Here’s how North Korean operators are trying to infiltrate US crypto companies

The man at the other end, an FBI agent, told Devin that the seemingly legitimate software developer he had hired the summer before was a North Korean operator who had sent tens of thousands of dollars of his salary to the country’s authoritarian regime.

Astonished, Devin hung up and immediately cut the employee from the company’s accounts, he said.

“He was a good contributor,” Devin lamented, puzzled by the man who had claimed to be Chinese and passed several rounds of interviews to be hired. (CNN uses a pseudonym for Devin to protect the identity of his company.)

North Korean government-backed hackers have stolen the equivalent of billions of dollars in recent years by raiding cryptocurrency exchanges, according to the UN. In some cases, they have been able to capture hundreds of millions of dollars in a single robbery, say the FBI and private investigators.

US federal investigators are now publicly warning of a key pillar of the North Korean strategy, in which the regime places operators in technology jobs throughout the information technology industry.

The FBI, the Treasury Department and the State Department issued a rare public warning in May about thousands of “highly qualified” IT personnel giving Pyongyang “a critical stream of revenue” which helps bankroll the regime’s “highest economic and security priorities.”

It is an elaborate money-making scheme that depends on front companies, entrepreneurs and deception to prey on a volatile industry that is always looking for top talent. North Korean technology workers can earn more than $300,000 a year – hundreds of times the average income of a North Korean citizen – and up to 90% of their salary goes to the regime, according to the US advisory.

“(North Koreans) take this very seriously,” said Soo Kim, a former North Korea analyst at the CIA. “It’s not just a coincidence in his basement trying to extract cryptocurrency,” she added, referring to the process of generating digital money. “It’s a lifestyle.”

The value of cryptocurrency has plummeted in recent months, draining the North Korean exchange of many millions of dollars. According to Chainalysis, a digital currency tracking company, the value of North Korean holdings in cryptocurrency “wallets” or unpaid accounts has fallen by more than half since the end of last year, from $170 million to around $65 million.

But analysts say the cryptocurrency industry is too valuable a target for North Korean operators to turn away from because of the industry’s relatively weak cyber defenses and the role that cryptocurrencies can play in avoiding sanctions.

In recent months, US officials have held a series of private briefings with foreign authorities such as Japan, and with technology companies in the United States and abroad, to sound the alarm about the threat from North Korean IT personnel, an official in the Ministry of Finance who specializes in North Korea told CNN.

The list of companies targeted by North Koreans covers just about every aspect of the freelance technology sector, including payment processors and recruitment firms, the official said.

Pyongyang has been relying on its foreign technology workers for revenue for years. But the coronavirus pandemic – and the sporadic shutdown it has caused in North Korea – has, if anything, made the technology diaspora a more crucial source of funding for the regime, the official told CNN.

“The Treasury will continue to target the DPRK’s revenue-generating efforts, including its illegal IT work program and related malicious cyber-activities,” Brian Nelson, Secretary of State for Terrorism and Financial Intelligence, said in a statement to CNN, using an acronym for North Korea.

“Companies that engage in or process transactions for [North Korean tech] workers risk being subjected to sanctions from the United States and the United Nations,” added Nelson, who last month met with South Korean officials to discuss ways to combat North Korean money laundering and cybercrime.

CNN has emailed and called the North Korean embassy in London seeking comment.

Federal investigators are also looking for Americans who may be inclined to lend their expertise in digital currencies to North Korea.

In April, a 39-year-old American computer programmer named Virgil Griffith was sentenced to more than five years in prison in the United States for violating US sanctions against North Korea after speaking at a blockchain conference there in 2019 on how to avoid sanctions. Griffith pleaded guilty and expressed in a statement sent to the judge before the sentencing “deep remorse” and “shame” for his actions, which he attributed to an obsession with seeing North Korea “before it fell.”

But the long-term challenge facing US officials is far more subtle than the notable blockchain conferences in Pyongyang. It involves trying to limit the diffuse sources of funding that the North Korean government receives from its technological diaspora.

Double-edged sword

The North Korean government has long benefited from the fact that outsiders have underestimated the regime’s ability to sustain itself, thrive on the black market and exploit the information technology that underpins the global economy.

The regime has built a formidable cadre of hackers by singling out promising math and science students in school, putting North Korea in the same conversation as Iran, China and Russia when US intelligence officials discuss cyberpowers.

