Ten Thousand Character Investigation: How North Korea Infiltrates the Cryptocurrency Industry

CoinDesk
2024-10-03 10:51:56
CoinDesk's survey found that more than a dozen blockchain companies inadvertently hired undercover IT workers from North Korea, bringing cybersecurity and legal risks.

Original author: Sam Kessler, Coindesk

Translation by: Joy, PANews

Key Points:

  • CoinDesk found that over a dozen cryptocurrency companies unknowingly employed IT workers from North Korea, including well-known blockchain projects like Injective, ZeroLend, Fantom, Sushi, Yearn Finance, and Cosmos Hub.
  • These employees used fake IDs, passed interviews, and brought real work experience.
  • Hiring North Korean workers is illegal in the U.S. and other countries that sanction North Korea. This also poses security risks, as CoinDesk found that multiple companies suffered hacking attacks after hiring North Korean IT workers.
  • Noted blockchain developer Zaki Manian stated, "Everyone is trying to filter these people out." He mentioned that he inadvertently hired two North Korean IT workers in 2021 to help develop the Cosmos Hub blockchain.

In 2023, cryptocurrency company Truflation was still in its early stages when founder Stefan Rust unknowingly hired the first North Korean employee.

"We were looking for great developers," Rust said from his home in Switzerland. Unexpectedly, "this developer came to us."

"Ryuhei" sent his resume via Telegram, claiming to work in Japan. Shortly after being hired, strange contradictions began to surface.

At one point, "I was on a call with that person, and he said he experienced an earthquake," Rust recalled. But there hadn't been an earthquake in Japan recently. Then, the employee started missing calls, and when he did show up, "it wasn't him," Rust said. "It was someone else." Whoever it was, they lacked a Japanese accent.

Rust soon learned that "Ryuhei" and four other employees (more than a third of his team) were all North Koreans. Rust had inadvertently fallen into an organized North Korean scheme to place its workers in remote jobs abroad and funnel their income back to Pyongyang.

U.S. authorities have recently intensified warnings that North Korean IT workers are infiltrating tech companies, including cryptocurrency employers, and using the proceeds to fund the country's nuclear weapons program. According to a 2024 United Nations report, these IT workers earn North Korea up to $600 million annually.

Hiring and paying these workers—whether knowingly or not—violates UN sanctions and is illegal in the U.S. and many other countries. It also poses serious security risks, as North Korean hackers are known to attack companies through staff secretly placed inside them.

A CoinDesk investigation revealed the eagerness and frequency of North Korean job seekers targeting cryptocurrency companies—successfully passing interviews, background checks, and even showcasing impressive code contribution histories on open-source software repository GitHub.

CoinDesk interviewed over a dozen cryptocurrency companies, which stated they had unknowingly hired North Korean IT workers.

Interviews with founders, blockchain researchers, and industry experts indicated that North Korean IT workers are far more prevalent in the crypto industry than previously thought. Almost every hiring manager interviewed for this article admitted to having interviewed suspected North Korean developers, having unknowingly hired them, or knowing someone who had.

Noted blockchain developer Zaki Manian stated, "The proportion of resumes, applicants, or contributors from North Korea in the entire crypto industry could exceed 50%." He mentioned that he inadvertently hired two North Korean IT workers in 2021 to help develop the Cosmos Hub blockchain. "Everyone is trying to filter these people out."

Among the unwitting employers of North Korean workers identified by CoinDesk were several well-known blockchain projects, such as Cosmos Hub, Injective, ZeroLend, Fantom, Sushi, and Yearn Finance. "All of this is happening behind the scenes," Manian said.

This investigation marks the first time these companies have publicly acknowledged unknowingly hiring North Korean IT workers.

In many cases, North Korean workers operated like regular employees; thus, in a sense, employers essentially received the deliverables for which they paid. However, CoinDesk found evidence suggesting that these employees subsequently funneled their salaries to blockchain addresses linked to the North Korean government.

CoinDesk's investigation also uncovered several cases where cryptocurrency projects that employed North Korean IT workers later suffered hacking attacks. In some of these cases, the thefts could be directly linked to suspected North Korean IT workers on the company's payroll. Sushi was one such case, suffering a loss of $3 million in a hacking incident in 2021.

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) and the Department of Justice began publishing information in 2022 about North Korea's attempts to infiltrate the U.S. cryptocurrency industry. Evidence uncovered by CoinDesk suggests that North Korean IT workers had already begun working under false identities in cryptocurrency companies as early as 2018.

"I think a lot of people mistakenly believe this is something that happened suddenly," Manian said. "These people's GitHub accounts and other things can be traced back to 2016, 2017, 2018." (GitHub, owned by Microsoft, is an online platform used by many software organizations to host code and allow developers to collaborate.)

