North Korean Nationals Reportedly Applying for Crypto Jobs to Infiltrate Projects for Malicious Purposes

North Korean national fake job applicants are reportedly applying for crypto jobs to infiltrate projects for malicious purposes, making hiring even more difficult.

A recent investigation has uncovered a troubling trend where doctored CVs are being used to deceive crypto companies.

Crypto Job Industry Faces New Challenges Amid Influx of Fake Applicants

According to the report by DL News , mounting evidence suggests that many of these bogus applicants are North Korean nationals aiming to infiltrate crypto projects for malicious purposes, such as gathering sensitive data, hacking, and asset theft.

“It’s an operational hazard for the industry,” said Shaun Potts, founder of the crypto-specific recruiting firm Plexus.

“It’s an ongoing thing, in the same way that hacking is a thing within tech. You can’t stop it, but you can minimise its risks.”

According to a recent United Nations Security Council report, over 4,000 North Koreans have been directed to conceal their identities and seek jobs in technology sectors, including crypto.

The council’s recent 615-page report noted that North Korean hackers have stolen $3 billion worth of crypto assets from 58 suspected cyberheists over the past seven years. The UN estimates that the fake hiring scheme alone earns North Korea up to $600 million annually.

Taylor Monahan, lead security researcher at MetaMask, explained that North Korea generates revenue by illegally selling resources, doing IT work, doing hard labor, and hacking.

This new development poses a fresh challenge for an increasingly mainstream industry, with Bitcoin ETFs and growing DeFi projects.

Zak Cole, co-founder of crypto venture studio Number Group, expressed concerns about bringing in new talent, stating, “Everyone I know is either working on another project or unavailable. How are we going to bring in new talent?”

In response to the hiring challenges, Cole and his co-founders turned to an AI tool called Applicant AI to screen applicants.

However, the results were mixed. In one case, an applicant claiming to be a native Dutch speaker hung up during a video interview when asked to speak in Dutch.

Another applicant’s GitHub profile, created only a month prior, raised red flags for a senior-level developer position. Some applicants even listed state penitentiaries as their home addresses.

Cole noted a disturbing pattern among the fake applicants: many refused to turn on their cameras during video interviews, and their responses often contradicted their CVs.

“They all have the same kind of script,” he said.

Karolis Kundrotas, a crypto-industry consultant at Durlston Partners, added that many applicants copy real LinkedIn profiles, altering them slightly to avoid detection.

Some undercover North Korean crypto employees reportedly earn as much as $60,000 monthly, holding multiple full-time and freelance jobs.

According to the UN report, these high earners keep 30% of their earnings and hand the rest to authorities in Pyongyang, contributing to the country’s significant revenue.

“They will continue to flood job posting forums, create résumés, and go after crypto companies and projects as long as it’s effective,” Monahan warned.

Lazarus Group Adopts New Tactics to Infiltrate Crypto Industry Through LinkedIn

In April 2024, blockchain security analytics firm SlowMist revealed that the notorious Lazarus Group is now posing as a blockchain developer seeking jobs in the cryptocurrency sector via LinkedIn. This alarming tactic involves hackers stealing confidential employee credentials after accessing repositories to run malicious code.

SlowMist reported that the hackers invite victims to access their repositories under the pretext of conducting code reviews. Still, the snippets contain hidden malware to extract sensitive information and assets.

This method is not new for the North Korean hacking group; a similar strategy was employed in December 2023 when they impersonated a fake recruiter from Meta .

The impersonator contacted potential victims and requested they download two coding challenges as part of the application process.

These files were laced with malware, and executing them on a work computer deployed a Trojan, enabling remote access to the system.

The Lazarus Group is infamous for its sophisticated operations, stealing over $3 billion in cryptocurrency .

Emerging in 2009, this organized hacking group continues to target crypto firms despite facing numerous sanctions.