Etiket: Hack

The crypto company Truflation was still in its early stages in 2023 when founder Stefan Rust unknowingly hired his first North Korean employee.

“We were always looking for good developers,” Rust said from his home in Switzerland. Out of the blue, “this one developer came across the line.”

“Ryuhei” sent his resume over Telegram and claimed he was based in Japan. Soon after he was hired, odd inconsistencies began to surface.

At one point, “I’m talking to the guy, and he said he was in an earthquake,” Rust recalled. Except there was no recent earthquake in Japan. Then the employee started missing calls, and when he did show up, “it wasn’t him,” Rust said. “It was somebody else.” Whoever it was had dropped the Japanese accent.

Rust would soon learn that “Ryuhei” and four other employees – more than a third of his entire team – were North Korean. Unwittingly, Rust had fallen prey to a coordinated scheme by North Korea to secure remote overseas jobs for its people and funnel the earnings back to Pyongyang.

U.S. authorities have intensified their warnings recently that North Korean information technology (IT) workers are infiltrating tech companies, including crypto employers, and using the proceeds to fund the pariah state’s nuclear weapons program. According to a 2024 United Nations report, these IT workers rake in as much as $600 million annually for Kim Jon Un’s regime.

Hiring and paying the workers – even inadvertently – violates U.N. sanctions and is illegal in the U.S. and numerous other countries. It also presents a grave security risk, because North Korean hackers have been known to target companies through covert workers.

A CoinDesk investigation now reveals just how aggressively and frequently North Korean job applicants have targeted crypto companies in particular – successfully navigating interviews, passing reference checks, even presenting impressive histories of code contributions on the open-source software repository GitHub.

CoinDesk spoke to more than a dozen crypto companies that said they inadvertently hired IT workers from the Democratic People’s Republic of Korea (DPRK), as the nation is officially called.

These interviews with founders, blockchain researchers and industry experts reveal that North Korean IT workers are far more prevalent in the crypto industry than previously thought. Virtually every hiring manager approached by CoinDesk for this story acknowledged that they had interviewed suspected North Korean developers, hired them unwittingly, or knew someone who had.

“The percentage of your incoming resumes, or people asking for jobs, or wanting to contribute – any of that stuff – that are probably from North Korea is greater than 50% across the entire crypto industry,” said Zaki Manian, a prominent blockchain developer who says he inadvertently hired two DPRK IT workers to help develop the Cosmos Hub blockchain in 2021. “Everyone is struggling to filter out these people.”

Among the unwitting DPRK employers identified by CoinDesk were several well-established blockchain projects, such as Cosmos Hub, Injective, ZeroLend, Fantom, Sushi and Yearn Finance. “This has all been happening behind the scenes,” said Manian.

This investigation marks the first time any of these companies have publicly acknowledged that they inadvertently hired DPRK IT workers.

In many cases, North Korean workers conducted their work just like typical employees; so the employers mostly got what they paid for, in a sense. But CoinDesk found evidence of workers subsequently funneling their wages to blockchain addresses linked to the North Korean government.

CoinDesk’s investigation also revealed several instances where crypto projects that employed DPRK IT workers later fell victim to hacks. In some of those cases, CoinDesk was able to link the heists directly to suspected DPRK IT workers on a firm’s payroll. Such was the case with Sushi, a prominent decentralized finance protocol that lost $3 million in a 2021 hacking incident.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Department of Justice began publicizing North Korean attempts to infiltrate the U.S. crypto industry in 2022. CoinDesk uncovered evidence that DPRK IT workers started working at crypto companies under fake identities well before then, at least as early as 2018.

“A lot of people, I think, are under the mistaken impression that this is something new that suddenly happened,” said Manian. “There are GitHub accounts and other things with these people that, like, go back to 2016, 2017, 2018.” (GitHub, owned by Microsoft, is the online platform that many software organizations use to host code and allow developers to collaborate.)

CoinDesk linked DPRK IT workers to companies using various methods, including blockchain payment records, public GitHub code contributions, emails from U.S. government officials and interviews directly with target companies. One of the largest North Korean payment networks examined by CoinDesk was uncovered by ZachXBT, a blockchain investigator who published a list of suspected DPRK developers in August.

