North Korea deploying fake IT workers and hackers to target UK firms, cryptocurrency, and defence data, spy chief warns

3 December 2024, 08:53

The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime".
The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime". Picture: Alamy
EJ Ward

By EJ Ward

The National Cyber Security Centre (NCSC) has issued a stark warning to UK businesses about the covert activities of North Korean workers posing as freelance IT professionals.

Listen to this article

Loading audio...

These operatives, disguised as contractors from third countries, are reportedly exploiting remote working opportunities to infiltrate companies, generate revenue for the North Korean regime, and, in some cases, compromise corporate security.

In his first major speech, Richard Horne, head of GCHQ's National Cyber Security Centre (NCSC), will say North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities.

The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime".

The NCSC’s alert highlights a sophisticated strategy by the Democratic People’s Republic of Korea (DPRK) to evade international sanctions. By embedding IT workers under false identities in Western firms, the regime not only garners much-needed funds but also gains potential access to sensitive data.

This development is an escalation in the tactics employed by North Korea to bolster its economy and support its controversial military programmes.

Read more:UK must confront Russia's 'aggression and recklessness' and China’s sophisticated cyber threats, warns GCHQ chief

Read more: North Korea deepens alliance with Russia, trading troop support for advanced weapons technology to fuel nuclear programme

Cyber researchers at Mandiant uncovered this fake IT worker profile
Cyber researchers at Mandiant uncovered this fake IT worker profile. Picture: Mandiant

In a briefing, HM Treasury’s Office of Financial Sanctions Implementation (OFSI) underscored the seriousness of the issue. It is "almost certain" that UK companies are being targeted by these operatives, who use online freelance platforms to secure roles.

Often working through witting or unwitting enablers, these individuals obscure their true origins with fake credentials, aliases, and proxies.

Funds earned from these contracts are funnelled through complex laundering networks, sometimes involving cryptocurrencies, to evade detection.

The Treasury’s warning also emphasised the legal risks for UK firms. Employing or paying DPRK-linked workers could inadvertently breach financial sanctions, exposing businesses to civil penalties or even criminal charges.

While the primary motive has been financial, recent cases indicate a troubling shift. North Korean operatives have begun leveraging their access to launch cyberattacks.

In one high-profile incident, a UK-based firm unknowingly hired a North Korean contractor who later exfiltrated sensitive company data and issued a six-figure ransom demand in cryptocurrency.

“This is a serious escalation,” said Rafe Pilling, Director of Threat Intelligence at Secureworks. "No longer are they just after a steady pay check, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences."

The arm of GCHQ warns North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities.
The arm of GCHQ warns North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities. Picture: Alamy

The activities of these IT workers are part of a broader strategy by North Korea to raise funds and enhance its cyber capabilities. The regime’s hacking groups, such as the notorious Lazarus Group, have already been implicated in high-profile cybercrimes, including cryptocurrency thefts and attempts to steal defence secrets.

The NCSC also flagged Iran’s developing cyber capabilities as a growing concern, though North Korea’s activities remain a primary focus due to their link to weapons proliferation and military advancements.

This issue is not isolated to the UK. Authorities in the US and South Korea have also reported similar infiltration attempts, with some Fortune 100 companies unwittingly hiring North Korean operatives.

More Latest News

See more More Latest News

Molly Russell took her own life in 2017.

Meta and Pinterest 'make secret donation to Molly Russell charity'

Elton John

Sir Elton John says he 'can't read, watch TV or see his boys play rugby' as he opens up about health battle

Exclusive
Corby steelworks pictured in 1981

Families in former industrial town call for probe into rare child cancer after botched clean-up of steelworks

The stabbing happened on Ramsden Street in Huddersfield.

Man, 20, charged with murder after 16-year-old boy stabbed to death in Huddersfield

Donald Trump's 10% tariff on UK products has officially come into force

Trump tariffs come into force as global stock markets plunge deeper into the red

File photo dated 19-05-2024 of Manchester City's Kevin De Bruyne lifting the Premier League trophy with team-mates.

Kevin De Bruyne to leave Manchester City, as Pep Guardiola calls him 'one of greatest midfielders to play in England'

Stock markets plummeted on Friday

Starmer 'pushing for Trump royal visit this year' as UK bids for US trade deal - after tariffs spark turmoil in markets

Tom Howard

British tourist killed after being struck by boulder on trek through Himalayas

In this photo provided by the Ukrainian Emergency Service, a car burns following a Russian missile attack that killed more than a dozen people, including children, in Kryvyi Rih, Ukraine, Friday, April 4, 2025. (Ukrainian Emergency Service via AP)

Russia kills 16 people including three children in missile strike on Zelenskyy's home town, with dozens wounded

Travel influencer Mykhailo Viktorovych Polyakov, 24, made an illegal visit to North Sentinel Island

Tourist who left Coke for world's most isolated tribe 'could have wiped them all out' - and police 'can't go collect can'

Club house covered in red paint as members of group Palestine action caused damage to the Trump owned site of Trump Turnberry Golf Club in Scotland.

Police arrest man, 33, and woman, 55, after Donald Trump's Scottish golf course vandalised with red paint

Man, 23, who gouged out pensioner's eyes before beating him to death with his own walking stick locked up indefinitely

Man, 23, who gouged pensioner's eyes out before beating him to death with his own walking stick locked up indefinitely

The FTSE 100 plummeted on Friday

UK stock market plunges amid Trump tariff chaos as FTSE 100 suffers worst trading losses in five years

The scene at Beckenham Place Park

London park evacuated as police search for teenage boy who went missing while swimming in lake

Tommy Robinson pictured last year

Tommy Robinson in bid for freedom with appeal against contempt of court jail sentence after libelling teen refugee

Layla Allen died at the scene

'Cherished beyond words': Family pay tribute to 'shining light' 13-year-old killed in Merseyside house fire