North Korea’s Crypto Industry Infiltration: Tactics, Techniques & Strategies


"Naoki Murano," one of the suspected North Korean IT workers identified by ZachXBT, provided companies with an authentic-looking Japanese passport. (Image courtesy of Taylor Monahan)

North Korean Workers Infiltrate Crypto Companies

CoinDesk has uncovered a troubling trend within the cryptocurrency sector, revealing that over a dozen companies, including notable blockchain projects like Injective, ZeroLend, Fantom, Sushi, Yearn Finance, and Cosmos Hub, have unwittingly employed IT workers from North Korea. These individuals utilized fabricated identities, skillfully navigated interviews, and even provided authentic work histories to secure positions within these firms. The recruitment of North Korean workers is not only illegal under U.S. law and various international sanctions but also poses significant cybersecurity threats, as evidenced by numerous hacking incidents following their employment.

Struggles to Identify North Korean Workers

Many in the industry are grappling with the challenge of identifying these workers. Zaki Manian, a well-known blockchain developer, shared his experience of mistakenly hiring two North Korean IT workers for the Cosmos Hub project in 2021. He highlighted the difficulties faced by employers in filtering out these individuals, stating, “Everyone is struggling to filter out these people.”

Unwitting Hiring Practices

In 2023, Stefan Rust, founder of the crypto company Truflation, unknowingly hired a North Korean employee under the guise of a Japanese developer named “Ryuhei.” Initially impressed by his skills, Rust soon noticed discrepancies, such as the employee claiming to be in an earthquake despite no such event occurring. Eventually, Rust discovered that “Ryuhei” and several other team members were indeed from North Korea, illustrating a sophisticated scheme orchestrated by the regime to secure foreign employment and redirect earnings to the government.

Funding Nuclear Programs

Recent alerts from U.S. authorities emphasize the infiltration of North Korean IT workers into the tech sector, including cryptocurrency firms, where their earnings are reportedly funneled into financing the country’s nuclear ambitions. A United Nations report from 2024 estimates that these IT workers generate approximately $600 million annually for Kim Jong Un’s government. Hiring or compensating these workers, even unknowingly, violates UN sanctions and poses severe security risks due to the potential for hacking.

Widespread Awareness of North Korean Infiltration

A CoinDesk investigation has revealed that North Korean job applicants have aggressively targeted the crypto industry, successfully completing interviews and references, and often showcasing impressive contributions to open-source projects on platforms like GitHub. Founders and industry experts acknowledge that the presence of North Korean IT workers is more extensive than previously recognized, with many hiring managers admitting they have encountered or unwittingly employed suspected North Korean developers.

Consequences of Employment

While many North Korean workers performed their duties effectively, CoinDesk’s findings indicate that some funneled their wages to blockchain addresses associated with the North Korean government. Additionally, several crypto projects that employed these workers later experienced hacking incidents, including Sushi, which lost $3 million in a 2021 breach that has been linked to North Korean IT employees.

Longstanding Issues of Employment

The U.S. Treasury and the Department of Justice have been warning about North Korean attempts to infiltrate the U.S. crypto sector since 2022. However, CoinDesk’s investigation suggests that North Korean IT workers have been infiltrating these companies since at least 2018. Manian expressed concern that many believe this is a new issue, highlighting that there are GitHub accounts associated with these workers dating back to 2016.

Identifying Connection to North Korean Workers

CoinDesk’s investigation utilized various methods to connect DPRK IT workers to companies, including blockchain payment records and interviews with affected firms. Some employers had previously remained silent due to fears of publicity or legal ramifications. However, confronted with substantial evidence, many are now willing to share their experiences and highlight the scale of North Korea’s infiltration efforts.

Challenges in Hiring Practices

After hiring “Ryuhei,” Rust experienced a surge in job applications, unwittingly hiring four additional North Korean developers who claimed to be based in various global locations. The crypto industry, characterized by its global workforce and inclination to hire remote workers, has become an appealing target for North Korean IT workers.

Exploiting the Hiring Processes

CoinDesk reviewed job applications from North Korean workers received through various channels, including messaging platforms and crypto-specific job boards. Taylor Monahan, a product manager at MetaMask, noted that startups often lack rigorous hiring processes and are more willing to hire individuals through less formal means, making them particularly vulnerable.

Forgery and Deception

Many of the counterfeit documents submitted by suspected North Korean workers closely resemble legitimate passports and identification, although experts indicated they would likely be flagged by professional background check services. A specific case involved a suspected North Korean IT worker named “Naoki Murano,” who provided an apparently authentic Japanese passport.

Hiding in Plain Sight

Using publicly available blockchain data, CoinDesk uncovered instances where North Korean IT workers had operated under the radar. Manian, seeking help for a project, hired two freelancers who delivered quality work but later turned out to be funneling their earnings to individuals on U.S. sanctions lists linked to the North Korean regime.

Legal Implications

The hiring of North Korean IT workers has been illegal under U.S. and UN sanctions since 2016 and 2017, respectively. Companies can face legal repercussions regardless of whether they were aware of the employees’ true identities. However, to date, no crypto firm has faced prosecution for such hiring practices, with authorities acknowledging the complexity of these cases.

Ethical Considerations

Beyond the legal ramifications, paying North Korean IT workers raises ethical concerns, as these individuals are often exploited by their government. A UN report indicates that the majority of their earnings are retained by the regime, leaving workers with only a fraction of their wages.

Encouraging Transparency

Through its investigation, CoinDesk identified numerous companies that had employed North Korean IT workers, prompting some to come forward to share their experiences. Many employers reported that identifying these workers was easier after their employment had begun, often leading to terminations based on performance issues before any links to North Korea became known.

Variation in Skills

The skill levels of North Korean IT workers vary widely, with some demonstrating strong technical abilities while others may simply exploit the system for a short period. Rust recounted a positive experience with one developer, while other firms discovered red flags, such as frequent changes to payment addresses and alias names.
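The red flags named above (wages forwarded to sanctioned blockchain addresses, frequent changes of payout address, and aliases that share a wallet) can be screened for mechanically in a contractor payroll ledger. The script below is an added example written for this summary; it is not CoinDesk's, Truflation's or any other company's code. The contractor aliases, payout addresses, dates and the sanctions denylist are all constructed placeholders, and the threshold of two distinct addresses is an arbitrary assumption a finance or security team would tune to its own payout history.

```python
"""
Screen a contractor payout ledger for the red flags described above.
Added example, not code from CoinDesk or any company named on the page.
All records, addresses and the sanctions list are constructed placeholders.
"""
from collections import defaultdict
from datetime import date

# Constructed denylist of payout addresses (placeholders, not real indicators).
# In practice this would be loaded from an OFAC/UN sanctions feed.
SANCTIONED_ADDRESSES = {
    "0xSANCTIONED_PLACEHOLDER_A",
    "0xSANCTIONED_PLACEHOLDER_B",
}

# Constructed payroll ledger: (contractor alias, pay date, payout address).
PAYOUTS = [
    ("dev_ryu",   date(2024, 1, 31), "0xaddr01"),
    ("dev_ryu",   date(2024, 2, 29), "0xaddr02"),
    ("dev_ryu",   date(2024, 3, 31), "0xaddr03"),
    ("dev_ryu",   date(2024, 4, 30), "0xaddr04"),
    ("dev_naoki", date(2024, 2, 29), "0xaddr02"),   # same wallet as dev_ryu
    ("dev_naoki", date(2024, 3, 31), "0xSANCTIONED_PLACEHOLDER_A"),
    ("dev_sam",   date(2024, 1, 31), "0xaddr10"),
    ("dev_sam",   date(2024, 2, 29), "0xaddr10"),
    ("dev_sam",   date(2024, 3, 31), "0xaddr10"),
]


def screen_payouts(payouts, sanctioned, max_addresses=2):
    """Return {alias: [reasons]} for every contractor that trips a rule.

    Rules (all derived from the red flags described in the text):
      1. a payout went directly to a denylisted address;
      2. the contractor rotated through more than `max_addresses` wallets;
      3. a payout address is shared with a different contractor alias.
    """
    by_alias = defaultdict(list)
    aliases_by_address = defaultdict(set)
    for alias, when, addr in payouts:
        by_alias[alias].append((when, addr))
        aliases_by_address[addr].add(alias)

    findings = defaultdict(list)
    for alias, rows in by_alias.items():
        rows.sort()                      # chronological order by pay date
        addrs = [addr for _, addr in rows]

        # Rule 1: direct payment to a sanctioned address.
        hits = sorted(set(addrs) & sanctioned)
        if hits:
            findings[alias].append(
                f"paid to sanctioned address: {', '.join(hits)}")

        # Rule 2: frequent change of payout address.
        distinct = len(set(addrs))
        if distinct > max_addresses:
            findings[alias].append(
                f"{distinct} distinct payout addresses across {len(rows)} payouts")

        # Rule 3: one wallet behind several "different" contractors.
        shared = sorted({other for addr in addrs
                         for other in aliases_by_address[addr]
                         if other != alias})
        if shared:
            findings[alias].append(
                f"payout address shared with: {', '.join(shared)}")

    return dict(findings)


if __name__ == "__main__":
    for alias, reasons in screen_payouts(PAYOUTS, SANCTIONED_ADDRESSES).items():
        print(alias)
        for reason in reasons:
            print("  -", reason)
```

On the constructed ledger, `dev_ryu` is flagged for rotating through four wallets and for sharing one of them with `dev_naoki`; `dev_naoki` is flagged for the sanctioned address and the shared wallet; `dev_sam`, who is paid to a single stable address, produces no finding. Rule 1 only catches direct payments to a listed address; the onward transfers CoinDesk traced would require following the funds on-chain from the payout address, which this screen does not attempt.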

Indicators of Deception

Employers reported noticing odd behaviors that became clearer once they realized their employees were likely from North Korea. Some workers exhibited inconsistent work hours or appeared to be multiple people using the same identity, often attempting to conceal their identities by keeping their webcams off during meetings.

Linked Hacking Incidents

Many employers erroneously believed that North Korean IT workers operated independently of the regime’s hacking divisions. However, evidence suggests a strong connection between their employment and the regime’s hacking activities, as demonstrated by incidents like the $3 million theft from Sushi, which was linked to developers employed by the platform.

Coordinated Cybercrimes

In September 2021, a widely publicized hack of Sushi’s MISO platform was traced back to two freelance developers who had been contracted to assist with its creation. CoinDesk’s analysis revealed that their credentials and work history, while initially appearing legitimate, were part of a larger scheme that ultimately redirected funds to wallets controlled by North Korea.

Continuing Threats

North Korea has reportedly stolen over $3 billion in cryptocurrency over recent years, with a significant portion of these hacks connected to the activities of IT workers. The methods employed in these attacks often rely on social engineering rather than sophisticated hacking techniques, making IT workers ideal candidates for infiltration.

Recent Developments

As CoinDesk prepared to finalize this report, Rust experienced a security breach at Truflation, highlighting the ongoing vulnerabilities faced by companies in the crypto sector. The incident followed another breach at Delta Prime, underscoring the urgent need for increased vigilance against potential North Korean infiltration.