Current Date: April 4, 2025

Google Warns Solana Projects That North Koreans Are Increasingly Targeting European Projects

North Korean Cyber Threats Targeting European Blockchain Projects

According to a recent report by Google Cloud, North Korean “IT workers” are ramping up their illicit cyber activities across Europe, particularly focusing on blockchain initiatives. The report highlights that various projects built on the popular Solana network, including applications and job boards, are increasingly becoming targets of these rising cyberattacks.

Operatives from the Democratic People’s Republic of Korea (DPRK) are employing sophisticated tactics to masquerade as legitimate remote workers. Their ultimate goal is to infiltrate companies, seize control of critical systems, and steal sensitive information, which is likely sold to generate revenue for the regime. This uptick in threats across Europe represents a strategic shift from their previous concentration on the United States, where DPRK-linked entities have been under significant scrutiny due to Department of Justice indictments and tightened hiring practices.

The report reveals an alarming case of one individual managing as many as 12 distinct fake identities across both the U.S. and European job markets. This worker skillfully sought employment by fabricating references, establishing rapport with recruiters, and utilizing additional controlled personas to bolster their credibility.

It’s crucial to note that these operatives are not lacking in technical expertise. They have been found engaging in various projects that include developing token hosting platforms utilizing Next.js, React, and CosmosSDK, as well as creating a comprehensive job marketplace based on Solana. Many of these blockchain-related endeavors involve the development of smart contracts using Anchor and Rust. Notably, one worker even ventured into artificial intelligence, crafting a web application that leveraged Electron, Next.js, and blockchain technologies.

One significant aspect contributing to this cyber threat is the prevalence of workplaces that allow employees to use their own devices. Google Cloud emphasized this concern, stating, “We believe that IT workers have identified BYOD (Bring Your Own Device) environments as potentially ripe for their schemes. As of January 2025, these workers are now conducting operations against their employers in these scenarios.”

The report underscores the global expansion and adaptability of DPRK entities, highlighting their extortion tactics and the use of virtualized infrastructure as key components of their operational strategies. DPRK-linked hacking groups are regarded as some of the most formidable threat actors within the cryptocurrency ecosystem, having stolen an estimated $1.3 billion from various projects in 2024 alone. They were also responsible for a staggering $1.5 billion hack on the crypto exchange Bybit in February.
