The Unmasking of a Crypto Job Applicant: A Covert Operation Reveals North Korean Connections
Kraken Detects Possible North Korean Infiltration Attempt by Job Applicant on Cryptocurrency Exchange
A run-of-the-mill job interview for a remote engineering position at Kraken took an unexpected turn when the company discovered the applicant might be a North Korean operative. Instead of scrapping the hiring process, Kraken chose to delve deeper, turning the interview into an "intelligence-gathering operation" as they described in a recent blog post.
Recent years have seen North Korea's efforts to infiltrate cryptocurrency and tech companies grow more aggressive. The regime views these industries as lucrative targets, providing opportunities to harvest sensitive data and deploy ransomware or malicious code. Remote work and global hiring practices have made these infiltration attempts even more concealed. Moreover, North Korea has been accused of creating fake U.S. crypto firms, targeting developers with them.
A Suspicious Candidate, Red Flags Abound
From the get-go, several red flags emerged. The candidate used a different name on the initial video call than the one on their resume, and changed the name they went by several times during the conversation. Suspiciously, they also appeared to switch between different voices, suggesting they were being coached in real time.
Kraken had already received warnings about North Korean operatives applying for jobs at crypto firms. One email used by the applicant matched addresses that industry sources had previously flagged.
An internal investigation tied the email to a broader network of aliases, some of which had already ensconced themselves within the ranks of other companies. One alias was even linked to a sanctioned foreign agent.
The GitHub profile referenced in the resume was associated with an email exposed in a prior data breach. The ID submitted during the hiring process seemed falsified, using potentially stolen information from a previous identity theft case.
The applicant employed a colocated remote Mac desktop, which they accessed via VPN to hide their location. During the final interview with Nick Percoco, Kraken’s Chief Security Officer, the candidate crumbled under questioning, failing basic verification tests and stumbling on real-time questions about their city of residence or country of citizenship.
Unsurprisingly, Kraken decided not to move forward with the hire.
Kraken's experience serves as a sobering reminder about the need for companies to vigilantly counter sophisticated, state-sponsored infiltration attempts. "Don't trust, verify," Percoco emphasized, "State-sponsored attacks aren't just a crypto or U.S. corporate issue - they're a global threat."
Keeping Vigilant: Strategies for Defending Against State-Sponsored Threats
To strengthen defenses against such state-sponsored infiltration attempts, companies should implement a multi-layered approach that encompasses technical controls, employee training, and policy enforcement:
- Enhanced Identity Verification: Implement stringent identity verification protocols, including biometric checks (when applicable), multi-factor authentication for hiring portals, and cross-referencing of employment histories against tax records and professional networks.
- Technical Safeguards: Bolster security using network monitoring, anomaly detection, and AI-driven behavioral analysis. For critical infrastructure, deploy air-gapped systems and hardware-based security modules.
- Employee Training: Conduct regular security awareness programs focusing on social engineering red flags during interviews, secure communication protocols for sensitive roles, and reporting mechanisms for suspicious applicant behavior.
- Policy Framework: Align with best practices by segmenting networks to limit lateral movement, enforcing zero-trust architecture with least-privilege access, and conducting supply chain audits for third-party vendors.
- Threat Intelligence Collaboration: Share indicators of compromise through Information Sharing and Analysis Centers (ISACs) and keep tabs on emerging tactics, such as the infrastructure targeting used by Chinese state-sponsored groups like Volt Typhoon.
In high-risk sectors, joint government and private-sector threat assessments should be treated as a priority, with active participation in CISA's joint cyber defense initiatives.
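As an added illustration of the identity-verification and threat-intelligence points above (not code from Kraken or the article), the following triage turns the red flags the article describes into a scored pre-screen. The flagged-email and breach lists are constructed placeholders standing in for industry-shared indicators and breach-corpus lookups.

```python
# Added example: score an applicant against the red flags described in the article.
# FLAGGED_EMAILS and BREACHED_EMAILS are constructed placeholder data, not real indicators.
from dataclasses import dataclass
from typing import List, Optional

FLAGGED_EMAILS = {"dev.contractor@example.invalid"}   # constructed: industry-shared flags
BREACHED_EMAILS = {"gh-user@example.invalid"}         # constructed: seen in a prior breach

# Weights are an assumption for illustration; tune to your own risk appetite.
WEIGHTS = {
    "name_mismatch": 2,           # resume name differs from, or varies across, call names
    "flagged_email": 3,           # email matches an industry-shared flagged address
    "github_email_breached": 1,   # email behind the GitHub profile appeared in a breach
    "remote_desktop_via_vpn": 1,  # colocated remote desktop reached over VPN
    "failed_verification": 3,     # could not answer residence/citizenship questions
}
ESCALATE_AT = 3  # a single flagged email alone is enough to escalate

@dataclass
class Applicant:
    resume_name: str
    call_names: List[str]          # names the candidate used across video calls
    emails: List[str]              # addresses used during the hiring process
    github_email: Optional[str]    # email exposed via the referenced GitHub profile
    remote_desktop: bool           # accessed a colocated remote desktop over VPN
    verification_passed: bool      # answered live location/citizenship checks consistently

def vet_applicant(a: Applicant) -> dict:
    """Return each red flag as a boolean, a weighted score, and a triage decision."""
    names = {n.strip().lower() for n in a.call_names}
    flags = {
        "name_mismatch": a.resume_name.strip().lower() not in names or len(names) > 1,
        "flagged_email": any(e.strip().lower() in FLAGGED_EMAILS for e in a.emails),
        "github_email_breached": (a.github_email or "").strip().lower() in BREACHED_EMAILS,
        "remote_desktop_via_vpn": a.remote_desktop,
        "failed_verification": not a.verification_passed,
    }
    score = sum(WEIGHTS[name] for name, hit in flags.items() if hit)
    decision = "escalate to security" if score >= ESCALATE_AT else "proceed"
    return {"flags": flags, "score": score, "decision": decision}

if __name__ == "__main__":
    # Constructed sample applicant showing every indicator from the article.
    sample = Applicant("Alex Kim", ["Alex Kim", "A. Park"], ["dev.contractor@example.invalid"],
                       "gh-user@example.invalid", remote_desktop=True, verification_passed=False)
    print(vet_applicant(sample))
```

The output is meant to route a candidate to the security team for a live verification interview, not to reject automatically; a single hit such as a VPN is common among legitimate remote workers.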
- Despite a seemingly mundane interview for a remote engineering position, Kraken uncovered potential North Korean connections, transforming the process into an "intelligence-gathering operation."
- North Korea's attempts to infiltrate cryptocurrency and tech companies have become increasingly aggressive, targeting sensitive data and deploying ransomware or malicious code.
- Warning signs appeared early in the interview: the applicant gave a different name on the video call than on their resume and changed the name they went by several times during the conversation.
- The job applicant's email address had been previously flagged by industry sources, and an internal investigation linked it to a network of aliases already embedded within other companies.
- The applicant's GitHub profile and ID seemed falsified, using potentially stolen information from a previous identity theft case, and they employed a remote Mac desktop disguised by VPN to hide their location.
- During the final interview, the applicant failed basic verification tests and struggled with location-specific questions, ultimately leading Kraken to decide not to move forward with the hire.
- To counter state-sponsored infiltration attempts, companies should strengthen defenses through multi-layered approaches including enhanced identity verification, technical safeguards, employee training, policy framework, and threat intelligence collaboration.
