North Korean IT Operatives Targeting European Blockchain Projects, Google Cloud Warns
A new report from Google Cloud has revealed an alarming uptick in cyber activity by North Korean IT workers, with Europe now emerging as a prime target—particularly blockchain projects built on the Solana network.
According to the report released Wednesday, these operatives—linked to the Democratic People’s Republic of Korea (DPRK)—are posing as legitimate remote developers to infiltrate tech firms, seize control of critical infrastructure, and exfiltrate sensitive data. The stolen information is believed to be monetized to fund the North Korean regime.
While U.S.-based companies have long been the primary target, mounting legal pressure, including recent DOJ indictments and tighter employment vetting, has led DPRK-linked actors to shift their focus to Europe.
The report highlighted one particularly sophisticated case, where a single individual operated 12 fake identities across the U.S. and Europe. These personas were supported by fabricated references and coordinated social engineering campaigns, with fake colleagues used to validate their credibility to recruiters and hiring managers.
These workers aren’t lacking in technical skill either. Google Cloud found them contributing to a wide array of projects, including Solana-based job boards, token-hosting platforms built with Next.js, React, Golang, and CosmosSDK, and even smart contracts written in Anchor and Rust. One operative reportedly built an AI-enabled web app using Electron and integrated blockchain technology.
Companies that allow employees to use their own devices, a practice known as BYOD (bring your own device), appear to be especially vulnerable.
“DPRK IT workers have identified BYOD environments as high-opportunity targets,” Google Cloud stated, noting that since January 2025, there’s been a surge in internal operations exploiting such setups.
The report underscores how these actors are evolving, with broader geographic reach, advanced extortion tactics, and the use of virtual infrastructure to mask operations.
North Korean cybercrime remains one of the biggest threats to the crypto industry. In 2024 alone, DPRK-linked groups stole an estimated $1.3 billion, including a massive $1.5 billion breach of crypto exchange Bybit in February.