration campaign. Between 2020 and 2024, North Korean operatives successfully penetrated more than 300 US companies, generating at least $6.8 million in revenue for the regime. With the scheme now targeting European firms, cybersecurity experts warn that the financial and security implications could be equally significant across the Atlantic.

How the Scheme Operates

The fraudulent operation typically begins with identity theft. Hackers may take control of inactive LinkedIn accounts or pay existing account holders for access. They then create false CVs and fabricated identity documents while coordinating with other operatives to provide endorsements on professional platforms.

AI tools play a crucial role in enhancing the credibility of these fake applicants. According to Alex Laurie of Ping Identity, "By using large language models, operatives can generate culturally appropriate names and matching email address formats, ensuring that their communications do not trigger linguistic or cultural 'red flags' that previously spotted such scams."

During remote job interviews, these operatives utilize digital avatars, masks, and deepfake filters to appear legitimate. After companies strengthened their online recruitment checks, some North Korean groups began paying facilitators to attend interviews on their behalf.

Corporate Response and Detection Challenges

Jamie Collier highlighted the vulnerability in corporate systems, stating, "Recruitment has not naturally been seen as a security issue, so it's an area of weakness in companies' systems and these operatives are targeting that vulnerability." He recounted an instance where a client responded to news that one of their workers was actually a North Korean operative by asking, "Are you 100 percent sure, because he's one of our best employees?"

Once hired, the scheme often involves intercepting laptops sent by employers to new hires. Operatives then access these machines remotely and use large language models or chatbot tools to perform assigned tasks, sometimes while holding multiple jobs simultaneously.

Rafe Pilling from Sophos described the operation as state-backed activity, noting, "A mini army of North Koreans has been targeting high-salary, fully remote tech jobs. Framing themselves as talent with around seven to 10 years' experience, getting jobs, drawing a salary—rinse and repeat."

Industry-Wide Impact and Preventive Measures

Stephen Schmidt revealed in a January LinkedIn post that Amazon had prevented more than 1,800 suspected North Korean operatives from obtaining jobs since April 2024. He emphasized that these attempts were increasingly targeting AI and machine learning roles, adding, "This isn't Amazon-specific—this is likely happening at scale across the industry."

Cybersecurity company KnowBe4 has also experienced such an incident, where an individual posing as a worker gained access to the company's systems and attempted to install malware. Fortunately, the activity was detected before it could be completed.

Alex Laurie warned that "The future of UK national security will be determined by the ability of its corporate sector to authenticate its workforce in the face of persistent, AI-enhanced adversarial impact," highlighting the broader implications for national security beyond corporate concerns.