How to identify North Korean hackers disguised as job-seeking developers?

Deep Tide TechFlow
2024-03-27 13:55:51
There are strange and interesting people everywhere in crypto....

Written by: Deep Tide TechFlow

On March 27, bad news broke on Blast that the Web3 gaming platform Munchables was hacked for over 17,000 ETH, worth 62.5 million dollars.

On-chain detective ZachXBT stated that the theft of Munchables may have been due to North Korean hackers posing as developers. Yu Xian, the founder of Slow Mist, also commented, "This is at least the second time we have encountered such a situation with a DeFi project. Core developers disguised themselves and lurked for a long time, gaining the trust of the entire team, and when the time was right, they struck without mercy."

When you are the founder of a crypto project, encountering North Korean hackers while interviewing remote developer candidates may not be a new experience.

Keone, the founder of Monad, revealed in 2022 on X that they posted many Solidity developer job listings and received numerous resumes… but they believed that many of them were from North Koreans and summarized some common characteristics:

  • They seem to prefer GitHub usernames like SuperTalentedDev726 or CryptoKnight415;
  • They also seem to like using numbers in their email and GitHub usernames, which might be a way to track their application identities?
  • They tend to choose Japanese identities (perhaps Koreans are too obvious) and often claim to have attended top schools in Japan, Hong Kong, or Singapore (National University of Singapore, Nanyang Technological University, University of Hong Kong, Hong Kong University of Science and Technology);
  • GitHub often (though not always) has stolen code repositories, taking existing projects and regenerating commit messages to use their usernames;
  • They also often tend to use multiple email addresses to apply for the job multiple times, with these email addresses being different from each other;
  • Having Solidity/EVM experience too early (e.g., since 2015).
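The tells above can be turned into a first-pass screening check. The script below is an added example written for this article, not tooling from Keone, Monad or Aztec; the applicant records, handles, addresses and the handle regex are constructed assumptions, and the flags are meant to prioritise a human follow-up, not to reject anyone automatically.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed applicant records (not real people or handles), shaped like an
# application form entry plus a quick look at the candidate's GitHub profile.
APPLICANTS = [
    {"name": "Taro Yamada", "email": "taro.yamada@example.org", "github": "tyamada",
     "solidity_since": 2019,
     "commit_dates": [date(2020, 3, 1), date(2021, 7, 9), date(2023, 1, 4)]},
    {"name": "Alex Kim", "email": "seniordev8841@example.com",
     "github": "SuperTalentedDev726", "solidity_since": 2014,
     # 40 commits all authored inside one week: a copied repo with a regenerated log
     "commit_dates": [date(2024, 3, 1 + i % 7) for i in range(40)]},
    {"name": "Alex Kim", "email": "alexkim3390@example.net",
     "github": "CryptoKnight415", "solidity_since": 2015,
     "commit_dates": [date(2024, 3, 2)]},
]

HANDLE_RE = re.compile(r"^[A-Za-z]+\d{3,}$")  # wordy handle + trailing digits (assumed pattern)
TOO_EARLY_SOLIDITY = 2015  # the post's "too early (e.g., since 2015)" threshold

def rewritten_history(dates, min_commits=20, max_span_days=14):
    """Many commits squeezed into a short window fits a repo whose history was regenerated."""
    return len(dates) >= min_commits and (max(dates) - min(dates)).days <= max_span_days

def score_applicant(app, emails_by_name):
    """Return the red flags raised by one application, one string per heuristic."""
    flags = []
    if HANDLE_RE.match(app["github"]):
        flags.append("handle: generic words with trailing digits")
    if re.search(r"\d", app["email"].split("@")[0]):
        flags.append("email: digits in local part")
    if len(emails_by_name[app["name"]]) > 1:
        flags.append("identity: same name applied from several addresses")
    if app["solidity_since"] <= TOO_EARLY_SOLIDITY:
        flags.append("experience: Solidity claimed implausibly early")
    if rewritten_history(app["commit_dates"]):
        flags.append("github: commit history looks regenerated")
    return flags

def screen(applicants):
    """Map each GitHub handle to its flags; duplicate-address detection needs the whole batch."""
    emails_by_name = defaultdict(set)
    for app in applicants:
        emails_by_name[app["name"]].add(app["email"])
    return {app["github"]: score_applicant(app, emails_by_name) for app in applicants}

if __name__ == "__main__":
    for handle, flags in screen(APPLICANTS).items():
        print(handle, "->", flags or "no flags")
```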

According to the latest updates, the GitHub user Werewolves0493 is reportedly the North Korean hacker behind the Munchables attack, and his email address on GitHub is seniordev1225@gmail.com, which aligns with Keone's description.

In 2022, Jonwu from the privacy protocol aztecnetwork also encountered a North Korean hacker during an interview and described the scene during the online interview. Here is his account:

First, we at aztecnetwork were hiring and received a job application for "Bobby Sierra - Solidity Engineer" on @Greenhouse.

After an internal review, the system assigned me an online interview.

I scanned through the resume.

Name: Bobby Sierra

Position: Solidity Engineer

Location: Ontario

Languages: English and some Chinese

Experience: F2pool, with some DAO and NFT projects on the resume.

Keep this in mind, it will be relevant later.

Then I looked at the cover letter, which started with: "I am a blockchain developer with over 6 years of rich experience."

Then there was a bunch of vague information, belonging to some generic self-praise, but understandable, as not everyone is good at writing cover letters.

Finally, he wrote in the cover letter: "The world will see great results in my hands."

I immediately thought, this guy sounds like a Bond villain.

I imagined a guy whose arm is actually a laser cannon, and his eyeball is made of plutonium or something.

"The world will see great results in my hands"???

What normal person talks like that?

It's unsettling, so I went to check his GitHub. 12 commits in the past 12 months? That's not "rich experience."

Moreover, the projects he participated in seemed random:

  • BoredBunnies
  • PantherSwap
  • MetaverseDAO

Forget it, I told myself, Crypto is a strange and interesting space filled with strange and interesting people! Look, maybe Bobby is just a quirky guy.

Then, I started the interview!

Hi, this is Jon from Aztec, is this Bobby?

"Yes. This is…Bobby Sierra."

I noticed a few things:

  • His camera was off;
  • More than 5 people were talking loudly in the background;
  • A clear Korean accent.

I asked him why he was so loud.

"Oh, I'm in the office."

WTF, but why are there 5 other people speaking a mix of Korean and English?

You might ask, how do I know he is Korean?

Hehe, some of my good friends are Korean, so I'm very familiar with Korean accents, but this was not the accent of a typical Korean American or Korean Canadian or any Korean accent.

"Bobby" could certainly speak English, but not normal English: stiff, formal, and almost incomprehensible.

So, "Bobby, introduce yourself."

"I have participated in many blockchain developments, token issuances, have many successful projects, very successful, a lot of blockchain experience, all with very good results. Okay?"

Let's break it down:

1) The first part is just utter nonsense, and for that alone, I wanted to cancel his interview.

2) "Okay"

The expression "Okay" convinced me that this guy is Korean. How do I know?

Because my friend's mom would say this crap before they give me a bowl of steaming rib soup.

"This is delicious, eat it while it's hot, okay?"

Now the alarm bells were ringing. I knew about the recent spate of North Korean hacker attacks.

I decided to dig deeper.

Where are you based, Bobby?

Bobby: "Based?"

As in, where are you now?

"Oh, Hong Kong."

"Hong Kong? Where did you last work?"

"Oh, Ateke."

What is that?

"A German company, or a French company. I don't know."

Your resume says you worked for F2pool, can you tell me about F2pool?

"Um, um, um, can I wait a moment?"

Then he muted me for 5 minutes.

When Bobby came back, he seemed like a different person.

"Hello, are you there?"

Yes, Bobby, I'm here.

"I am an experienced blockchain developer, I want a new job, I have a lot of experience, I can bring value to your company, I want an engineering job now. Okay?"

Whether true or not, I hung up the phone.

We know that North Korean hackers like the Lazarus Group are attacking major protocols and individuals.

Ronin was hacked for 600 million dollars; Arthur0x, Mgnr, and countless other well-known accounts were attacked.

I don't know what the attack vector is.

  • Download a compromised .docx resume?
  • Have someone share their screen and navigate to Metamask?
  • Gain access to our codebase and push a malicious modification?

I leave it to the internet to speculate.

In fact, I don't know if these people are North Korean hackers. Bobby might just be a very incompetent guy, but every fiber of my being says that's not the case.

Aside from fear and entertainment, I learned a lot from this strange interaction.

1) Our entire world is built on trust. If someone shows us their resume and GitHub, we believe it.

  • The risks of smart contracts are overestimated; anything can be a vector for attack: hiring, events, travel, etc.
  • Don't download attachments casually, keep your wallet isolated on your own machine, etc.

Later, "Bobby" updated his GitHub, pointing to an entirely new account, now with more code submissions.

I believe these people are learning, adapting, and getting smarter.

Fortunately, they cannot resolve how disconnected and incompetent they are.

We just need to stay sharp.
