North Korean Crypto Infiltration Threatens Global Security: Insights from SEAL Member & Expert Analysis

North Korean crypto infiltration is much worse than everyone thinks, says SEAL member – DL News

North Korea’s Deep Roots in the Crypto Sector

North Korean operatives have reportedly infiltrated between 15% to 20% of all cryptocurrency companies, with estimates suggesting they may control as much as 30% to 40% of all crypto applications. This alarming information was revealed by Pablo Sabbatella, founder of a web3 auditing firm and a member of the Security Alliance, during a presentation at Devconnect in Buenos Aires. Sabbatella emphasized the severity of the situation, stating, “North Korea is much worse than everybody thinks,” in an interview with DL News. The implications of these figures could be catastrophic, extending beyond mere theft to include the hiring of workers within legitimate firms, who then gain access to critical systems and infrastructure that support major players in the cryptocurrency market.

The Scale of North Korean Cyber Theft

According to the U.S. Treasury Department, North Korean hackers have pilfered over $3 billion worth of cryptocurrency within the last three years, utilizing advanced malware and social engineering techniques. These funds are allegedly funneled into supporting North Korea’s nuclear weapons initiatives, highlighting the serious geopolitical ramifications of this infiltration.

Recruitment Tactics of North Korean Operatives

Most North Korean operatives do not apply for jobs directly due to international sanctions that restrict their movements. Instead, they employ a network of unwitting remote workers worldwide to serve as fronts. These operatives often masquerade as recruiters, luring individuals from countries such as Ukraine and the Philippines through freelance platforms like Upwork and Freelancer. The arrangement is straightforward: the collaborator provides access to their verified account credentials or allows the North Korean operative to use their identity remotely, in exchange for a share of the earnings—typically 20%, while the North Korean operative retains the remaining 80%.

Targeting the United States

Many North Korean hackers specifically target U.S. companies. Sabbatella explained that they seek individuals in the U.S. to act as their “front-end,” posing as someone from China who is not proficient in English and needs to secure an interview. Once they establish a connection, they can infect the front person’s computer with malware, thereby gaining access to a U.S. IP address, which allows them to bypass restrictions they face from North Korea. Once integrated into companies, these operatives tend to be retained due to their productivity and reliability. “They work well, they work a lot, and they never complain,” Sabbatella stated.

Identifying North Korean Hackers

But how can companies discern whether they are unwittingly employing a North Korean hacker? Sabbatella suggests a straightforward test: ask them to share their views on Kim Jong Un. “They aren’t allowed to say anything bad,” he noted, which can be a telling sign of their true affiliations.

Operational Security Challenges in Crypto

North Korea’s success in these criminal activities is not solely due to sophisticated social engineering; its operatives also exploit weak operational security among cryptocurrency firms and their users. Sabbatella criticized the crypto industry for having what he calls “the worst opsec in the entire computer industry.” He pointed out that many crypto founders are easily identifiable, poorly manage their private keys, and frequently fall victim to social engineering tactics. Operational security, often abbreviated to OPSEC, refers to systematic methods for safeguarding critical information from adversaries. A lack of adequate operational security creates an environment where “every single person’s computer is going to get infected with malware at some point in their lives,” Sabbatella warned.