North Korea’s digital infiltration: Threat of fake job applications in crypto

Suspected North Korean operatives are allegedly using fake job applications to infiltrate web3 projects, siphoning off millions and raising security concerns.

In the last few years, blockchain and web3 have been at the forefront of technological innovation. However, to paraphrase a quote, with great innovation comes great risk.

Recent revelations have uncovered a sophisticated scheme by operatives suspected to be affiliated with the Democratic People’s Republic of Korea to infiltrate the sector through fake job applications, raising alarms about the security and integrity of the industry.

Economic motives and cyber strategies

North Korea’s economy has been severely crippled by international sanctions, limiting its access to crucial resources, restricting trade opportunities, and hindering its ability to engage in global financial transactions.

In response, the regime has employed various methods to circumvent these sanctions, including illicit shipping practices, smuggling, and tunneling, as well as using front companies and foreign banks to conduct transactions indirectly.

However, one of the DPRK’s most unconventional methods of raising revenue is its reported use of a sophisticated state-run cyber program that allegedly conducts attacks on financial institutions, crypto exchanges, and other targets.

The crypto industry has been one of the biggest victims of this rogue state’s alleged cyber operations, with a TRM Labs report from earlier in the year indicating that crypto lost at least $600 million to North Korea in 2023 alone.

In total, the report stated that North Korea was responsible for an eye-watering $3 billion worth of crypto stolen since 2017.

Chart: Amount of crypto reportedly stolen by North Korea-linked actors between 2017 and 2023 | Source: TRM Labs

With crypto seemingly a soft and lucrative target, reports have emerged of DPRK-linked actors tightening the screw by infiltrating the industry using fake job applications.

Once hired, these operatives are in a better position to steal and siphon off funds to support North Korea’s nuclear weapons program and circumvent the global financial restrictions imposed on it.

The modus operandi: fake job applications

Going by stories in the media and information from government agencies, it seems DPRK operatives have perfected the art of deception, crafting fake identities and resumes to secure remote jobs in crypto and blockchain companies worldwide.

An Axios story from May 2024 highlighted how North Korean IT specialists were gaming American hiring practices to infiltrate the country’s tech space.

Axios said the North Korean agents use forged documents and fake identities, often masking their true locations with VPNs. Additionally, the story claimed that these would-be bad actors primarily target sensitive roles in the blockchain sector, including developers, IT specialists, and security analysts.

300 companies affected by fake remote job application scam

The scale of this deception is vast, with the U.S. Justice Department recently revealing that more than 300 U.S. companies were duped into hiring North Koreans through a massive remote work scam.

These scammers not only filled positions in the blockchain and web3 space but also allegedly attempted to penetrate more secure and sensitive areas, including government agencies.

According to the Justice Department, the North Korean operatives used stolen American identities to pose as domestic technology professionals, with the infiltration generating millions of dollars in revenue for their beleaguered country.

Interestingly, one of the orchestrators of the scheme was an Arizona woman, Christina Marie Chapman, who allegedly facilitated the placement of these workers by creating a network of so-called “laptop farms” in the U.S.

These setups reportedly allowed the job scammers to appear as though they were working within the United States, thereby deceiving numerous businesses, including several Fortune 500 companies.

Notable incidents and investigations

Several high-profile cases have shown how these North Korea-linked agents infiltrated the crypto industry, exploited vulnerabilities, and engaged in fraudulent activities.

On-chain investigators such as ZachXBT have provided insights into these operations through detailed analyses on social media. Below, we look at a few of them.

Case 1: Light Fury’s $300K transfer

ZachXBT recently spotlighted an incident involving an alleged North Korean IT worker using the alias “Light Fury.” According to ZachXBT, Light Fury, operating under the fake name Gary Lee, transferred over $300,000 from his public Ethereum Name Service (ENS) name, lightfury.eth, to Kim Sang Man, a name on the Office of Foreign Assets Control (OFAC) sanctions list.

Light Fury’s digital footprint includes a GitHub account, which shows him as a senior smart contract engineer who has made more than 120 contributions to various projects in 2024 alone.

Case 2: the Munchables hack

The Munchables hack from March 2024 serves as another case study showing the importance of thorough vetting and background checks for key positions in crypto projects.

This incident involved the hiring of four developers, suspected to be the same person from North Korea, who were tasked with creating the project’s smart contracts.

The fake team was linked to the $62.5 million hack of the GameFi project hosted on the Blast layer-2 network.

The operatives, with GitHub usernames such as NelsonMurua913, Werewolves0493, BrightDragon0719, and Super1114, apparently displayed coordinated efforts by recommending each other for jobs, transferring payments to the same exchange deposit addresses, and funding each other’s wallets.

Additionally, ZachXBT said they frequently used similar payment addresses and exchange deposit addresses, which indicated a tightly-knit operation.

The theft was possible because Munchables initially deployed its contract behind an upgradeable proxy whose implementation was controlled by the suspected North Koreans who had inveigled themselves into the team, rather than by the Munchables team itself.

This setup gave the infiltrators significant control over the project’s smart contract. They exploited that control to manipulate the contract’s storage and assign themselves a balance of 1 million ETH.

Although the contract was later upgraded to a more secure version, the storage slots manipulated by the alleged North Korean operatives remained unchanged, because an upgrade replaces the implementation code but leaves the proxy’s storage intact.

They reportedly waited until enough ETH had been deposited in the contract to make their attack worthwhile. When the time was right, they transferred approximately $62.5 million worth of ETH into their wallets.
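The following is an added model, written for this page and not Munchables’ code or anything ZachXBT published, of the mechanism described above: in an upgradeable proxy the storage belongs to the proxy and every implementation version runs against the same slots, so a balance written by a backdoor in the first implementation survives an upgrade to a clean one. The contract and account names, the set_balance backdoor and the amounts are all constructed for illustration; audit_balances at the end is the check a reviewer can run, comparing the sum of recorded balances with the ETH actually deposited.

```python
from collections import defaultdict

WEI_PER_ETH = 10**18


class Proxy:
    """Minimal upgradeable proxy: it owns the storage and delegates all logic."""

    def __init__(self, admin, implementation):
        self.admin = admin
        self.implementation = implementation
        # Contract storage lives in the proxy. A (name, key) tuple stands in for
        # a storage slot; every implementation version reads and writes these.
        self.storage = defaultdict(int)

    def upgrade_to(self, caller, implementation):
        """Swap the code. Nothing here touches self.storage, just like an EVM upgrade."""
        if caller != self.admin:
            raise PermissionError("only the admin may upgrade")
        self.implementation = implementation

    def call(self, caller, fn, *args):
        """delegatecall: run the implementation's function against the proxy's storage."""
        return getattr(self.implementation, fn)(self.storage, caller, *args)


class LockerBase:
    """Deposit/withdraw logic shared by both versions (constructed, not Munchables' code)."""

    @staticmethod
    def deposit(storage, caller, amount):
        storage[("balance", caller)] += amount
        storage[("deposited",)] += amount  # ETH actually held by the contract

    @staticmethod
    def withdraw(storage, caller, amount):
        if storage[("balance", caller)] < amount:
            raise ValueError("insufficient balance")
        if storage[("deposited",)] < amount:
            raise ValueError("contract does not hold enough ETH to pay out")
        storage[("balance", caller)] -= amount
        storage[("deposited",)] -= amount
        return amount


class LockerV1(LockerBase):
    """Version shipped by the infiltrated dev team: adds an unguarded backdoor."""

    @staticmethod
    def set_balance(storage, caller, who, amount):
        # No access control: writes straight into the balance slot for `who`.
        storage[("balance", who)] = amount


class LockerV2(LockerBase):
    """Reviewed replacement: same storage layout, backdoor removed."""


def audit_balances(storage):
    """Invariant check: the sum of recorded balances must equal ETH deposited.
    Returns the excess in wei; anything above zero is unbacked balance."""
    claimed = sum(v for k, v in storage.items() if k[0] == "balance")
    return claimed - storage.get(("deposited",), 0)


def run_scenario():
    """Backdoor write, clean upgrade, victim deposits, then the drain."""
    proxy = Proxy(admin="dao_multisig", implementation=LockerV1())
    proxy.call("attacker", "set_balance", "attacker", 1_000_000 * WEI_PER_ETH)

    proxy.upgrade_to("dao_multisig", LockerV2())  # code replaced, slots untouched
    attacker_balance = proxy.storage[("balance", "attacker")]

    proxy.call("alice", "deposit", 20_000 * WEI_PER_ETH)
    proxy.call("bob", "deposit", 15_000 * WEI_PER_ETH)
    excess = audit_balances(proxy.storage)  # would flag the problem before the drain

    drained = proxy.call("attacker", "withdraw", 35_000 * WEI_PER_ETH)
    return {
        "backdoor_removed": not hasattr(proxy.implementation, "set_balance"),
        "attacker_balance_after_upgrade": attacker_balance,
        "excess_before_drain": excess,
        "drained_eth": drained // WEI_PER_ETH,
        "eth_left": proxy.storage[("deposited",)] // WEI_PER_ETH,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the attacker’s 1,000,000 ETH balance still present after the upgrade and an audit excess equal to that balance before any withdrawal, even though the backdoor function no longer exists. On a live chain the equivalent check reads the proxy’s storage (for example with eth_getStorageAt against the proxy address) rather than the implementation, and an upgrade that is meant to undo tampered state has to ship with a migration that explicitly rewrites or zeroes the affected slots.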

Fortunately, the story had a happy ending. After investigations revealed the former developers’ roles in the hack, the rest of the Munchables team engaged them in intense negotiations, following which the bad actors agreed to return the stolen funds.

Case 3: Holy Pengy’s hostile governance attacks

Governance attacks have also been a tactic employed by these fake job applicants. One such alleged perpetrator is Holy Pengy. ZachXBT claims that name is an alias for Alex Chon, an infiltrator linked to the DPRK.

When a community member alerted users about a governance attack on the Indexed Finance treasury, which held $36,000 in DAI and approximately $48,000 in NDX, ZachXBT linked the attack to Chon.

According to the on-chain investigator, Chon, whose GitHub profile features a Pudgy Penguins avatar, regularly changed his username and had reportedly been fired from at least two different positions for suspicious behavior.

In an earlier message to ZachXBT, Chon, under the Pengy alias, described himself as a senior full-stack engineer specializing in frontend and Solidity. He claimed he was interested in ZachXBT’s project and wanted to join his team.

An address linked to him was identified as being behind both the Indexed Finance governance attack and an earlier one against Relevant, a web3 news sharing and discussion platform.

Case 4: Suspicious activity in Starlay Finance

In February 2024, Starlay Finance faced a serious security breach impacting its liquidity pool on the Acala Network. This incident led to unauthorized withdrawals, sparking significant concern within the crypto community.

The lending platform attributed the breach to “abnormal behavior” in its liquidity index.

However, following the exploit, a crypto analyst using the X handle @McBiblets raised concerns regarding the Starlay Finance development team.

In the X thread, McBiblets was particularly concerned with two individuals, “David” and “Kevin.” The analyst uncovered unusual patterns in their activities and contributions to the project’s GitHub.

According to McBiblets, David, using the alias Wolfwarrier14, and Kevin, identified as devstar, appeared to share connections with other GitHub accounts such as silverstargh and TopDevBeast53.

As such, McBiblets concluded that those similarities, coupled with the Treasury Department’s warnings about DPRK-affiliated workers, suggested the Starlay Finance job may have been a coordinated effort by a small group of North Korea-linked infiltrators to exploit the crypto project.
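The following is an added example, written for this page rather than taken from ZachXBT’s, McBiblets’ or any project’s tooling, of the two checks the Light Fury, Munchables and Starlay cases imply: linking supposedly separate contractors through shared exchange deposit addresses and wallet-to-wallet funding, and then testing each resulting cluster for payments that reach a sanctioned address within a few hops. The contractor handles, wallet addresses, deposit addresses, transfer amounts and the sanctioned address are all constructed placeholders, not data from the incidents or from the OFAC list. The same union-by-shared-attribute step applies to GitHub signals such as accounts that recommend or follow each other; payment data is used here because it is what a hiring team can export.

```python
from collections import defaultdict, deque

# Constructed payout records: (contractor handle, wallet they asked to be paid at).
PAYOUTS = [
    ("dev_a", "0xa1"),
    ("dev_b", "0xb2"),
    ("dev_c", "0xc3"),
    ("dev_d", "0xd4"),
    ("dev_e", "0xe5"),
]

# Constructed transfers: (from, to, amount in ETH). "0xdep*" stand for exchange
# deposit addresses; "0xsanc" is a placeholder for a sanctioned address, not a real one.
TRANSFERS = [
    ("0xa1", "0xdep1", 12.0),
    ("0xb2", "0xdep1", 9.5),    # dev_a and dev_b cash out to the same deposit address
    ("0xc3", "0xdep2", 7.0),
    ("0xd4", "0xdep2", 4.0),    # dev_c and dev_d share another one
    ("0xb2", "0xc3", 0.3),      # dev_b funds dev_c's wallet, linking the two pairs
    ("0xe5", "0xdep3", 5.0),    # unrelated contractor
    ("0xa1", "0xsanc", 1.0),    # direct transfer to the sanctioned placeholder
    ("0xc3", "0xf6", 3.0),
    ("0xf6", "0xsanc", 2.9),    # dev_c reaches it through an intermediary
]

SANCTIONED = {"0xsanc"}


class UnionFind:
    """Disjoint sets over contractor handles, with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_contractors(payouts, transfers):
    """Group contractors whose wallets pay into the same counterparty or fund each other."""
    owner = {addr: handle for handle, addr in payouts}
    uf = UnionFind()
    for handle, _ in payouts:
        uf.find(handle)
    senders_to = defaultdict(set)
    for src, dst, _ in transfers:
        if src in owner and dst in owner:
            uf.union(owner[src], owner[dst])  # one contractor wallet funding another
        if src in owner:
            senders_to[dst].add(owner[src])
    for handles in senders_to.values():
        first, *rest = sorted(handles)
        for other in rest:
            uf.union(first, other)  # shared counterparty, e.g. one exchange deposit address
    groups = defaultdict(set)
    for handle, _ in payouts:
        groups[uf.find(handle)].add(handle)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def sanctions_hops(transfers, start, sanctioned, max_hops=3):
    """Fewest outbound hops from `start` to a sanctioned address, or None within max_hops."""
    out = defaultdict(set)
    for src, dst, _ in transfers:
        out[src].add(dst)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        addr, depth = queue.popleft()
        if addr in sanctioned:
            return depth
        if depth == max_hops:
            continue
        for nxt in out[addr]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None


def exposure_report(payouts, transfers, sanctioned, max_hops=3):
    """Per cluster: its members and the closest sanctioned counterparty any member reaches."""
    wallet = dict(payouts)
    report = []
    for members in cluster_contractors(payouts, transfers):
        hops = [sanctions_hops(transfers, wallet[m], sanctioned, max_hops) for m in members]
        hops = [h for h in hops if h is not None]
        report.append({"members": members, "hops": min(hops) if hops else None})
    return report


if __name__ == "__main__":
    for row in exposure_report(PAYOUTS, TRANSFERS, SANCTIONED):
        print(row)
```

Against real payroll the inputs would be each contractor’s payout address and transfers exported from a node or block explorer, with the sanctioned set loaded from the current OFAC SDN digital-currency entries. The hop bound matters because an exchange deposit address sweeps into hot wallets that touch everything, so an unbounded walk would link every contractor to every counterparty; a hit from either function is a reason to pause payment and re-verify identity, not proof of anything on its own.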

Implications for the blockchain and web3 sector

The seeming proliferation of suspected DPRK agents in key jobs poses significant risks to the blockchain and web3 sector. These risks are not just financial but also involve potential data breaches, intellectual property theft, and sabotage.

For instance, operatives could potentially implant malicious code within blockchain projects, compromising the security and functionality of entire networks.

Crypto companies now face the challenge of rebuilding trust and credibility in their hiring processes. The financial implications are also severe, with projects potentially losing millions to fraudulent activities.

Furthermore, the U.S. government has indicated that funds funneled through these operations often end up supporting North Korea’s nuclear ambitions, further complicating the geopolitical landscape.

For that reason, the community must prioritize stringent vetting processes and better security measures to safeguard against such deceptive job-hunting tactics.

Enhanced vigilance and collaboration across the sector are needed to thwart these malicious activities and protect the integrity of the burgeoning blockchain and crypto ecosystem.
