North Korean Hackers Shifting Focus to Europe, Google Warns Solana-Based Projects

North Korean Hackers Shift Focus to Europe, Targeting Solana-Based Crypto Projects: Google

North Korea’s cyber operatives are stepping up their game—and changing their territory. According to a report released Wednesday by Google Cloud, state-backed hackers are increasingly focusing on European blockchain projects, especially those tied to the Solana network.

The report paints a detailed picture of the Democratic People’s Republic of Korea’s (DPRK) latest strategy: using fake online identities to infiltrate crypto companies under the guise of legitimate remote developers. One operative was discovered managing 12 separate personas across Europe and the U.S., complete with falsified references and a network of other fake profiles to vouch for their credibility.

These actors aren’t amateurs either. DPRK-linked developers were seen working on complex Web3 applications using Next.js, React, CosmosSDK, and Rust. In one case, a Solana-based job platform was fully built and deployed by one of these operatives. Another was found developing an AI-powered app using Electron with blockchain integrations.

The tactics signal a notable shift away from the U.S., where recent government crackdowns and DOJ indictments have made operations riskier. Europe, in comparison, presents a softer target—especially for companies that allow bring-your-own-device (BYOD) setups, which Google flagged as particularly vulnerable.

Google Cloud warns these attacks are more than just espionage. They’re financially motivated, feeding the DPRK regime’s coffers. In 2024 alone, North Korean-linked hackers looted approximately $1.3 billion in crypto. In February 2025, they were behind a massive $1.5 billion exploit of Bybit.

“These operations are sophisticated, scalable, and increasingly global,” the report concludes. “The crypto industry must remain vigilant.”

About The Author

ctleditor

See author's posts