Suspected North Korean agents are allegedly using fake job applications to infiltrate Web3 projects, stealing millions of dollars and raising security concerns.
In the past few years, blockchain and Web3 have been at the forefront of technological innovation. However, great innovation carries great risk.
Recent leaks have revealed a sophisticated scheme by suspected DPRK-linked agents to infiltrate the sector through fake job applications, raising alarms about the industry’s security and safety.
Economic Motivations and Cyber Strategies
North Korea’s economy has been severely impacted by international sanctions, which have limited its access to vital resources, restricted trade opportunities, and hampered its ability to engage in global financial transactions.
In response, the regime has resorted to various methods to circumvent these sanctions, including illicit shipping practices, smuggling, and tunneling, as well as the use of front companies and foreign banks to conduct transactions indirectly.
However, one of the most unconventional ways the DPRK raises revenue is its alleged use of a sophisticated cyber warfare program that carries out cyberattacks on financial institutions, cryptocurrency exchanges, and other targets.
The crypto industry has been one of the biggest victims of the rogue state’s alleged cyber operations, with a TRM report earlier this year noting that crypto lost at least $600 million to North Korea in 2023 alone.
In total, the report said North Korea has been responsible for stealing $3 billion worth of cryptocurrencies since 2017.
With cryptocurrencies looking like an easy and lucrative target, reports have emerged that North Korean-linked entities are tightening the screws by infiltrating the industry using fake job applications.
Once employed, these agents are better positioned to steal and drain funds to support North Korea’s nuclear weapons program and circumvent global financial restrictions.
How it works: Fake job applications
Based on stories in the media and information from government agencies, DPRK agents appear to have mastered the art of deception, crafting fake identities and resumes to secure remote jobs at crypto and blockchain companies around the world.
An Axios story published in May 2024 highlighted how North Korean IT professionals exploit U.S. hiring practices to infiltrate the country’s tech industry.
Axios reported that North Korean operatives use forged documents and fake identities, and often hide their true locations using VPNs. Additionally, the report claimed that these potential bad actors primarily target sensitive roles in the blockchain sector, including developers, IT professionals, and security analysts.
300 companies affected by fake remote job application scam
The scope of this deception is so broad that the US Department of Justice recently revealed that more than 300 US companies were tricked into hiring North Koreans in a massive remote work scam.
These scammers have not only filled positions in the blockchain and web3 space, but have also tried to penetrate more secure and sensitive areas, including government agencies.
According to the US Department of Justice, North Korean operatives used stolen American identities to pose as local technology experts, with the hacks generating millions of dollars in revenue for their embattled country.
Interestingly, one of the organizers of this scheme was an Arizona woman named Christina Marie Chapman, who allegedly facilitated the recruitment of these workers by setting up a network of so-called “laptop farms” in the United States.
Reports indicate that these setups allowed the job scammers to appear to be working from within the United States, thus deceiving numerous companies, including several Fortune 500 companies.
Highlights and Investigations
Several high-profile cases have shown how these North Korean-linked operatives were able to infiltrate the crypto industry, exploit security vulnerabilities, and engage in fraudulent activities.
On-chain investigators like ZachXBT have provided insights into these operations through detailed analyses posted on social media. Below, we take a look at some of them.
Case 1: $300K Light Fury Transfer
ZachXBT recently highlighted an incident involving an alleged North Korean IT worker who goes by the alias “Light Fury” and also operates under the name Gary Lee. ZachXBT alleged that Light Fury transferred over $300,000 from his public Ethereum Name Service (ENS) address, lightfury.eth, to Kim Sang Man, a name on the Office of Foreign Assets Control (OFAC) sanctions list.
Light Fury’s digital footprint includes a GitHub account, which shows him as a senior smart contract engineer who made over 120 contributions to various projects in 2024 alone.
Case 2: Munchables Hack
The Munchables hack of March 2024 is another case study that shows the importance of careful vetting and background checks for key positions in crypto projects.
The incident involved the hiring of four developers, suspected to be the same person from North Korea, who were tasked with creating smart contracts for the project.
The fake team has been linked to a $62.5 million hack of the GameFi project hosted on the Blast layer-2 network.
The developers, who go by the GitHub usernames NelsonMurua913, Werewolves0493, BrightDragon0719, and Super1114, appear to have coordinated their efforts by recommending each other for jobs, transferring payments to the same exchange deposit addresses, and funding each other’s wallets.
Additionally, ZachXBT said they often used similar payment addresses and exchange deposit addresses, which indicates a single cohesive operation.
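The linking heuristic described above (contributors who pay into the same exchange deposit address or fund each other’s wallets) can be turned into a simple pre-onboarding check. This is an added example, not code from the article or from any investigator; the handles, addresses and transfers are constructed sample data.

```python
# Added example, not from the article: link contributor accounts that share an exchange
# deposit address or fund each other's wallets, the pattern the investigator describes.
# All handles, addresses and transfers below are constructed sample data.
from collections import defaultdict

# Constructed: each contributor handle -> the payout wallet it asked to be paid to.
WALLETS = {"dev_a": "0xaaa1", "dev_b": "0xbbb2", "dev_c": "0xccc3", "dev_d": "0xddd4"}

# Constructed transfers: (from_address, to_address, amount_eth).
TRANSFERS = [
    ("0xaaa1", "0xdep1", 5.0),   # dev_a cashes out to exchange deposit address 0xdep1
    ("0xbbb2", "0xdep1", 3.0),   # dev_b cashes out to the same deposit address
    ("0xbbb2", "0xccc3", 0.2),   # dev_b funds dev_c's wallet directly
    ("0xddd4", "0xdep2", 4.0),   # dev_d uses an unrelated deposit address
]

def link_accounts(wallets, transfers):
    """Return (clusters, evidence): contributors joined by shared deposit addresses
    or direct wallet funding, plus the transfer facts that joined them."""
    owner = {addr: handle for handle, addr in wallets.items()}
    parent = {handle: handle for handle in wallets}

    def find(x):                      # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    evidence = []
    senders = defaultdict(set)        # external address -> contributors paying into it
    for src, dst, _ in transfers:
        if src not in owner:
            continue
        if dst in owner:              # one contributor topping up another's wallet
            parent[find(owner[src])] = find(owner[dst])
            evidence.append(("funded_wallet", owner[src], owner[dst]))
        else:
            senders[dst].add(owner[src])
    for addr, handles in senders.items():
        handles = sorted(handles)
        if len(handles) > 1:          # two or more contributors share one deposit address
            evidence.append(("shared_deposit", addr, tuple(handles)))
            for h in handles[1:]:
                parent[find(handles[0])] = find(h)

    groups = defaultdict(set)
    for handle in wallets:
        groups[find(handle)].add(handle)
    return sorted(sorted(g) for g in groups.values()), evidence

def suspicious_clusters(wallets, transfers, min_size=2):
    """Clusters large enough to warrant a manual review before onboarding."""
    clusters, _ = link_accounts(wallets, transfers)
    return [c for c in clusters if len(c) >= min_size]
```

A cluster of "independent" applicants that collapses into one group is a review trigger, not proof; the evidence list records which transfers produced the link so a reviewer can verify them.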
The theft did not stem from the Munchables contract itself but from an upgradeable retainer contract the team initially used, which was controlled by the suspected North Korean developers who had infiltrated the team.
This setup gave the hackers significant control over the project’s smart contract. They exploited this control to manipulate the smart contract to allocate themselves a balance of 1 million ETH.
Although the contract was later upgraded to a more secure version, the storage slots that the alleged North Korean agents had tampered with remained unchanged.
They reportedly waited until enough ETH was deposited into the contract to make their attack worthwhile, and when the time was right, they moved approximately $62.5 million worth of ETH into their wallets.
Fortunately, the story had a happy ending. After investigations revealed the role of the former developers in the hack, the rest of the Munchables team entered into intensive negotiations with them, after which the criminals agreed to return the stolen funds.
Case 3: Governance attacks by Holy Pengy
Governance attacks have also been a tactic used by these fake job applicants. One of the alleged perpetrators is Holy Pengy. ZachXBT claims this name is an alias for Alex Chon, a hacker aligned with the Democratic People’s Republic of Korea.
When a community member alerted users to a governance attack on the Indexed Finance vault, which held $36,000 in DAI and about $48,000 in NDX, ZachXBT linked the attack to Chon.
According to the on-chain investigator, Chon, whose GitHub profile features a Pudgy Penguins avatar, regularly changed his username and was fired from at least two different positions due to his suspicious behavior.
In a previous message to ZachXBT, Chon, under the pseudonym Pengy, described himself as a senior engineer specializing in front-end and Solidity. He claimed to be interested in the ZachXBT project and wanted to join its team.
An address associated with him has been identified as being behind the Indexed Finance governance attack and a previous attack against Relevant, a Web3 news sharing and discussion platform.
Case 4: Suspicious activity at Starlay Finance
In February 2024, Starlay Finance experienced a serious security breach that affected its liquidity pool on the Acala network. This incident resulted in unauthorized withdrawals, which caused great concern within the cryptocurrency community.
The lending platform attributed the hack to “abnormal behavior” in its liquidity indicator.
However, following the exploit, a crypto analyst who goes by the X username @McBiblets raised concerns about the Starlay Finance development team.
In an X thread, McBiblets focused on two individuals, “David” and “Kevin,” after discovering unusual patterns in their activities and contributions to the project’s GitHub.
According to them, David, who uses the alias Wolfwarrier14, and Kevin, known as devstar, appear to share connections with other GitHub accounts such as silverstargh and TopDevBeast53.
Accordingly, McBiblets concluded that these similarities, coupled with Treasury Department warnings about North Korea-linked workers, suggest that the Starlay Finance incident may have been a coordinated effort by a small group of North Korea-linked hackers to exploit the crypto project.
Impacts on the blockchain and web3 sector
The apparent proliferation of suspected North Korean agents in key positions poses significant risks to the blockchain and web3 sector. These risks are not only financial, but also involve potential data breaches, intellectual property theft, and sabotage.
For example, it is possible for workers to implant malicious code within blockchain projects, compromising the security and functionality of entire networks.
Crypto companies now face the challenge of rebuilding trust and credibility in their recruitment processes. The financial consequences are also severe, with projects potentially losing millions of dollars due to fraudulent activity.
Moreover, the US government has noted that the money transferred through these operations often ends up supporting North Korea’s nuclear ambitions, further complicating the geopolitical landscape.
For this reason, the sector must prioritize strict verification processes and better security measures to protect against such deceptive job-application tactics.
It is important that there is increased vigilance and cooperation across the sector to thwart these malicious activities and protect the integrity of the blockchain system and the thriving cryptocurrency ecosystem.