CoinDesk used various methods to connect North Korean IT workers to companies, including blockchain payment records, public GitHub code contributions, emails from U.S. government officials, and direct interviews with the companies concerned. One of the largest North Korean payment networks investigated by CoinDesk was identified by blockchain investigator ZachXBT, who released a list of suspected North Korean developers in August.

Previously, employers had remained silent due to concerns about unwanted exposure or legal repercussions. Now, faced with the extensive payment records and other evidence uncovered by CoinDesk, many of them decided to come forward to share their stories for the first time, revealing the scale and success of North Korea's infiltration of the cryptocurrency industry.

Forged Documents

After hiring the seemingly Japanese employee Ryuhei, Rust's Truflation received a flood of new applications. Within just a few months, Rust unknowingly hired four more North Korean developers, who claimed to be based in Montreal, Vancouver, Houston, and Singapore.

The cryptocurrency industry is particularly susceptible to disruption by North Korean IT workers. The workforce in the crypto industry is highly globalized, and compared to other companies, crypto firms are often more willing to hire fully remote (and even anonymous) developers.

CoinDesk reviewed North Korean job applications received by cryptocurrency companies from various sources, including messaging platforms like Telegram and Discord, cryptocurrency-specific job boards like Crypto Jobs List, and recruitment websites like Indeed.

"They are most likely to be hired by those truly fresh, emerging teams that are willing to hire from Discord," said Taylor Monahan, product manager of the crypto wallet app MetaMask, who frequently publishes security research related to North Korean crypto activities. "They don't have processes in place to hire people who have been background-checked. They are often willing to pay in cryptocurrency."

Rust stated that he conducted background checks on all new employees at Truflation. "They sent us passports and IDs, provided us with GitHub code repositories, took tests, and then basically we hired them."


An applicant, now suspected of being a North Korean national, submitted this Texas driver's license as identification to the cryptocurrency company Truflation. CoinDesk has obscured some details because North Korean IT workers have used stolen identification documents. (Image provided by Stefan Rust)

To the untrained eye, most forged documents are difficult to distinguish from genuine passports and visas, but experts told CoinDesk that professional background check services would likely uncover these forged documents.

One of the suspected North Korean IT workers identified by ZachXBT, "Naoki Murano," provided a company with a seemingly authentic Japanese passport. (Image provided by Taylor Monahan)

While startups are unlikely to use professional background checkers, "we do see North Korean IT personnel at large companies, either as actual employees or at least as contractors," Monahan said.

Hiding in Plain Sight

In many cases, CoinDesk identified North Korean IT workers at companies using publicly available blockchain data.

In 2021, blockchain developer Manian's company Iqlusion needed some help. He sought freelance programmers who could assist in upgrading the popular Cosmos Hub blockchain. He found two new employees; they performed excellently.

Manian never met the freelancers "Jun Kai" and "Sarawut Sanit" in person. They had previously collaborated on an open-source software project funded by the closely related blockchain network THORChain, and they told Manian they were in Singapore.

"For a year, I spoke with them almost every day," Manian said. "They completed the work. Frankly, I was very satisfied."

Two years after these freelancers completed their work, Manian received an email from an FBI agent investigating what appeared to be token transfers from Iqlusion that were sent to suspected North Korean crypto wallet addresses. The transfers in question turned out to be payments Iqlusion made to Kai and Sanit.


Left: An FBI agent (name redacted) requested Zaki Manian provide information about two blockchain payments from his company Iqlusion. Right: Manian informed the agent that these transactions were made between Iqlusion and several contractors.

The FBI never confirmed to Manian that the developers he contracted were North Korean agents, but CoinDesk's review of the blockchain addresses for Kai and Sanit showed that during 2021 and 2022, they funneled their earnings to two individuals on the OFAC sanctions list: Kim Sang Man and Sim Hyon Sop.

According to OFAC, Sim is a representative of North Korea's Foreign Trade Bank, which launders funds for IT workers to help "finance North Korea's weapons of mass destruction and ballistic missile programs." Sarawut appears to have sent all his earnings to Sim and other blockchain wallets associated with Sim.


Blockchain records from April to December 2022 show that "Sarawut Sanit" sent all his wages to wallets associated with OFAC-designated North Korean agent Sim Hyon Sop. (Ethereum wallets tracked by CoinDesk. Asset prices estimated by Arkham.)

Meanwhile, Kai directly remitted nearly $8 million to Kim. According to a 2023 OFAC advisory report, Kim is a representative of Chinyong Information Technology Cooperation, which "employs North Korean IT workers operating in Russia and Laos through its controlled companies and representatives."


