North Korean cyber operatives have begun targeting crypto startups in the EU and UK by posing as developers.
Identifying the Threat
According to a report by the Google Threat Intelligence Group (GTIG) released Tuesday, IT workers linked to North Korea’s regime have infiltrated crypto projects in the UK, Germany, Portugal, and Serbia. These operatives have worked on blockchain marketplaces, AI-powered web apps, and Solana and Anchor/Rust smart contract development. Compromised projects included a Nodexa token hosting platform built with Next.js and CosmosSDK and a blockchain job marketplace using the MERN stack and Solana. AI-driven blockchain tools were developed using Electron and Tailwind CSS.
Rising Extortion Threats
Since October 2024, GTIG has noted an increase in extortion threats from North Korean developers, who threaten to leak source code and proprietary data. This rise coincides with heightened US law enforcement actions against DPRK IT workers.
Consequences and Warnings
In December 2024, the US Treasury’s Office of Foreign Assets Control sanctioned two Chinese nationals for laundering digital assets to finance North Korea’s government. In January 2025, the Justice Department indicted two North Korean nationals for orchestrating a fraudulent IT work scheme. In February 2025, hackers linked to Lazarus stole $1.4 billion from crypto exchange Bybit. Jamie Collier warns that many startups lack proper monitoring tools to detect these threats.
The global infrastructure and support network allow North Korea to continue these cyber attacks, posing a significant threat to the crypto industry.