This article is more than three months old

North Korean hackers are infiltrating crypto job boards in a ‘quiet war’ that rakes in $600m

North Korean hackers are infiltrating crypto job boards in a ‘quiet war’ that rakes in $600m
DeFiPeople & culture
Fake job applicants are becoming a security problem for the crypto industry. Credit: Shutterstock / Shutterstock AI Generator
  • Bogus applicants are testing crypto's embrace of anonymity.
  • The UN says 4,000 North Koreans are trying to penetrate the tech industry by getting jobs.
  • 'There's this quiet war happening,' says one expert.

Hiring in the crypto industry has never been easy.

Finding skilled devs is tough, as is managing remote workers in multiple time zones.

Now, crypto staffing is about to get even harder.

A DL News investigation has found that fake applicants are flooding job boards with doctored CVs.

Moreover, mounting evidence suggests a number of these bogus applicants appear to be North Korean nationals who are trying to infiltrate crypto projects for nefarious purposes, including gathering sensitive data, hacking, and stealing assets.

“It’s an operational hazard for the industry,” Shaun Potts, founder of crypto-specific recruiting firm Plexus, told DL News. “It’s an ongoing thing, in the same way that hacking is a thing within tech. You can’t stop it, but you can minimise its risks.”

Concealing identities

More than 4,000 North Koreans have been directed to worm their way into jobs in the technology industry in the West by concealing their identities, according to the United Nations Security Council. That includes the crypto industry.

In 58 suspected cyberheists, North Korean hackers have stolen $3 billion worth of crypto assets in the last seven years, the council said in a recent 615-page report.

Join the community to get our latest stories and updates

While it’s unclear how many of those thefts were perpetrated with the help of fake employees, experts fear the trend is just beginning.

‘They illegally sell resources, IT work, hard labour, and hacking.’

—  Taylor Monahan, MetaMask

That’s because it’s big business. The fake hiring scheme alone earns North Korea up to $600 million annually, the UN said.

“They have very limited amounts of resources they can sell to China,” Taylor Monahan, lead security researcher at crypto wallet MetaMask, told DL News. “So they generate revenue by doing things like illegally selling resources, IT work, hard labour, and hacking.”

New challenge

This development is a fresh challenge for an industry that is going mainstream. With the rollout of Bitcoin ETFs, Wall Street has embraced crypto as an asset class. DeFi stalwarts such as Solana and Aave are recording rising revenues and expanding their businesses.

The last thing crypto needs is an army of bogus job applicants as the industry scales up and demand for new hires jumps.

Ten of the largest crypto exchanges, including Coinbase and Binance, posted more than 1,200 new openings in May. Layoffs are also slowing.

According to data from Layoffs.fyi, the number of jobless people in crypto fell dramatically in the first quarter compared with the same period last year.

‘They’ve just added a couple of new roles to make it appear differently on LinkedIn search.’

—  Karolis Kundrotas, Durlston Partners

“Everyone I know is either working on another project or unavailable,” Zak Cole, co-founder of crypto venture studio Number Group, told DL News. “How are we going to bring in new talent?”

The answer — cast a wider net.

AI search

Instead of turning to a formal recruiting agency, Cole and his co-founders used an artificial intelligence tool called Applicant AI to screen applicants. It uses AI to flag keywords in CVs that meet their criteria.

The results have been mixed. In a video interview with Number Group, one applicant who listed Dutch as their native tongue hung up when asked to speak in the language.

Another applicant’s GitHub profile — a LinkedIn for programmer types — was only created a month prior, even though they were applying for a senior-level developer role.

On another résumé, an applicant for a remote working position listed a state penitentiary in Texas as a home address.

When asked if they indeed lived in a prison, the applicant said, “Yes.”

Cole’s biggest concern was making sure applicants were who they said they were.

He said a pattern emerged as he sifted through them and set up interviews: Many refused to turn on their cameras.

Video calls

Often, what they said during interviews contradicted what was written on their CVs. In other words, they were lying.

“They all have the same kind of script,” said Cole. He said their backgrounds were also blurred if they appeared on camera and that they were calling from a room with other people in it.

Karolis Kundrotas, a crypto-industry consultant at the recruiting firm Durlston Partners, said many applicants are copying real LinkedIn profiles.

“It’s the exact same experiences, and it’s the exact same kind of education as a real person,” he said. “They’ve just added a couple of new roles to make it appear differently on LinkedIn search.”

Kundrotas said video calls are crucial, too, because you can see if the person is quickly reading additional information before answering.

An applicant did precisely this during one video call shared with DL News.

The applicant indicated a deep knowledge of non-fungible tokens and crypto games, but had never heard of “Axie Infinity,” one of the industry’s largest and most well-known games.

Naturally, this is a big red flag.

Shunning background checks

Besides being a massive waste of time, these fake applicants are also doing damage to a key pillar of crypto’s ethos.

Anonymity and pseudonymity are prized values in crypto. The tendency of project teams to shun background checks and work at breakneck startup speed makes them a prime target for illegitimate hiring schemes.

For this reason, Potts says that 95% of his clients have stopped hiring pseudonymous developers.

“People underestimate the low bar across a lot of crypto,” MetaMask’s Monahan said. “It’s actually not all that uncommon for a random project to hire someone to do some work and then level them up rapidly.”

That may be what North Korea’s sleeper applicants are counting on.

$60,000 monthly pay

Some undercover North Korean crypto employees earn as much as $60,000 monthly and hold multiple full-time and freelance jobs.

The higher earners get to keep 30% of their earnings and hand the rest to authorities in Pyongyang, according to the UN report.

Given reports of extreme poverty in North Korea, the sums are vast for individuals.

That’s why startups must remain diligent.

“They will continue to flood job posting forums, create résumés, and go after crypto companies and projects as long as it’s effective,” said Monahan.

There is a geopolitical angle to their work as well.

Erin Plante, vice-president of investigations at Chainalysis, said there is evidence North Korea is partly funding its nuclear weapons programme by hacking crypto sites. The Lazarus Group, a North Korean hacking operation, raided the Ronin bridge for $540 million in 2022, according to Elliptic, the blockchain analytics firm.

In 2019, the US Treasury Department’s Office of Foreign Assets Control sanctioned Lazarus.

If North Korea is using bogus applicants as part of this programme, that’s a major issue, said Adam Zarzinski, CEO of blockchain analytics firm Inca Digital.

“There’s this quiet war happening,” Zarzinski, a former US Air Force judge advocate, told DL News.

Liam Kelly is a DeFi correspondent at DL News. Reach out at liam@dlnews.com.

Related Topics