Previously, employers remained silent due to concerns about unwanted publicity or legal repercussions. Now, confronted with extensive payment records and other evidence unearthed by CoinDesk, many of them have decided to come forward and share their stories for the first time, exposing the overwhelming success and scale of North Korea’s efforts to penetrate the crypto industry.

After hiring Ryuhei, the ostensibly Japanese employee, Rust’s Truflation received a flood of new applicants. Over just a few months, Rust unwittingly hired four more DPRK developers who said they were based in Montreal, Vancouver, Houston and Singapore.

The crypto sector is especially ripe for sabotage by North Korean IT workers. The workforce is particularly global, and crypto companies tend to be more comfortable than others hiring fully remote – even anonymous – developers.

CoinDesk reviewed DPRK job applications that crypto companies received from a variety of sources, including messaging platforms like Telegram and Discord, crypto-specific job boards like Crypto Jobs List, and hiring sites like Indeed.

“Where they’re having the most luck getting hired is these really fresh, new upstart teams who are willing to hire off a Discord,” said Taylor Monahan, a product manager at the crypto wallet app MetaMask who frequently publishes security research related to North Korean crypto activity. “They don’t have processes in place to hire people with background checks. They’re willing to pay in crypto a lot of times.”

Rust said he had conducted his own background checks on all of Truflation’s new hires. “They sent us their passports and ID cards, gave us GitHub repos, went through a test, and then, basically, we brought them on.”

To the untrained eye, most of the forged documents look indistinguishable from authentic passports and visas, though experts told CoinDesk that they probably would have been caught by professional background-checking services.

Although startups are less likely to use professional background checkers, “we do see North Korean IT workers at bigger companies as well, either as real employees or at least as contractors,” said Monahan.

In many cases, CoinDesk discovered DPRK IT workers at companies using publicly available blockchain data.

In 2021, Manian, the blockchain developer, needed some help at his company, Iqlusion. He sought out freelance coders who might be able to help with a project to upgrade the popular Cosmos Hub blockchain. He found two recruits; they delivered capably.

Manian never met the freelancers, “Jun Kai” and “Sarawut Sanit,” in person. They had previously worked together on an open-source software project funded by THORChain, a closely affiliated blockchain network, and they told Manian they were based in Singapore.

“I talked to them almost every day for a year,” said Manian. “They did the work. And I was, frankly, pretty pleased.”

Two years after the freelancers completed their work, Manian received an email from an FBI agent investigating token transfers that appeared to have come from Iqlusion en route to suspected North Korean crypto wallet addresses. The transfers in question turned out to be Iqlusion’s payments to Kai and Sanit.

The FBI never confirmed to Manian that the developers he’d contracted were agents of the DPRK, but CoinDesk’s review of Kai and Sanit’s blockchain addresses showed that throughout 2021 and 2022, they funneled their earnings to two individuals on OFAC’s sanctions list: Kim Sang Man and Sim Hyon Sop.

Acording to OFAC, Sim is a representative for Kwangson Banking Corp, a North Korean bank that launders IT worker funds to help “finance the DPRK’s WMD and ballistic missile programs.” Sarawut appears to have funneled all of his earnings to Sim and other Sim-linked blockchain wallets.

Kai, meanwhile, funneled nearly $8 million directly to Kim. According to a 2023 OFAC advisory, Kim is a representative for the DPRK-operated Chinyong Information Technology Cooperation Company, which, “by way of companies under its control and their representatives, employs delegations of DPRK IT workers that operate in Russia and Laos.”

Iqlusion’s wages to Kai accounted for less than $50,000 of the nearly $8 million he sent to Kim, and some of the remaining funds came from other crypto companies.

For example, CoinDesk discovered payments from the Fantom Foundation, which develops the widely-used Fantom blockchain, to “Jun Kai” and another DPRK-linked developer.

“Fantom did identify two external personnel as being involved with North Korea in 2021,” a Fantom Foundation spokesperson told CoinDesk. “However, the developers in question worked on an external project that was never finished and never deployed.”

According to the Fantom Foundation, “The two individuals in question were terminated, never contributed any malicious code nor ever had access to Fantom’s codebase, and no users of Fantom were impacted.” One of the DPRK workers attempted to attack Fantom’s servers but failed because he lacked the requisite access, according to the spokesperson.