Throughout 2021, "Jun Kai" sent $7.7 million worth of cryptocurrency directly to blockchain addresses on the OFAC sanctions list associated with Kim Sang Man. (Ethereum wallets tracked by CoinDesk. Asset prices estimated by Arkham.)

Iqlusion's payment to Kai accounted for less than $50,000 of the nearly $8 million he sent to Kim, with the remainder coming from other cryptocurrency companies.

For example, CoinDesk found that the Fantom Foundation, which develops the widely used Fantom blockchain, made payments to "Jun Kai" and another developer linked to North Korea.

A spokesperson for the Fantom Foundation told CoinDesk, "Fantom does confirm that two external individuals were involved with North Korea in 2021. However, the developers in question were involved in an external project that was never completed and never deployed."

According to the Fantom Foundation, "The two employees involved have been terminated, and they never contributed any malicious code or accessed Fantom's codebase, and Fantom's users were not affected." The spokesperson noted that one North Korean employee attempted to attack Fantom's servers but failed due to a lack of necessary access.

According to the OpenSanctions database, Kim's blockchain addresses linked to North Korea were only publicly disclosed by the government in May 2023, more than two years after the payments to Iqlusion and Fantom.

Giving Room for Maneuver

The U.S. and the UN imposed sanctions on hiring North Korean IT workers in 2016 and 2017, respectively.

Whether knowingly or not, paying wages to North Korean workers in the U.S. is illegal—this legal concept is known as "strict liability."

The location of the company is also irrelevant: hiring North Korean workers poses legal risks for any company operating in countries that sanction North Korea.

However, the U.S. and other UN member states have yet to prosecute any cryptocurrency company for hiring North Korean IT workers.

The U.S. Treasury Department launched an investigation into Iqlusion, based in the U.S., but Manian stated that no penalties were imposed at the end of the investigation.

U.S. authorities have been lenient in bringing charges against these companies—acknowledging to some extent that these companies, at best, encountered an unusually complex and sophisticated identity fraud, or at worst, a long-running and deeply embarrassing scam.

In addition to the legal risks, MetaMask's Monahan explained that paying North Korean IT workers is also "bad because the people you are paying are essentially exploited by the regime."

According to a lengthy 615-page report from the UN Security Council, North Korean IT workers can only keep a small portion of their wages. The report states, "Low-income earners keep 10%, while high-income earners can keep 30%."

While these wages may still be high relative to the average in North Korea, "I don't care where they live," Monahan said. "If I pay someone, and they are forced to send all their salary to their boss, that makes me very uncomfortable. If their boss is the North Korean regime, that makes me even more uncomfortable."

CoinDesk reached out to several suspected North Korean IT workers during the reporting process but did not receive any responses.

Future

CoinDesk identified over 20 companies that may have employed North Korean IT workers by analyzing blockchain payment records involving OFAC-sanctioned entities. Twelve of the companies with such records confirmed to CoinDesk that they had previously identified suspected North Korean IT workers on their payroll.

Some declined to comment further due to concerns about legal repercussions, but others agreed to share their stories in the hope that others could learn from their experiences.

In many cases, North Korean employees were easier to identify after being hired.

Eric Chen, CEO of the decentralized finance project Injective, stated that he contracted a freelance developer in 2020 but quickly fired him due to poor performance.

"He didn't last long," Chen said. "The code he wrote was terrible and didn't work well." It wasn't until last year, when a "government agency" in the U.S. contacted Injective, that Chen learned the employee had ties to North Korea.

Several companies told CoinDesk that they had fired an employee for poor work quality before learning of any connection to North Korea.

"Months of Payroll"

However, like developers in general, North Korean IT workers vary in ability.

Manian said that on one hand, some employees are "coming into the company, going through the interview process, and earning several months' salary. On the other hand, when you interview these people, you find that their actual technical skills are really strong."

Rust recalled encountering "a very good developer" at Truflation who claimed to be from Vancouver but was later found to be from North Korea. "He was really a young guy," Rust said. "It felt like he had just graduated from college. A bit naive, very enthusiastic, and very excited to have the opportunity to work."

Another example is the DeFi startup Cluster, which fired two developers in August after ZachXBT provided evidence linking them to North Korea.

The anonymous founder of Cluster, z3n, told CoinDesk, "These people knew too much; it was unbelievable." In hindsight, there were some "obvious red flags." For instance, "they would change their payment addresses every two weeks and change their Discord or Telegram names every month or so."

Cameras Off

In conversations with CoinDesk, many employers noted that when they learned their employees might be North Korean, some unusual behaviors made more sense.