One of the most notorious North Korean hacks occurred in 2014 with the destruction of Sony Pictures Entertainment’s computer systems in retaliation for “The Interview”, a film involving a fictional conspiracy to kill Kim Jong Un. Two years later, North Korean hackers stole around $81 million from the Bank of Bangladesh by using the SWIFT system to transfer bank funds.

In recent years, North Korea’s hacking team has trained its sights on the cryptocurrency market.

The return has at times been astronomical.

Pyongyang-affiliated hackers in March stole the then equivalent of $600 million in cryptocurrency from a Vietnam-based video game company, according to the FBI. And North Korean hackers were probably behind a $100 million robbery at a California-based cryptocurrency company, according to blockchain analysis firm Elliptic.

“Most of these cryptocurrencies and services are still far from the security position we see in traditional banks and other financial institutions,” said Fred Plan, chief analyst at cyber security firm Mandiant, which investigated suspected North Korean technology workers and shared some of the findings with CNN.

The thousands of North Korean technology workers abroad give Pyongyang a double-edged sword: They can earn salaries that bypass UN and US sanctions and go straight to the regime, while sometimes offering North Korean-based hackers a foothold in cryptocurrency or other technology companies. IT workers sometimes provide “logistical” support to hackers and transfer cryptocurrencies, said the recent US government advisory.

“The community of skilled programmers in North Korea with permission to contact Westerners is probably quite small,” Nick Carlsen, who until last year was an FBI intelligence analyst focusing on North Korea, told CNN.

“These guys know each other. Even if a certain IT worker is not a hacker, he certainly knows one,” said Carlsen, who now works for TRM Labs, a company that investigates financial fraud. “Any vulnerability they may identify in a client’s systems will be seriously compromised.”

And both technology workers and hackers from North Korea have used the relatively open door of the job search process – where anyone can pretend to be anyone on platforms like LinkedIn – to their advantage. In late 2019, for example, potential North Korean hackers posed as job recruiters on LinkedIn to target sensitive data held by employees of two European aviation and defense companies, according to researchers at cyber security firm ESET.

“We are actively seeking evidence of state-sponsored activity on the platform and taking swift action against bad actors to protect our members,” LinkedIn said in a statement to CNN. “We are not waiting for requests, our threat intelligence team is removing fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.”

Learn to spot red flags

Some in the cryptocurrency industry are becoming more cautious when looking to hire new talent. In Jonathan Wu’s case, a video interview with a job candidate in April may have prevented him from inadvertently hiring someone he suspected was a North Korean tech worker.

As head of growth marketing at Aztec, a company that offers privacy features for Ethereum, a popular type of cryptocurrency technology, Wu was looking for a new software engineer when the hiring team came across a promising resume that someone had submitted.

The applicant claimed experience with non-fungible tokens (NFT) and other segments of the cryptocurrency market.

“It looked like someone we could hire as an engineer,” Wu, who is based in New York, told CNN.

But Wu saw a number of red flags in the applicant, who gave his name as “Bobby Sierra”. He spoke in halting English during the interview, kept his webcam off and could barely keep his backstory straight as he practically demanded a job at Aztec, according to Wu.

Wu did not end up hiring “Sierra”, who on his resume claimed to live in Canada.

“It sounded like he was in a mall,” Wu said. “It sounded like there were four or five boys in the office, who also spoke loudly, also apparently in interviews or phone calls, and spoke a mixture of Korean and English.”

“Sierra” did not respond to messages sent to his apparent email and Telegram accounts seeking comments.

CNN obtained the CVs that the alleged North Korean technology workers submitted to Wu’s company and to the cryptocurrency start-up founded by Devin. The CVs seem deliberately generic so as not to arouse suspicion, and they use buzzwords that are popular in the cryptocurrency industry such as “scalability” and “blockchain”.

A suspected North Korean operator tracked down by Mandiant, the cybersecurity firm, asked a number of questions to others in the cryptocurrency community about how Ethereum works and interacts with other technology, Mandiant said.

The North Korean may have gathered information about the technology that could be useful for hacking it later, according to Mandiant’s chief analyst Michael Barnhart.

“These guys know exactly what they want from the Ethereum developers,” Barnhart said. “They know exactly what they’re looking for.”

The fake CVs and other ruses used by the North Koreans will probably only become more credible, said Kim, the former CIA analyst who is now a policy analyst at RAND Corp., a think tank.

“While the craft is not perfect right now, in terms of their ways of approaching foreigners and eroding their vulnerabilities, it is still a new market for North Korea,” Kim told CNN. “Given the challenges facing the regime – food shortages, fewer countries willing to engage with North Korea … this is only going to be something they will continue to use because no one is holding them back, really.”
