North Korean Hackers Expand Crypto Infiltration to UK & EU Startups

North Korean cyber operatives have broadened their attacks beyond U.S. firms, now infiltrating blockchain startups across the EU and UK by posing as remote developers—leaving behind compromised data and extortion attempts.

A Google Threat Intelligence Group (GTIG) report released Tuesday revealed that IT workers linked to North Korea's regime have embedded themselves in crypto projects across the UK, Germany, Portugal, and Serbia. These operatives have worked on blockchain marketplaces, AI-powered web apps, and Solana and Anchor/Rust smart contract development.

Among the compromised projects was a Nodexa token hosting platform built with Next.js and CosmosSDK, a blockchain job marketplace using MERN stack and Solana, and AI-driven blockchain tools developed with Electron and Tailwind CSS.

“In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” GTIG adviser Jamie Collier stated in the report.

Some individuals used 12 fake identities at once, presenting fraudulent degrees from Belgrade University, fake Slovakian residency documents, and receiving guidance on European job platforms. Facilitators in the UK and U.S. helped them bypass ID verification checks and receive payments via TransferWise, Payoneer, and crypto, allowing funds to flow back to North Korea.

GTIG confirmed that revenue from these IT operations is financing North Korea’s government, which U.S., Japanese, and South Korean envoys have previously accused of using overseas IT specialists—including those engaged in cyberattacks—to fund sanctioned weapons programs.

“This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption,” Collier warned.

Rising Extortion Threats

Since October 2024, GTIG has seen an increase in extortion threats, as laid-off North Korean developers have begun blackmailing former employers, threatening to leak source code and proprietary data.

This rise in cyber aggression coincides with “heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments,” the report noted.

In December 2024, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two Chinese nationals for laundering digital assets to finance North Korea’s government, using a UAE-based front company tied to Pyongyang.

In January 2025, the Justice Department indicted two North Korean nationals for orchestrating a fraudulent IT work scheme that infiltrated 64 U.S. companies between 2018 and 2024.

In March 2025, Paradigm security researcher Samczsun warned that North Korea’s cyber tactics extend well beyond the Lazarus Group, which has been linked to some of the largest crypto hacks in history.

“DPRK hackers are an ever-growing threat against our industry,” Samczsun wrote, highlighting subgroups such as TraderTraitor and AppleJeus, which specialize in social engineering, fake job offers, and supply chain attacks.

In February 2025, hackers linked to Lazarus stole $1.4 billion from crypto exchange Bybit, later laundering the funds through coin mixers and decentralized exchanges (DEXs).

As the crypto industry increasingly relies on remote talent and bring-your-own-device (BYOD) environments, GTIG warned that many startups lack proper monitoring tools to detect these threats.

And that, Collier stated, is “exactly the point—with North Korea exploiting the rapid formation of a global infrastructure and support network that empowers their continued operations.”