CoinDesk has uncovered a troubling trend in the cryptocurrency sector, revealing that numerous companies have unknowingly employed IT professionals from North Korea (officially the Democratic People’s Republic of Korea, or DPRK). Among the notable organizations implicated are prominent blockchain projects such as Injective, ZeroLend, Fantom, Sushi, Yearn Finance, and Cosmos Hub. These workers managed to deceive hiring managers using counterfeit identification, successfully clearing interviews and reference checks while providing credible work histories.
### Legal and Security Concerns
Employing workers from North Korea violates sanctions imposed by the United States and other nations. It also poses significant security threats, as evidenced by instances where firms employing DPRK IT staff later experienced hacking incidents. Zaki Manian, a recognized blockchain developer, shared his experience of inadvertently hiring two North Korean IT workers for the Cosmos Hub blockchain in 2021, emphasizing the challenges companies face in identifying these individuals.
### An Unexpected Hire
Stefan Rust, founder of the crypto company Truflation, recounted his experience of hiring a North Korean employee under the alias “Ryuhei,” who claimed to be located in Japan. Once the employee was onboarded, Rust noted several discrepancies, including the employee’s inconsistent claims and missed communications. Ultimately, he discovered that “Ryuhei” and several other hires were from North Korea, part of a broader scheme by the regime to secure foreign employment and redirect earnings to Pyongyang.
### Financial Implications
Recent warnings from U.S. authorities highlight the infiltration of tech companies, including those in the cryptocurrency sector, by North Korean IT workers, who reportedly generate up to $600 million each year to support the regime’s nuclear ambitions. Hiring such workers, even unknowingly, is illegal under U.N. sanctions and poses a serious security risk, as North Korean hackers are known to exploit companies through covert employment.
### A Growing Problem
CoinDesk’s investigation suggests that North Korean job applicants are notably targeting the cryptocurrency industry, successfully navigating hiring processes while often boasting impressive coding backgrounds visible on platforms like GitHub. Interviews with over a dozen cryptocurrency firms revealed that many have unintentionally hired DPRK IT staff, with Zaki Manian estimating that over half of the resumes received in the sector could be from North Korea.
### Behind the Scenes
This investigation marks a significant acknowledgment by various blockchain projects that they inadvertently employed DPRK IT workers. Although these workers functioned much like typical employees, some were found to be transferring their earnings to government-associated blockchain addresses, raising further concerns about the implications of hiring such individuals.
### Hacking Incidents
CoinDesk’s research indicates that companies that employed DPRK IT workers often became targets for hacks. A notable case involved Sushi, a decentralized finance protocol that lost $3 million to a cyberattack in 2021, which was linked to its hiring of developers with ties to North Korea.
### Regulatory Inaction
Despite the legal risks associated with hiring DPRK workers, the U.S. and U.N. have yet to prosecute any cryptocurrency companies for this issue. While the U.S. Treasury Department initiated an inquiry into Iqlusion, a firm based in the U.S., it reportedly concluded without imposing penalties. Authorities seem to recognize that these companies are victims of a sophisticated identity fraud scheme.
### Exploitation of Workers
Paying North Korean IT workers not only poses legal challenges but also raises ethical concerns, as many of these individuals receive only a fraction of their earnings due to the oppressive nature of the regime. A report by the U.N. Security Council noted that lower earners retain just 10% of their salaries, while higher earners may keep up to 30%. This exploitation raises significant moral questions about the implications of hiring such workers.
### Acknowledging the Issue
CoinDesk’s analysis identified over two dozen companies that have employed potential DPRK IT workers, with many coming forward after being presented with blockchain payment evidence. Some companies had previously terminated these employees due to unsatisfactory work quality, only to later discover their connections to North Korea.
### Varied Work Ethics
The capabilities of DPRK IT workers vary significantly. While some may exploit their positions, others demonstrate considerable technical skills. Rust reflected on hiring a talented developer who turned out to be North Korean, emphasizing the diverse skill sets within this group.
### Unusual Behavior
Employers reported odd behaviors among DPRK hires that became more apparent once they learned of the workers’ origins. These included inconsistent work hours and attempts to conceal identities, such as keeping webcams off during meetings. Rust’s concerns about his North Korean employee led to a comprehensive security audit and changes in hiring protocols.
### Linked to High-Profile Hacks
Many companies have mistakenly believed that DPRK IT workers operate independently from the regime’s hacking efforts. However, evidence suggests that some of these workers are actively involved in high-profile heists, including a notable $3 million theft from Sushi linked to developers with connections to North Korea.
### Methods of Attack
North Korea has reportedly stolen over $3 billion in cryptocurrency through various hacking methods, primarily relying on social engineering rather than sophisticated cyber techniques. IT workers are in a prime position to facilitate DPRK heists, either by extracting sensitive information or gaining direct access to digital assets.
### Recent Developments
As CoinDesk was finalizing this report, Truflation’s Rust experienced a hacking incident, further underscoring the ongoing risk associated with employing DPRK IT workers. The breach resulted in a significant financial loss, raising questions about the security vulnerabilities linked to inadvertently hiring such employees.