According to the OpenSanctions database, Kim’s DPRK-linked blockchain addresses were not published by any governments until May 2023 – more than two years after Iqlusion and Fantom made their payments.

The U.S. and the UN sanctioned the hiring of DPRK IT workers in 2016 and 2017, respectively.

It is illegal to pay North Korean workers in the U.S. whether you know you’re doing it or not—a legal concept called “strict liability.”

It doesn’t necessarily matter where a company is based, either: Hiring workers from the DPRK can carry legal risks for any company that does business in countries that enforce sanctions against North Korea.

However, the U.S. and other U.N. member states have yet to prosecute a crypto company for hiring North Korean IT workers.

The U.S. Treasury Department opened an inquiry into Iqlusion, which is based in the U.S., but Manian says the investigation concluded without any penalties.

U.S. authorities have been lenient about bringing charges against the firms – on some level acknowledging that they were victims of, at best, an unusually elaborate and sophisticated type of identity fraud, or, at worst, a long con of the most humiliating sort.

Legal risks aside, paying DPRK IT workers is also “bad because you’re paying people that are basically being exploited by the regime,” explained MetaMask’s Monahan.

According to the UN Security Council’s 615-page report, DPRK IT workers only keep a small portion of their paychecks. “Lower earners keep 10 percent while the highest earners could keep 30 percent, ” the report states.

While these wages might still be high relative to the average in North Korea, “I don’t care where they live,” said Monahan. “If I am paying someone and they’re literally being forced to send their entire paycheck to their boss, that would make me very uncomfortable. It would make me more uncomfortable if their boss is, you know, the North Korean regime.”

CoinDesk reached out to multiple suspected DPRK IT workers over the course of reporting but did not hear back.

CoinDesk identified more than two dozen companies that employed possible DPRK IT workers by analyzing blockchain payment records to OFAC-sanctioned entities. Twelve companies presented with the records confirmed to CoinDesk that they had previously discovered suspected DPRK IT workers on their payrolls.

Some declined to comment further for fear of legal repercussions, but others agreed to share their stories with the hope that others could learn from their experiences.

In many cases, DPRK employees proved easier to identify after they’d been hired.

Eric Chen, CEO of Injective, a decentralized finance-focused project, said that he contracted a freelance developer in 2020 but quickly fired him for underperformance.

“He didn’t last long,” said Chen. “He was writing crappy code that didn’t work well.” It wasn’t until this past year, when a U.S. “government agency” reached out to Injective, that Chen learned the employee was linked to North Korea.

Several companies told CoinDesk that they fired an employee before even knowing about any links to the DPRK – say, due to substandard work.

However, DPRK IT workers are similar to typical developers in that their aptitudes can vary.

On the one hand, you’ll have employees who “show up, get through an interview process, and just milk payroll for a few months of salary,” said Manian. “There’s also another side of it, which is you encounter these people who, when you interview them, their actual technical chops are really strong.”

Rust recalled having “one really good developer” at Truflation who claimed he was from Vancouver but turned out to be from North Korea. “He was really a young kid,” Rust said. “It felt like he was just out of college. A bit green behind the ears, super keen, really excited to be working on an opportunity.”

In another instance, Cluster, a decentralized finance startup, fired two developers in August after ZachXBT reached out with evidence that they were linked to the DPRK.

“It’s actually crazy how much these guys knew,” Cluster’s pseudonymous founder, z3n, told CoinDesk. In retrospect, there were some “clear red flags.” For example, “every two weeks they changed their payment address, and every month or so they would change their Discord name or Telegram name.”

In conversations with CoinDesk, many employers said they noticed abnormalities that made more sense when they learned that their employees were probably North Korean.

Sometimes the hints were subtle, like employees working hours that didn’t match their supposed work location.

Other employers, like Truflation, noticed hints that an employee was multiple people masquerading as a single individual – something the employee would try to hide by keeping his webcam off. (They’re almost always men).

One company hired an employee who showed up for meetings in the morning but would seem to forget everything that was discussed later on in the day – a quirk that made more sense when the employer realized she’d been speaking to multiple people.

