North Korea deploying fake IT workers and hackers to target UK firms, cryptocurrency, and defence data, spy chief warns

3 December 2024, 08:53

The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime". Picture: Alamy

By EJ Ward

The National Cyber Security Centre (NCSC) has issued a stark warning to UK businesses about the covert activities of North Korean workers posing as freelance IT professionals.

These operatives, disguised as contractors from third countries, are reportedly exploiting remote working opportunities to infiltrate companies, generate revenue for the North Korean regime, and, in some cases, compromise corporate security.

In his first major speech, Richard Horne, head of GCHQ's National Cyber Security Centre (NCSC), will say North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities.

The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime".

The NCSC’s alert highlights a sophisticated strategy by the Democratic People’s Republic of Korea (DPRK) to evade international sanctions. By embedding IT workers under false identities in Western firms, the regime not only garners much-needed funds but also gains potential access to sensitive data.

This development is an escalation in the tactics employed by North Korea to bolster its economy and support its controversial military programmes.

Cyber researchers at Mandiant uncovered this fake IT worker profile. Picture: Mandiant

In a briefing, HM Treasury’s Office of Financial Sanctions Implementation (OFSI) underscored the seriousness of the issue. It is "almost certain" that UK companies are being targeted by these operatives, who use online freelance platforms to secure roles.

Often working through witting or unwitting enablers, these individuals obscure their true origins with fake credentials, aliases, and proxies.

Funds earned from these contracts are funnelled through complex laundering networks, sometimes involving cryptocurrencies, to evade detection.

The Treasury’s warning also emphasised the legal risks for UK firms. Employing or paying DPRK-linked workers could inadvertently breach financial sanctions, exposing businesses to civil penalties or even criminal charges.

While the primary motive has been financial, recent cases indicate a troubling shift. North Korean operatives have begun leveraging their access to launch cyberattacks.

In one high-profile incident, a UK-based firm unknowingly hired a North Korean contractor who later exfiltrated sensitive company data and issued a six-figure ransom demand in cryptocurrency.

"This is a serious escalation," said Rafe Pilling, Director of Threat Intelligence at Secureworks. "No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences."

The arm of GCHQ warns North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities. Picture: Alamy

The activities of these IT workers are part of a broader strategy by North Korea to raise funds and enhance its cyber capabilities. The regime’s hacking groups, such as the notorious Lazarus Group, have already been implicated in high-profile cybercrimes, including cryptocurrency thefts and attempts to steal defence secrets.

The NCSC also flagged Iran’s developing cyber capabilities as a growing concern, though North Korea’s activities remain a primary focus due to their link to weapons proliferation and military advancements.

This issue is not isolated to the UK. Authorities in the US and South Korea have also reported similar infiltration attempts, with some Fortune 100 companies unwittingly hiring North Korean operatives.
