DPRK IT Workers Expanding in Scope and Scale

2025-04-01 Google

https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale/

Google Threat Intelligence Group reports that DPRK IT-worker operations have expanded beyond the United States into Europe while adopting more aggressive extortion and virtualized infrastructure tactics. One late-2024 worker operated at least 12 personas across Europe and the United States, sought jobs in defense and government-adjacent sectors, used fabricated references, and had controlled personas vouch for credibility. GTIG also found Germany and Portugal job-seeking activity, UK project work spanning web, blockchain, AI, and CMS development, and European facilitators helping with identity verification, job access, laptop logistics, and payments. Since late October 2024, terminated workers have increasingly threatened to leak source code or proprietary data, likely under pressure from law enforcement disruption.
