Serbian citizens have emerged among the primary victims of a sophisticated North Korean cyber operation that used stolen identities to infiltrate Western companies, secure high-paying technology jobs, and generate millions of dollars for the regime in Pyongyang, according to an international sanctions monitoring report.
The findings, published by the Multilateral Sanctions Monitoring Team (MSMT), reveal that North Korean operatives spent years creating fraudulent online identities using personal information belonging to Serbian citizens. These fake profiles were then used to obtain remote employment and freelance contracts with companies across Europe and North America.
Investigators say the operation was part of a broader effort by North Korea to circumvent international sanctions by secretly placing IT workers inside foreign companies and directing their earnings back to the country.
Serbian Identities Used to Build Credibility
According to the report, Serbian identities were particularly valuable because Serbia has built a strong reputation in the global technology industry over the past decade. Serbian software engineers and IT professionals are highly sought after by international employers, making Serbian passports, names, and online profiles ideal tools for cyber operatives seeking to avoid suspicion.
Experts believe North Korean agents deliberately targeted Serbian citizens because their identities provided immediate credibility when applying for remote jobs in software development, programming, cybersecurity, and other technology-related fields.
One documented case involved Serbian citizen Marko Zrinjanin, whose identity was allegedly stolen and used without his knowledge. Investigators found that a fake profile created in his name secured contracts with several companies and generated more than $43,000 in income over a number of years.
The real individual reportedly had no knowledge that his personal information was being used in an international cyber scheme linked to North Korea.
A Global Network of Deception
The report states that North Korean operatives created dozens of fake professional profiles on international freelancing and employment platforms. Using stolen identities, they advertised advanced technical skills, claimed years of professional experience, and presented themselves as qualified software developers available for hire.
In many cases, employers believed they were hiring legitimate professionals from Serbia and other European countries. Instead, investigators say, the work was being carried out by North Korean nationals operating from abroad.
The operation allegedly relied on sophisticated methods to conceal the true identities of the workers, including the use of virtual private networks (VPNs), forged documents, shell companies, cryptocurrency transactions, and international payment services.
Links to North Korea’s Sanctioned Technology Sector
Investigators linked the operation to North Korean nationals associated with the Korea Mangyongdae Computer Technology Corporation (KMCTC), a company that has been sanctioned for its role in supporting North Korea’s strategic programs.
The organization is believed to operate through networks based in China and other countries, allowing North Korean IT workers to access foreign markets while hiding their connections to the regime.
According to international authorities, these operations have become one of North Korea’s most important sources of foreign currency as international sanctions continue to limit traditional trade and financial activity.
Hundreds of Millions of Dollars Generated
The MSMT estimates that North Korea’s overseas IT operations generated between $350 million and $800 million during 2024 alone.
Investigators say the money was moved through a complex network of bank accounts, cryptocurrency wallets, shell companies, and international payment platforms designed to obscure the origin of the funds.
The revenue is believed to have contributed to North Korea’s efforts to bypass international sanctions and support various state programs.
Growing Concerns Over Cybersecurity
Cybersecurity experts warn that the case highlights how vulnerable personal information has become in the digital age. Ordinary citizens can have their identities stolen and used in international criminal operations without their knowledge.
The revelations have also raised concerns about the security procedures used by international companies when hiring remote workers. Analysts say many firms remain vulnerable to sophisticated identity fraud schemes, particularly in the rapidly expanding remote-work sector.
For Serbia, the case has drawn attention to the unintended risks associated with the country’s growing reputation as a technology hub. While Serbian IT professionals are respected worldwide, that credibility has also made Serbian identities attractive targets for cybercriminals and foreign intelligence-linked operations.
As investigations continue, authorities are attempting to determine how many Serbian citizens may have been affected and whether additional stolen identities remain active on employment platforms around the world.
The case serves as a stark reminder that cybercrime increasingly extends beyond financial theft, turning ordinary people’s identities into tools for international sanctions evasion, espionage, and covert state-sponsored operations.