When Rust brought his concerns about Ryuhei, his “Japanese” employee, to an investor with experience tracking criminal payment networks, the investor quickly identified the four other suspected DPRK IT workers on Truflation’s payroll.

“We immediately cut our ties,” Rust said, adding that his team conducted a security audit of its code, enhanced its background-checking processes and changed certain policies. One new policy was to require remote workers to turn on their cameras.

Many of the employers consulted by CoinDesk were under the mistaken impression that DPRK IT workers operate independently from North Korea’s hacking arm, but blockchain data and conversations with experts reveal that the regime’s hacking activities and IT workers are frequently linked.

In September 2021, MISO, a platform built by Sushi for launching crypto tokens, lost $3 million in a widely reported heist. CoinDesk found evidence that the attack was linked to Sushi’s hiring of two developers with blockchain payment records connected to North Korea.

At the time of the hack, Sushi was one of the most-talked-about platforms in the emerging world of decentralized finance (DeFi). More than $5 billion had been deposited into SushiSwap, which mainly serves as a “decentralized exchange” for people to swap between cryptocurrencies without intermediaries.

Joseph Delong, Sushi’s chief technology officer at the time, traced the MISO heist to two freelance developers who helped to build it: individuals using the names Anthony Keller and Sava Grujic. Delong said the developers – who he now suspects were a single person or organization – injected malicious code into the MISO platform, redirecting funds to a wallet they controlled.

When Keller and Grujic were contracted by Sushi DAO, the decentralized autonomous organization that governs the Sushi protocol, they supplied credentials that seemed typical enough – even impressive – for entry-level developers.

Keller operated under the pseudonym “eratos1122” in public, but when he applied to work on MISO he used what appeared to be his real name, “Anthony Keller.” In a resume that Delong shared with CoinDesk, Keller claimed to reside in Gainesville, Georgia, and to have graduated from the University of Phoenix with a bachelor’s degree in computer engineering. (The university didn’t respond to a request for confirmation of whether there was a graduate by that name.)

Keller’s resume included genuine references to previous work. Among the most impressive was Yearn Finance, an extremely popular crypto investment protocol that offers users a way to earn interest across a range of pre-made investment strategies. Banteg, a core developer at Yearn, confirmed that Keller worked on Coordinape, an app built by Yearn to help teams collaborate and facilitate payments. (Banteg says Keller’s work was restricted to Coordinape and he didn’t have access to Yearn’s core codebase.)

Keller referred Grujic to MISO and the two presented themselves as “friends,” according to Delong. Like Keller, Grujic supplied a resume with his supposed real name rather than his online pseudonym, “AristoK3.” He claimed to be from Serbia and a graduate of the University of Belgrade with a bachelor’s degree in computer science. His GitHub account was active, and his resume listed experience with several smaller crypto projects and gaming startups.

Rachel Chu, a former core developer at Sushi who worked closely with Keller and Grujic before the heist, said she was already “suspicious” of the pair before any hack had taken place.

Despite claiming to be based across the globe from one another, Grujic and Keller “had the same accent” and the “same way of texting,” said Chu. “Every time we talked, they’d have some background noise, like they’re in a factory,” she added. Chu recalled seeing Keller’s face but never Grujic’s. According to Chu, Keller’s camera was “zoomed in” so that she couldn’t ever make out what was behind him.

Keller and Grujic eventually stopped contributing to MISO around the same time. “We think that Anthony and Sava are the same guy,” said Delong, “so we stop paying them.” This was the height of the COVID-19 pandemic, and it was not unheard of for remote crypto developers to masquerade as multiple people to extract extra money from payroll.

After Keller and Grujic were let go in the summer of 2021, the Sushi team neglected to revoke their access to the MISO codebase.

On Sept. 2, Grujic committed malicious code to the MISO platform under his “Aristok3” screen name, redirecting $3 million to a new cryptocurrency wallet, based on a screenshot provided to CoinDesk.

CoinDesk’s analysis of blockchain payment records suggests a potential link between Keller, Grujic and North Korea. In March 2021, Keller posted a blockchain address in a now-deleted tweet. CoinDesk discovered multiple payments between this address, Grujic’s hacker address and the addresses Sushi had on file for Keller. Sushi’s internal investigation ultimately concluded that the address belonged to Keller, according to Delong.

