North Korean Operative Exposed During Kraken Exchange Job Interview

TLDR North Korean actor attempted to infiltrate Kraken by applying for an engineering position Kraken received industry tip-off about suspicious emails linked to the hacker The applicant used fake identities, altered documents, and appeared to be coached during interviews Kraken deliberately continued the hiring process to gather intelligence on hacking tactics This incident highlights North Korea’s ongoing efforts to target crypto companies for financial gain North Korean hackers are getting creative in their attempts to infiltrate crypto companies, as demonstrated by a recent job application at Kraken exchange. The US-based crypto exchange revealed that it identified and tracked a North Korean operative who applied for an engineering role at the company. In a blog post published on May 1, Kraken detailed how what began as a standard hiring process quickly evolved into an intelligence-gathering operation. The company decided to advance the suspicious candidate through its hiring process after noticing several red flags. The first warning signs appeared early in the interview process. The applicant joined video calls using a name different from what was on their application. During the calls, they “occasionally switched between voices,” suggesting they were being coached in real-time by others. Rather than immediately rejecting the applicant, Kraken made the strategic decision to continue the process. This allowed them to collect valuable information about the tactics being used by the state-sponsored actor. Sophisticated Deception Methods The deception was uncovered thanks to a tip from industry partners who had warned that North Korean operatives were actively seeking employment at crypto companies. Kraken received a list of suspicious email addresses, and one matched the candidate’s application email. With this lead, Kraken’s security team uncovered a network of fake identities used by the hacker. These identities had been used to apply to multiple companies in the industry. Kraken CSO @c7five recently spoke to @CBSNews about how a North Korean operative unsuccessfully attempted to get a job at Kraken. Don’t trust. Verify pic.twitter.com/1vVo3perH2 — Kraken Exchange (@krakenfx) May 1, 2025 Technical inconsistencies further exposed the scheme. The applicant used remote Mac desktops accessed through VPNs to hide their true location. The identification documents they provided appeared to be altered, likely using details stolen in a previous identity theft case. The GitHub profile linked to the applicant’s resume contained an email address that had been exposed in a previous data breach. This created another connection to the suspicious activity. During final interviews, Kraken Chief Security Officer Nick Percoco conducted impromptu identity verification tests. These included asking the candidate to show government ID, verify their city of residence, and name local restaurants from their supposed location. “At this point, the candidate unraveled,” Kraken stated in their blog post. “Flustered and caught off guard, they struggled with the basic verification tests and couldn’t convincingly answer real-time questions.” Broader Threat Landscape The infiltration attempt comes amid heightened cyber activity from North Korea. International sanctions have effectively cut the country off from the global financial system, pushing the regime to target crypto as an alternative source of funds. North Korean hackers have stolen billions worth of cryptocurrency this year alone. The Lazarus Group, a hacking collective affiliated with North Korea, was responsible for February’s $1.4 billion Bybit exchange hack, which stands as the largest crypto theft in industry history. In April, a subgroup of Lazarus was found to have established three shell companies, including two in the US. These entities were created to deliver malware to unsuspecting users and scam crypto developers. According to a January statement released by the US, Japan, and South Korea, North Korean-linked hackers stole more than $650 million through multiple crypto heists during 2024. They’ve also deployed IT workers to infiltrate blockchain and crypto companies as insider threats. The remote work trend has made it easier for such operatives to conceal their identities and locations. By embedding agents inside firms, the regime gains access to sensitive data and can deploy ransomware or malicious code. “Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age,” said Percoco. “State-sponsored attacks aren’t just a crypto or US corporate issue — they’re a global threat.” Kraken’s investigation underscores the need for companies to maintain vigilant hiring practices, particularly as state-sponsored actors become increasingly sophisticated in their infiltration attempts. Source: https://blockonomi.com/north-korean-operative-exposed-during-kraken-exchange-job-interview/