A growing number of North Korean IT workers are posing as remote freelancers from other countries in an effort to gain access to companies in Europe, raising concerns about potential espionage, data theft, and operational disruption.

According to Google’s Threat Intelligence Group (GTIG), these workers—who refer to themselves as “warriors”—are securing remote roles with foreign organisations to generate revenue for the Democratic People’s Republic of Korea (DPRK). The activity, previously concentrated in the United States, is now increasingly being observed in European countries such as Germany, the United Kingdom, and Portugal.

Since GTIG’s last report on DPRK IT worker activity, recent crackdowns in the US have made it more difficult for these individuals to secure and maintain employment there. According to a blog post by Jamie Collier, lead adviser for Europe at Google’s Threat Intelligence Group, GTIG has observed a rise in operations globally, with particular growth in Europe over the past few months. Countries targeted include Germany, the UK, and Portugal.

The workers often misrepresent their nationalities, claiming to be from countries such as Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. They find jobs through freelance platforms like Upwork and Freelancer, as well as communication channels such as Telegram. Payments are typically made in cryptocurrency or through digital payment platforms including Wise and Payoneer.

Upwork provided a statement following publication, clarifying it did not receive the initial request for comment. The company said:

“Fraud prevention and compliance with US and international sanctions are critical priorities for Upwork. The tactics outlined in this report represent a challenge that affects the entire online work industry, and Upwork is at the forefront of combating these threats. Any attempt to use a false identity, misrepresent location, or take advantage of Upwork customers is a strict violation of our terms of use, and we take aggressive action to detect, block, and remove bad actors from our platform.

Upwork has long invested in industry-leading security and identity verification measures, deploying advanced technology alongside a dedicated team of global professionals across legal, investigations, intelligence, identity risk management, compliance, anti-money laundering, and machine learning detection. These experts work relentlessly to prevent fraudulent activity before it reaches our customers, and quickly respond to new methodologies and trends.

As fraud tactics evolve, Upwork continuously enhances its proactive screening for attempts to bypass geographic restrictions, monitoring for signs of misrepresentation both before and after contracts begin. Our sophisticated detection tools, paired with strong partnerships with law enforcement and regulatory bodies, enable us to take swift and decisive action when fraudulent behaviour is identified.

While no online platform is immune to fraud, Upwork is setting the standard for trust and safety in the industry. We will continue to invest in cutting-edge fraud prevention measures and vendor solutions, collaborate with industry stakeholders, and innovate to protect our customers and uphold the integrity of our marketplace.”

Freelancer, Telegram, Wise, and Payoneer did not respond to requests for comment.

GTIG reports that since October, there has been an uptick in cases where previously terminated workers attempt to extort their former employers by threatening to leak sensitive company information to competitors. Collier suggested that mounting pressure on these workers may be pushing them toward more aggressive tactics to maintain income.

One case in late 2024 involved a North Korean individual operating under at least 12 separate identities while applying to organisations in the defence and public sectors, reportedly using false references. In the UK, North Korean IT workers have been linked to work ranging from standard web development to more advanced projects in blockchain and artificial intelligence.

Google’s research points to risks associated with bring-your-own-device (BYOD) policies, where employees use personal devices to access internal systems. These setups often lack proper security oversight, making it more difficult to detect unauthorised access.

Authorities in the US and UK have issued multiple warnings about these activities. The FBI has advised firms to improve identity verification practices, while the US Treasury in January sanctioned two individuals and four entities accused of generating revenue for the North Korean government. Officials allege the regime withholds up to 90% of wages earned by these workers.

In a separate legal action, a US federal court in Missouri indicted 14 North Korean nationals in December for allegedly participating in an employment scheme that generated US$88 million over six years. Some of these individuals were reportedly employed by US firms for extended periods, earning hundreds of thousands of dollars without detection.

The UK’s Office of Financial Sanctions Implementation has also responded. In September, it recommended employers implement stricter identity checks, including video interviews, and advised against using cryptocurrency for payments.

Collier noted that North Korea has a long history of engaging in cyber operations to fund its regime. “A decade of diverse cyberattacks (encompassing SWIFT targeting, ransomware, cryptocurrency theft, and supply chain compromise), precedes North Korea’s latest surge,” he wrote.

“This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations. Given DPRK IT workers’ operational success, North Korea will likely broaden its global reach. With APAC already impacted by these operations, this problem is set to escalate. These campaigns thrive on ignorance and will likely enjoy particular success in areas of APAC with less awareness of the threat.”

The post Google warns of North Korean freelancers targeting European firms appeared first on TechWire Asia.

• Strava closes the account of a runner who posted their activity in North Korea.
• Running in virtualised North Korea enough to earn enforced account closure.
• Strict T&Cs enforced beyond the letter of the law.

Users of the popular fitness-tracking app, Strava, need to be careful of where they exercise, and even where they pretend to exercise.

According to DC Rainmaker, a site that catalogues the owner’s runs, bike rides, and swims, one fitness fanatic has fallen foul of Strava’s Terms & Conditions. A keen ultra-marathon runner and YouTube channel owner had their Strava account locked by the company after posting details of a run she went on while visiting North Korea.

The individual affected lives outside North Korea, but is studying the country as part of her PhD thesis. During a recent visit to the country, she went for a run, and uploaded the activity once back in a country where there is access to the public internet, something that’s off-limits to the native North Korean populace.

After uploading the workout, she received a message from Strava stating her account had been terminated for violating the app’s T&Cs. According to a statement sent to DC Rainmaker from Strava, “In accordance with mandatory US sanctions and export controls, which prohibit the offering of online services to North Korea, Strava does not allow users to post activities occurring [in North Korea].”

In a later statement, the company added, “Strava’s controls are based on feedback from the US Department of the Treasury’s Office of Foreign Assets Control, and we take a broad, zero-tolerance approach.”

The steps taken by Strava are a stricter interpretation of the US Department of the Treasury’s rules than those of other technology companies: Google’s YouTube and various social media feeds show thousands of clips, images, and comments made in and concerned with North Korea.

The rigidity of Strava’s policies (and the automated nature of its algorithmic source-checking) is exemplified by another incident, in which a Strava user went running on a treadmill but merely used North Korea as a virtual environment. They too received a ban from the platform – one that was overturned quickly after the individual’s objection.

The code of conduct that users seem to be in violation of are the parts of US rules around the prevention of exports to North Korea. In the ultra-marathoner’s case, that’s a draconian interpretation of the use of a service not remotely associated with trade with the pariah state.

It’s worth noting that the run was recorded via a Garmin (not Strava) smartwatch. Although smartwatches are officially not allowed inside North Korea, the authorities there are known to turn a blind eye to their use – it is allegedly the presence of geo-location data gathering that is frowned on – and similarly-equipped smartphones are permitted in the country when in the possession of visitors.

Tourism in North Korea is strictly controlled and visitors are carefully shepherded during their state-sanctioned stays. Presumably, going out on a run while enjoying the local scenery is something that’s approved of by the country’s authorities, but termed unacceptable behaviour by the US-based Strava.

Strava has had its fair share of controversy in the past, having given away the location of secret US Army bases and let users see the routes taken by Israeli military personnel when out running. Its erring on the side of caution in the form of rigorous implementation of self-penned Terms & Conditions is, therefore, perhaps understandable, especially in the current political climate in the US, where big tech companies have been quick to side with the ruling executive‘s ideology.

(Image source: “running” by renoleon is licensed under CC BY-NC-ND 2.0.)

The post Strava bans accounts featuring North Korean exercise appeared first on TechWire Asia.