A recent investigation revealed that over a dozen crypto firms inadvertently hired undercover IT workers from North Korea, resulting in significant cybersecurity and legal risks.
As outlined in the comprehensive report by CoinDesk’s deputy managing editor, more than 12 blockchain companies, including notable names like Iqlusion, Fantom, and Injective, unwittingly hired North Korean operatives who used fraudulent identities to pass their background checks and obtain positions.
According to a 2024 report from the United Nations, these IT employees contribute approximately $600 million annually to Kim Jong Un’s regime.
The ability of numerous workers to demonstrate authentic work experience creates challenges for hiring companies in detecting their true backgrounds.
Hiring and paying these workers—whether knowingly or not—violates U.N. sanctions and is illegal in the U.S. as well as many other countries.
This also poses a serious security threat, as North Korean hackers infiltrate companies via undercover employees.
“Everyone is struggling to filter out these people,” said Zaki Manian, a prominent blockchain developer who says he inadvertently hired two DPRK IT workers to help develop the Cosmos Hub blockchain in 2021.
In 2023, the crypto company Truflation was just beginning when its founder, Stefan Rust, unknowingly employed his first North Korean worker, Ryuhei.
“We were always looking for good developers,” Rust said from his home in Switzerland. Out of the blue, “this one developer came across the line.”
Rust unwittingly became a target of a coordinated effort by North Korea to gain remote work opportunities for its people and transfer the earnings back to Pyongyang.
U.S. authorities have recently heightened their warnings regarding North Korean IT workers infiltrating tech companies, including cryptocurrency firms, who use the earnings to finance the pariah state’s nuclear weapons program.
A CoinDesk investigation now uncovers how North Korean applicants systematically targeted crypto companies, succeeded in interviews, passed reference checks, and presented strong records of code contributions on GitHub, the open-source repository.
More than a dozen cryptocurrency companies revealed that they inadvertently recruited IT workers from the Democratic People’s Republic of Korea (DPRK), the nation’s official title.
“The percentage of your incoming resumes, or people asking for jobs, or wanting to contribute – any of that stuff – that are probably from North Korea is greater than 50% across the entire crypto industry,” said Zaki Manian.
This investigation is significant as it marks the first public acknowledgment by these companies of their unintentional hiring of IT workers from the Democratic People’s Republic of Korea.
Additionally, the CoinDesk investigation highlighted several cases in which crypto projects engaged DPRK IT workers who later became victims of hacks.
The Department of Justice and the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) began to publicize North Korean efforts to infiltrate the U.S. crypto industry in 2022.
CoinDesk’s findings reveal that DPRK IT professionals have operated in crypto companies under fake identities since at least 2018.
In early May, cybersecurity company Kaspersky published a report revealing that hackers from North Korea initiated a cyberattack campaign against cryptocurrency firms using a novel malware variant named “Durian,” specifically targeting South Korean cryptocurrency companies.
The report outlined the actions of the North Korean hacking group Kimsuky revealing that the group employed this new malware variant in a series of targeted attacks on at least two crypto firms.
The attackers took advantage of weaknesses in legitimate security software unique to these firms, gaining access to their systems and potentially stealing sensitive financial information.
The Durian malware acts as an installer, deploying a continuous stream of malware components, including a backdoor called “Appleseed,” a custom proxy tool called “LazyLoad,” and other legitimate tools such as Chrome Remote Desktop.
“Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files,” wrote Kaspersky.
The report also indicated a possible link between Kimsuky and the infamous Lazarus Group, another North Korean hacking collective. Kaspersky observed that LazyLoad, the custom proxy tool used by Kimsuky, was also utilized by Andariel, a subgroup within the Lazarus Group.
The Lazarus Group, initially appearing in 2009, has become infamous as one of the leading cryptocurrency hacking organizations globally.
