It is alleged that individuals believed to be North Koreans infiltrated web3 projects with fake job applications, defrauding millions of dollars and causing security concerns.
For the past few years, blockchain and web3 have been at the forefront of technological innovation. However, with great innovation comes great risk.
Recent findings have revealed that individuals suspected of having links to the Democratic People’s Republic of Korea were operating a complex scheme to infiltrate the industry through fake job applications, raising concerns about the security and integrity of the industry.
Economic reasons and cyber strategies
North Korea’s economy has been severely damaged by international sanctions, which have restricted the country’s access to vital resources, constrained trade opportunities and hampered its ability to participate in global financial transactions.
In response, the regime has resorted to methods such as smuggling and tunnel digging to circumvent these sanctions, and has also carried out transactions indirectly through front companies and foreign banks.
But one of North Korea’s most unusual methods of generating revenue is reportedly a state cyber program that allegedly launches attacks on financial institutions, cryptocurrency exchanges and other targets.
The crypto industry has been one of the biggest victims of these alleged operations: a TRM Labs report earlier in the year stated that the industry lost at least $600 million to North Korea-linked actors in 2023 alone.
The report stated that North Korea has been responsible for the theft of a total of $3 billion worth of cryptocurrencies since 2017.
Amount of cryptocurrency reported stolen by North Korea-linked actors between 2017 and 2023 | Source: TRM Labs
Given that cryptocurrencies are an easy and lucrative target, reports have emerged that North Korean-linked actors are increasing the pressure by infiltrating the industry using fake job applications.
Once hired, these operatives are better positioned to steal and embezzle funds that support North Korea’s nuclear weapons program and help it circumvent the global financial restrictions imposed on it.
How it works: Fake job applications
According to media reports and information from government agencies, North Korean operatives appear to have mastered the art of deception, creating fake identities and resumes to secure remote jobs at crypto and blockchain companies around the world.
A May 2024 report by Axios highlighted how North Korean IT experts were abusing American hiring practices to infiltrate the country’s tech sector.
North Korean agents used fake documents and identities, often hiding their true locations with VPNs, Axios said. The story also alleged that these potential bad actors primarily targeted sensitive roles in the blockchain industry, including developers, IT professionals, and security analysts.
300 companies affected by fake remote job application scam
The scale of this scam is huge; the US Department of Justice recently revealed that more than 300 US companies were tricked into hiring North Koreans in a massive remote work scam.
These scammers are allegedly not only filling positions in the blockchain and web3 space, but are also attempting to infiltrate more secure and sensitive areas, including government agencies.
North Korean agents used stolen American identities to pose as domestic technology professionals, and the infiltration generated millions of dollars in revenue for their struggling country, according to the Justice Department.
Interestingly, one of the organizers of this scheme was a woman named Christina Marie Chapman from Arizona, who allegedly facilitated the placement of these workers by creating a network of so-called “laptop farms” across the US.
Such arrangements reportedly allow job scammers to appear to be operating in the United States, thereby deceiving businesses including Fortune 500 companies.
Major events and investigations
Several high-profile cases have revealed how North Korean-linked agents have infiltrated the crypto industry, exploited vulnerabilities, and engaged in fraudulent activities.
On-chain investigators such as ZachXBT have provided insight into these operations through detailed analyses published on social media; we look at a few of them below.
Case 1: Light Fury’s $300,000 transfer
ZachXBT recently brought to light an incident involving an alleged North Korean IT worker using the alias “Light Fury” and operating under the pseudonym Gary Lee. ZachXBT claimed that Light Fury transferred over $300,000 from his public Ethereum Name Service (ENS) address, lightfury.eth, to Kim Sang Man, who is on the Office of Foreign Assets Control (OFAC) sanctions list.
Light Fury’s digital footprint also includes a GitHub account listing him as a senior smart contract engineer who has made over 120 contributions to various projects in 2024 alone.
Case 2: The Munchables exploit
The Munchables attack in March 2024 stands as another case study in the importance of thorough vetting and background checks for key positions in crypto projects.
In this case, four developers were hired who are believed to have been the same North Korean person; they were tasked with writing the project’s smart contracts.
The rogue team was linked to the $62.5 million hack of the GameFi project hosted on the Blast layer-2 network.
The operators, with GitHub usernames such as NelsonMurua913, Werewolves0493, BrightDragon0719, and Super1114, appear to have been conducting coordinated efforts by recommending each other for jobs, transferring payments to the same exchange deposit addresses, and depositing funds into each other’s wallets.
ZachXBT also said that they frequently used the same payment addresses and exchange deposit addresses, indicating a tightly knit operation.
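The indicators listed above (payouts to the same exchange deposit address, contributors funding each other’s wallets, referrals that stay inside the group) are exactly the kind of signal a project can check for itself. The script below is an added illustration, not ZachXBT’s tooling or anything from the Munchables project: it links contributor handles whose payout addresses are connected by on-chain transfers, then counts how many referral edges stay inside each cluster. The handles, addresses, transfers and referrals are constructed for the demo. The `exclude` set is the caveat a practitioner needs: an exchange hot wallet or bridge contract receives funds from everyone, so linking through it would collapse the whole payroll into one cluster.

```python
"""Cluster contributors by shared payout infrastructure (added example, constructed data)."""
from collections import defaultdict


class UnionFind:
    """Disjoint-set over addresses; two addresses end up in one set if any transfer joins them."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_contributors(payroll, transfers, exclude=frozenset()):
    """Return groups of contributor handles whose payout addresses are transitively connected.

    payroll:   {handle: payout_address} as requested by each contributor.
    transfers: iterable of (sender, receiver) addresses seen on-chain.
    exclude:   addresses that legitimately receive from many unrelated people
               (exchange hot wallets, bridges, routers); edges touching them are skipped,
               otherwise every contributor who ever used the same exchange would be linked.
    """
    uf = UnionFind()
    for src, dst in transfers:
        if src in exclude or dst in exclude:
            continue
        uf.union(src, dst)
    groups = defaultdict(set)
    for handle, addr in payroll.items():
        groups[uf.find(addr)].add(handle)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def flag_clusters(payroll, transfers, referrals, exclude=frozenset()):
    """Attach the hiring-side signal: referral edges (referrer, hired) that stay inside a cluster."""
    flagged = []
    for members in cluster_contributors(payroll, transfers, exclude):
        inside = set(members)
        internal = sum(1 for referrer, hired in referrals if referrer in inside and hired in inside)
        flagged.append({"members": members, "internal_referrals": internal})
    return flagged


# Constructed sample data (handles and addresses are made up).
PAYROLL = {"dev_a": "0xa111", "dev_b": "0xb222", "dev_c": "0xc333", "dev_d": "0xd444"}
TRANSFERS = [
    ("0xa111", "0xdep1"),  # dev_a's payout -> a per-user exchange deposit address
    ("0xb222", "0xdep1"),  # dev_b's payout -> the same deposit address
    ("0xc333", "0xb222"),  # dev_c tops up dev_b's payout wallet directly
    ("0xa111", "0xhot"),   # dev_a -> exchange hot wallet shared by all customers
    ("0xd444", "0xhot"),   # dev_d -> the same hot wallet (an unrelated contributor)
]
REFERRALS = [("dev_a", "dev_b"), ("dev_b", "dev_c")]  # who vouched for whom at hiring time
EXCHANGE_HOT_WALLETS = frozenset({"0xhot"})

if __name__ == "__main__":
    for cluster in flag_clusters(PAYROLL, TRANSFERS, REFERRALS, EXCHANGE_HOT_WALLETS):
        print(cluster)
```

Run with the hot-wallet exclusion, the script yields one cluster of three handles with two internal referrals, and `dev_d` stays unlinked; without the exclusion all four contributors collapse into a single group, which is why the known-shared-address list matters as much as the transfer data.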
The theft was possible because Munchables initially ran behind an upgradeable proxy whose implementation contract was controlled by the suspected North Korean developers who had infiltrated the team; the weakness lay in that setup rather than in the Munchables contract code itself.
This gave the infiltrators control over the proxy’s storage, which they used to assign themselves a balance of 1 million ETH.
Although the implementation was later upgraded to a more secure version, an upgrade swaps only the code behind the proxy, not its state: the storage slots, allegedly manipulated by the North Korean developers, carried over unchanged.
They reportedly waited until enough ETH had been deposited into the contract to make the attack worthwhile, then transferred approximately $62.5 million worth of ETH to their wallets.
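The mechanism above (an upgrade replaces the implementation but leaves the proxy’s storage intact) is easy to get wrong in review, so here is an added illustration of it. This is not the Munchables code and not an EVM: it is a small Python stand-in in which a `Proxy` owns the storage and dispatches calls to whichever implementation is current, mirroring how delegatecall runs implementation code against the proxy’s state. The contract names, the 1,000,000 ETH planted balance and the 17,000 ETH deposit figure are illustrative. The `phantom_balance` check is the invariant a team should have run before and after the upgrade: credited balances must never exceed what the contract actually holds.

```python
"""Why swapping the implementation did not undo a planted balance (added example, simplified model)."""


class Proxy:
    """Owns the state; the implementation object only supplies code (cf. delegatecall)."""

    def __init__(self, implementation):
        self.implementation = implementation
        self.storage = {"balances": {}}  # persists across upgrades, like proxy storage slots
        self.eth_held = 0                # ETH actually sitting in the contract

    def upgrade_to(self, implementation):
        # An upgrade swaps the code pointer only; nothing in self.storage is touched.
        self.implementation = implementation

    def call(self, fn, caller, *args, value=0):
        # Run the implementation's code against *this* contract's storage and balance.
        self.eth_held += value
        return getattr(self.implementation, fn)(self, caller, *args, value=value)


class VaultV1:
    """Implementation shipped by the rogue developer (illustrative)."""

    @staticmethod
    def deposit(ctx, caller, value=0):
        ctx.storage["balances"][caller] = ctx.storage["balances"].get(caller, 0) + value

    @staticmethod
    def set_balance(ctx, caller, who, amount, value=0):
        # Backdoor: credit any address with any balance, written straight into proxy storage.
        ctx.storage["balances"][who] = amount


class VaultV2:
    """Clean replacement: no backdoor, but it inherits whatever storage V1 left behind."""

    @staticmethod
    def deposit(ctx, caller, value=0):
        ctx.storage["balances"][caller] = ctx.storage["balances"].get(caller, 0) + value

    @staticmethod
    def withdraw(ctx, caller, amount, value=0):
        bal = ctx.storage["balances"].get(caller, 0)
        if bal < amount:
            raise ValueError("insufficient balance")
        if ctx.eth_held < amount:
            raise ValueError("contract underfunded")
        ctx.storage["balances"][caller] = bal - amount
        ctx.eth_held -= amount
        return amount


def phantom_balance(proxy):
    """Credited balance that no deposit ever backed; anything above zero means tampered storage.
    Run this before and after every upgrade, not only against the new implementation's code."""
    credited = sum(proxy.storage["balances"].values())
    return max(0, credited - proxy.eth_held)


def replay(deposited_eth=17_000, planted_eth=1_000_000):
    """Plant under V1, upgrade to V2, let users deposit, then drain with V2's honest withdraw."""
    vault = Proxy(VaultV1)
    vault.call("set_balance", "attacker", "attacker", planted_eth)
    before_upgrade = phantom_balance(vault)       # the check already fires here
    vault.upgrade_to(VaultV2)                     # "fix" the code
    after_upgrade = phantom_balance(vault)        # ...but the planted slot survives
    vault.call("deposit", "user", value=deposited_eth)
    stolen = vault.call("withdraw", "attacker", deposited_eth)  # V2 honors the inherited balance
    return {
        "phantom_before_upgrade": before_upgrade,
        "phantom_after_upgrade": after_upgrade,
        "withdrawn": stolen,
        "left_in_contract": vault.eth_held,
    }


if __name__ == "__main__":
    print(replay())
```

The point the model makes is that the fix must be a storage migration (clear or re-derive the affected slots, or deploy behind a fresh proxy), not just a new implementation; the audited V2 code is correct and still pays the attacker, because it trusts the state it was handed.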
Thankfully, the story had a happy ending. After investigations uncovered the former developers’ roles in the hack, the rest of the Munchables team engaged in intense negotiations with them, after which the bad actors agreed to return the stolen funds.
$97 million secured in a multi-signature project by Blast core contributors. It’s been an incredible build-up in the background, but I’m grateful that the former munchables developer has ultimately chosen to return all funds without demanding any ransom. @_foods_ and protocols that integrate with it @meyve_suyu_finans…
— Pacman | Blur + Blast (@PacmanBlur) March 27, 2024
Case 3: Holy Pengy’s governance attacks
Governance attacks have also been a tactic used by these fake job applicants. One such perpetrator is allegedly Holy Pengy, who ZachXBT claims is the alias of Alex Chon, an infiltrator linked to the DPRK.
When a community member alerted users to a governance attack on the Indexed Finance treasury, which held $36,000 in DAI and approximately $48,000 in NDX, ZachXBT attributed the attack to Chon.
According to the on-chain researcher, Chon, whose GitHub profile features a Pudgy Penguins avatar, was regularly changing his username and was reportedly fired from at least two different positions due to questionable behavior.
In a previous message to ZachXBT, Chon, who goes by the pseudonym Pengy, described himself as a senior full-stack engineer specializing in frontend and Solidity. He claimed to be interested in ZachXBT’s project and wanted to join his team.
An address connected to him was determined to be behind both the Indexed Finance governance attack and an earlier attack on Relevant, a web3 news-sharing and discussion platform.
Case 4: Suspicious activity at Starlay Finance
In February 2024, Starlay Finance faced a serious security breach affecting its liquidity pool on the Acala Network. This incident led to unauthorized withdrawals, causing significant concern in the crypto community.
The lending platform attributed the breach to “abnormal behavior” in its liquidity index.
Security Incident Report: Anomaly and Exploit in USDC Pool
Executive Summary:
This report details a critical security incident that occurred in the USDC lending pool of the Starlay protocol on the Acala EVM platform. Due to the anomalous behavior, an exploit was detected and executed… https://t.co/8Q3od5g6Rc
— Starlay Finance🚀 (@starlay_fi) February 9, 2024
However, following this exploit, a crypto analyst posting on X under the username @mcbiblets expressed concerns about the Starlay Finance development team.
I looked into @starlay_fi too. There is something very suspicious about the event and the development team, David and Kevin.
It wouldn’t surprise me if they were responsible for the latest attack, and my intuition suggests they may have ties to the DPRK.
Here’s why 🧵
— McBiblets (@mcbiblets) March 16, 2024
As can be seen in the post above, McBiblets was particularly interested in two people named “David” and “Kevin.” The analyst discovered unusual patterns in their activities and contributions to the project’s GitHub.
Allegedly, David, who goes by the alias Wolfwarrier14, and Kevin, who goes by the alias devstar, appear to share links with other GitHub accounts, including silverstargh and TopDevBeast53.
McBiblets concluded that these similarities, combined with the Treasury Department’s warnings about DPRK-linked IT workers, suggest that the Starlay Finance incident may have been a coordinated effort by a small North Korea-linked infiltration group to exploit the project.
Implications for blockchain and the web3 industry
The apparent prevalence of suspected DPRK agents in key businesses poses significant risks to the blockchain and web3 sector, not just financial, but also potential data breaches, intellectual property theft, and sabotage.
For example, operators could potentially embed malicious code into blockchain projects, compromising the security and functionality of entire networks.
Crypto companies now face the challenge of rebuilding trust and reputation in their recruitment processes, and the financial impact is serious, with projects potentially losing millions of dollars to fraudulent activity.
Additionally, the U.S. government has noted that funds funneled through these operations often support North Korea’s nuclear ambitions, further complicating the geopolitical landscape.
Therefore, the industry needs to prioritize stricter vetting processes and better security measures to protect against such deceptive job-application tactics.
It is important that there is increased vigilance and collaboration across the industry to prevent these malicious activities and protect the integrity of the evolving blockchain and crypto ecosystem.