L Misthos and S Pettigrove

Bad hire: North Korean hackers target crypto jobs

Updated: Oct 9



A recent investigation by CoinDesk has uncovered that more than a dozen crypto companies, including well-established blockchain projects like Injective, Fantom, and Cosmos Hub, unknowingly hired IT workers from North Korea.


This covert operation, orchestrated by the Democratic People's Republic of Korea (DPRK), poses significant cybersecurity and legal risks to the companies involved, many of which have subsequently suffered from hacking incidents linked to these employees.


The workers from North Korea operated under false identities, using forged documents, fake IDs, and resumes that showcased impressive technical skills and GitHub histories. These individuals were hired remotely, often through informal channels such as Telegram and Discord, and were able to pass standard background checks due to the sophistication of their forged credentials.


According to CoinDesk’s report, several North Korean IT workers were able to secure employment at prominent blockchain firms like Sushi and Yearn Finance, with some even maintaining positions at multiple companies. One of the most significant vulnerabilities of the crypto industry is its reliance on global, remote workforces, which allowed DPRK workers to exploit the hiring processes, especially among smaller teams that lacked thorough vetting protocols.


Hiring DPRK workers comes with serious cybersecurity risks. CoinDesk identified multiple cases where companies that hired North Korean IT workers later became targets of cyberattacks. In one instance, the decentralised finance (DeFi) platform Sushi fell victim to a $3 million hacking incident in 2021, which was traced back to two North Korean developers. These workers had embedded malicious code into Sushi’s platform, allowing them to redirect funds to wallets controlled by North Korean agents.


In another case, the crypto company Truflation, founded by Stefan Rust, unknowingly employed five North Korean developers. This included one employee, "Ryuhei," who initially posed as a Japanese national but was later revealed to be part of a North Korean scheme to funnel earnings back to Pyongyang. Rust’s company later suffered a significant breach, with millions of dollars stolen from his personal and company wallets.


The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has been closely monitoring these activities, using the traceability of blockchain transactions to link payments made to North Korean developers with sanctioned entities. While no crypto companies have been prosecuted yet, the strict liability imposed by US sanctions means that businesses hiring DPRK workers, knowingly or not, could face legal repercussions.


CoinDesk’s investigation highlighted the sheer scale of North Korea’s infiltration into the crypto industry. Zaki Manian, a prominent blockchain developer, claimed that over 50% of the job applications in the crypto sector are suspected to come from North Korea. The challenge lies in identifying and filtering out these applicants, as they often possess legitimate technical skills and present convincing backgrounds.


Startups and smaller firms are particularly vulnerable, as they often lack the resources to conduct in-depth background checks. CoinDesk found that these companies are more likely to hire workers via informal channels, without verifying their true identities.


While North Korean IT workers may deliver satisfactory work, the legal and ethical implications are severe. Hiring DPRK workers violates international sanctions and contributes to the exploitation of these individuals, who are forced to send the majority of their earnings back to the North Korean regime. These wages, while high by North Korean standards, only enrich the oppressive government and its illicit and repressive activities.


As more stories come to light, developers must tighten their hiring processes and increase scrutiny of remote applicants, especially in a rapidly evolving industry that thrives on decentralised teams and remote workers. The risks extend well beyond one bad hire to violations of international sanctions, cyber breaches and the theft of digital assets.


By Steven Pettigrove and Luke Misthos