Sometimes these hints were subtle, such as employees' working hours not aligning with their supposed locations.

Other employers, like Truflation, noticed that a single "employee" might actually be several people, who hid this by keeping their cameras off. (They were almost all male.)

One company hired an employee who attended morning meetings but, later the same day, seemed to forget everything that had been discussed, a quirk made all the more significant because she had clearly spoken with many people beforehand.

When Rust expressed his concerns about the "Japanese" employee Ryuhei to an investor with experience tracking criminal payment networks, the investor quickly identified four other suspected North Korean IT workers on Truflation's payroll.

"We immediately cut off contact," Rust stated, adding that his team conducted a security audit of their code, enhanced background check processes, and changed certain policies. One new policy required remote workers to turn on their cameras.

$3 Million Hacking Attack

Many employers consulted by CoinDesk mistakenly believed that North Korean IT workers operated independently of North Korean hacking departments, but blockchain data and conversations with experts indicate that North Korean hacking activities are often linked to IT workers.

In September 2021, Sushi's platform MISO, used for issuing crypto tokens, lost $3 million in a theft incident. CoinDesk found evidence suggesting that this attack was related to Sushi hiring two developers whose blockchain payment records were linked to North Korea.

At the time of the hack, Sushi was one of the most prominent platforms in the emerging DeFi space. SushiSwap had over $5 billion in deposits and primarily served as a "decentralized exchange" for people to trade cryptocurrencies without intermediaries.

At that time, Sushi's CTO Joseph Delong traced the MISO theft back to two freelance developers involved in developing the platform: they used the names Anthony Keller and Sava Grujic. Delong stated that these developers (whom he now suspects are the same person or organization) injected malicious code into the MISO platform, transferring funds to wallets they controlled.

When Keller and Grujic were hired to manage the decentralized autonomous organization Sushi DAO, they provided credentials that were typical, even impressive, for entry-level developers.

Keller publicly used the alias "eratos1122," but when he applied for the MISO job, he used a name that seemed to be his real name, "Anthony Keller." In a resume shared by Delong with CoinDesk, Keller claimed to reside in Gainesville, Georgia, and graduated from the University of Phoenix with a bachelor's degree in computer engineering. (The university did not respond to requests regarding whether there were any graduates with that name.)


"Anthony Keller" claimed to reside in Gainesville, Georgia, and listed his experience working on the popular decentralized finance application Yearn in his resume.

Keller's resume did mention previous work. The most impressive was with Yearn Finance, a very popular crypto investment protocol that offers users a way to earn interest through a series of investment strategies. Yearn's core developer Banteg confirmed that Keller was involved in developing Coordinape, an application developed by Yearn to facilitate team collaboration and payments. (Banteg stated that Keller's work was limited to Coordinape, and he did not have access to Yearn's core codebase.)

According to Delong, Keller introduced Grujic to MISO, and the two claimed to be "friends." Like Keller, Grujic's resume listed his real name rather than his online pseudonym "AristoK3." He claimed to be from Serbia, graduated from the University of Belgrade with a bachelor's degree in computer science, and his GitHub account was active, listing his experience with several smaller crypto projects and gaming startups.


In his resume, "Sava Grujic" listed five years of programming experience and claimed to be based in Belgrade, Serbia.

Rachel Chu, a former core developer at Sushi, closely collaborated with Keller and Grujic before the theft incident and stated that she had already developed "suspicions" about the two before the hack occurred.

Despite being far apart, Grujic and Keller "had the same accent" and "texted in the same way," Chu said. "Every time we had a call, there would be some background noise, like in a factory," she added. Chu recalled that she had seen Keller's face but had never seen Grujic's. According to Chu, Keller's camera "zoomed in," so she couldn't see what was behind him at all.

Grujic and Keller ultimately stopped contributing to MISO at the same time. "We thought they were the same person," Delong said, "so we stopped paying them." This occurred during the height of the COVID-19 pandemic, when it was not uncommon for remote crypto developers to pose as multiple people to collect extra pay.

After Grujic and Keller were fired in the summer of 2021, the Sushi team neglected to revoke their access to the MISO codebase.

According to a screenshot obtained by CoinDesk, on September 2, Grujic submitted malicious code to the MISO platform under his alias "AristoK3," transferring $3 million to a new cryptocurrency wallet.

"Sava Grujic" submitted contaminated code to Sushi's MISO using the alias AristoK3. (Screenshot provided by Joseph Delong)

CoinDesk's analysis of blockchain payment records suggests a possible connection between Grujic, Keller, and North Korea. In March 2021, Keller posted a blockchain address in a now-deleted tweet. CoinDesk discovered that this address, along with Grujic's hacker address and archived addresses for Keller from Sushi, had multiple payments between them. According to Delong, Sushi's internal investigation ultimately concluded that the address belonged to Keller.


