Exposed at Kraken: A North Korean Operative in Disguise
Kraken Detects Potential North Korean Infiltration Attempt by Job Applicant at Crypto Exchange
A routine job interview at crypto exchange Kraken turned into an undercover mission after a job candidate came under suspicion of being a North Korean spy. Instead of cancelling the process, Kraken decided to continue the interviews to gather intel on the operative's tactics.
The job posting was for a remote engineering role, but the hiring process soon transformed into a full-fledged intelligence-gathering operation, Kraken revealed in a blog post on Thursday.
North Korea's attempts to penetrate crypto and tech companies have become more brazen lately. The regime views the industry as a lucrative target. By placing spies within companies, it can access sensitive data and deploy ransomware or malicious code. Remote work and global hiring practices have made these operations easier to conceal, and North Korea has even created fake U.S. crypto firms to lure developers.
Catching the Spy
Red flags popped up immediately for Kraken. The candidate joined the initial video call using a name that did not match the one on their resume and changed it during the conversation. They also seemed to switch between different voices, suggesting real-time coaching.
Kraken had already received intelligence from partners about North Korean operatives trying to get jobs at crypto companies. One email used by the candidate matched addresses flagged by industry sources. An internal investigation linked the email to a larger network of aliases, some of which were already employed at other firms. One identity was tied to a sanctioned foreign agent.
The GitHub profile listed on the resume was associated with an email that had been exposed in a previous data breach. The ID submitted during the process appeared to be forged and might have used stolen information from a previous identity theft case.
The applicant used a colocated remote Mac desktop accessed via VPN to mask their location.
During the final interview with Nick Percoco, Kraken's Chief Security Officer, and other team members, Kraken introduced sudden verification requests, such as showing a government ID, confirming their city of residence, and naming local restaurants. The candidate faltered under the questioning, panicking and struggling to answer basic questions about their city of residence or country of citizenship.
Unsurprisingly, Kraken decided against offering the position.
Kraken emphasized the importance of companies staying vigilant against sophisticated, state-sponsored infiltration attempts. "Don't trust, verify. This core crypto principle is more relevant than ever in the digital age," said Percoco. "State-sponsored attacks aren't just a crypto or U.S. corporate issue - they're a global threat."
Edited by Sebastian Sinclair
More on North Korean Infiltration Tactics and Red Flags
North Korean operatives often use synthetic identities and deepfakes during IT job interviews to bypass security checks. It's crucial for companies to remain vigilant and employ verification methods, such as mandatory camera-on interviews, geolocation checks, coding tests, and ethical questions to identify potential spies.
- North Korea tries to infiltrate crypto exchanges like Kraken to access sensitive data and deploy ransomware, and a typical job interview at these platforms can transform into an intelligence-gathering operation.
- The job candidate at Kraken, who showed red flags such as using a name different from the one on their resume during the interview, was revealed to have an email address that matched those flagged by industry sources.
- The internal investigation at Kraken linked the email used by the candidate to a larger network of aliases, some of which were already employed at other firms, and one identity was tied to a sanctioned foreign agent.
- The GitHub profile listed on the resume was associated with an email that had been exposed in a previous data breach, while the ID submitted during the process appeared to be forged and might have used stolen information from a previous identity theft case.
- To mask their location, the applicant used a colocated remote Mac desktop accessed via VPN, but during the final interview, they faltered under questioning about basic details like their city of residence or country of citizenship.
- With such instances of North Korean infiltration tactics becoming more sophisticated, it's essential for companies to stay vigilant, employing verification methods such as mandatory camera-on interviews, geolocation checks, coding tests, and ethical questions to identify potential spies.