CoinDesk found that the address in question sent most of its funds to “Jun Kai” (the Iqlusion developer who sent money to the OFAC-sanctioned Kim Sang Man) and another wallet that appears to serve as a DPRK proxy (because it, too, paid Kim).

Lending further credence to the theory that Keller and Grujic were North Korean, Sushi’s internal investigation found that the pair frequently operated using IP addresses in Russia, which is where OFAC says North Korea’s DPRK IT workers are sometimes based. (The U.S. phone number on Keller’s resume is out of service, and his “eratos1122” Github and Twitter accounts have been deleted.)

Additionally, CoinDesk discovered evidence that Sushi employed another suspected DPRK IT contractor at the same time as Keller and Grujic. The developer, identified by ZachXBT as “Gary Lee,” coded under the pseudonym LightFury and funneled his earnings to “Jun Kai” and another Kim-linked proxy address.

After Sushi publicly pinned the attack on Keller’s pseudonym, “eratos1122,” and threatened to involve the FBI, Grujic returned the stolen funds. While it might seem counterintuitive that a DPRK IT worker would care about protecting a fake identity, DPRK IT workers seem to reuse certain names and build up their reputations over time by contributing to many projects, perhaps as a way to earn credibility with future employers.

Someone might have decided that protecting the Anthony Keller alias was more lucrative in the long run: In 2023, two years after the Sushi incident, someone named “Anthony Keller” applied to Truflation, Stefan Rust’s company.

Attempts to contact “Anthony Keller” and “Sava Grujic” for comment were unsuccessful.

North Korea has stolen more than $3 billion in cryptocurrency through hacks over the past seven years, according to the UN. Of the hacks that blockchain analysis firm Chainalysis has tracked in the first half of 2023 and which it believes are connected to the DPRK, “approximately half of them involved IT worker-related theft,” said Madeleine Kennedy, a spokesperson for the firm.

North Korean cyberattacks don’t tend to resemble the Hollywood version of hacking, where hoodie-wearing programmers break into mainframes using sophisticated computer code and black-and-green computer terminals.

DPRK-style attacks are decidedly lower-tech. They usually involve some version of social engineering, where the attacker earns the trust of a victim who holds the keys to a system and then extracts those keys directly through something as simple as a malicious email link.

“To date, we have never seen DPRK do, like, a real exploit,” said Monahan. “It’s always: social engineering, and then compromise the device, and then compromise the private keys.”

IT workers are well-placed to contribute to DPRK heists, either by extracting personal information that could be used to sabotage a potential target or by gaining direct access to software systems flush with digital cash.

On Sept. 25, as this article was nearing publication, CoinDesk was scheduled for a video call with Truflation’s Rust. The plan was to fact-check some details he had shared previously.

A flustered Rust joined the call 15 minutes late. He’d just been hacked.

CoinDesk reached out to more than two dozen projects that appeared to have been duped into hiring DPRK IT workers. In the final two weeks of reporting alone, two of those projects were hacked: Truflation and a crypto borrowing app called Delta Prime.

It’s too early to determine if either hack was directly connected to any inadvertent hiring of DPRK IT workers.

Delta Prime was breached first, on Sept. 16. CoinDesk had previously uncovered payments and code contributions connecting Delta Prime to Naoki Murano, one of the DPRK-linked developers publicized by ZachXBT, the pseudonymous blockchain sleuth.

The project lost more than $7 million, officially because of “a compromised private key.” Delta Prime did not respond to numerous requests for comment.

The Truflation hack followed less than two weeks later. Rust noticed funds streaming out of his crypto wallet around two hours before the call with CoinDesk. He had just returned home from a trip to Singapore and was scrambling to make sense of what he’d done wrong. “I just have no idea how it happened,” he said. “I had my notebooks all locked up in the safe in the wall in my hotel. I had my mobile with me the whole time.”

Millions of dollars were leaving Rust’s personal blockchain wallets as he was speaking. “I mean, that really sucks. That’s my kids’ school; pension fees.”

Truflation and Rust ultimately lost around $5 million. The official cause was a stolen private key.