During 2021 to 2022, blockchain addresses linked to Keller and Grujic sent most of their funds to wallets associated with North Korea. (Ethereum wallets tracked by CoinDesk. Asset prices estimated by Arkham.)

CoinDesk found that this address sent most of its funds to "Jun Kai" (the Iqlusion developer who remitted to OFAC-designated Kim Sang Man) and another wallet that appeared to act as a North Korean proxy (as it also paid Kim).

Sushi's internal investigation found that Keller and Grujic often operated using IP addresses from Russia, further corroborating claims that they were North Koreans. OFAC stated that North Korean IT workers are sometimes based in Russia. (The U.S. phone number on Keller's resume has been disconnected, and his "eratos1122" GitHub and Twitter accounts have been deleted.)

Additionally, CoinDesk found evidence suggesting that while employing Keller and Grujic, Sushi also employed another suspected North Korean IT contractor. ZachXBT identified this developer as "Gary Lee," who coded under the alias LightFury and funneled income to "Jun Kai" and another address associated with Kim.


From 2021 to 2022, Sushi also employed another individual who was clearly a North Korean contractor named "Gary Lee." This worker funneled his income from 2021 to 2022 to blockchain addresses associated with North Korea, including the wallet used by Iqlusion's "Jun Kai." (Ethereum wallets tracked by CoinDesk. Asset prices estimated by Arkham.)

After Sushi publicly blamed the attack on Keller's alias "eratos1122" and threatened to involve the FBI, Grujic returned the stolen funds. While it may seem counterintuitive for North Korean IT workers to care about protecting their false identities, they appear to reuse certain names and build their reputations by contributing to many projects, perhaps to gain the trust of future employers.

One might think that protecting the alias Anthony Keller would be more profitable in the long run: in 2023, two years after the Sushi incident, someone named "Anthony Keller" applied to Stefan Rust's company Truflation.

CoinDesk attempted to contact "Anthony Keller" and "Sava Grujic" for comments but was unsuccessful.

North Korean-style Heist

According to the UN, North Korea has stolen over $3 billion in cryptocurrency through hacking attacks over the past seven years. Among the hacking incidents tracked by blockchain analysis firm Chainalysis in the first half of 2023, 15 were linked to North Korea, "about half of which involved thefts related to IT workers," said company spokesperson Madeleine Kennedy.

North Korea's cyberattacks are not like Hollywood-style hacking, where hoodie-wearing programmers use complex computer code and black-green terminals to infiltrate mainframes.

North Korean-style attacks are apparently less sophisticated. They often involve some form of social engineering, where attackers gain the trust of victims holding system keys and then extract those keys directly through simple means like malicious email links.

Monahan said, "So far, we have never seen North Korea conduct a real attack. They always start with social engineering, then compromise devices, and finally steal private keys."

IT workers are well-suited to contribute to North Korea's heists, as they either obtain personal information that can be used to compromise potential targets or directly access software systems filled with digital cash.

A Series of Coincidences

On September 25, just as this article was about to be published, CoinDesk arranged a video call with Rust from Truflation. The plan was to verify some details he had previously shared.

A flustered Rust joined the call 15 minutes late. He had just been hacked.

CoinDesk contacted over 20 projects that appeared to have been tricked into hiring North Korean IT workers. In just the last two weeks of interviews, two of those projects were hacked: Truflation and a cryptocurrency lending application called Delta Prime.

It is still too early to determine whether these two hacking incidents have a direct connection to the unintentional hiring of North Korean IT workers.

On September 16, Delta Prime was breached first. CoinDesk had previously discovered payments and code contributions between Delta Prime and Naoki Murano, one of the developers flagged by anonymous blockchain investigator ZachXBT as being linked to North Korea.

The project lost over $7 million, officially attributed to a "private key leak." Delta Prime did not respond to multiple requests for comment.

Less than two weeks later, the Truflation hacking incident followed. About two hours before speaking with CoinDesk, Rust noticed funds flowing out of his crypto wallet. He had just returned from a business trip to Singapore and was trying to figure out what went wrong. "I just don't know how this happened," he said. "I locked my notebook in the hotel safe. I always had my phone with me."

As Rust spoke, millions of dollars were flowing out of his personal blockchain wallet. "I mean, this is really bad. This money is for my kids' tuition and retirement."

Truflation and Rust ultimately lost about $5 million. The official reason for the loss was that the private key was stolen.
