North Korean cybercriminals are targeting jobs listed on LinkedIn and Indeed to plagiarize resumes and other people’s profiles to land remote work at crypto firms, according to a Bloomberg report citing security researchers at Mandiant.
The objective is to access these firms’ internal operations and gather intelligence about upcoming trends, including those related to Ethereum network development, non-fungible tokens (NFTs) and potential security lapses.
According to Mandiant, the suspected hackers were also spotted on the popular coding site GitHub, where developers publicly discuss goings-on in the industry.
This information is allegedly helping North Korean hackers to launder cryptocurrencies that can later be used by the Pyongyang regime to evade Western sanctions.
“It comes down to insider threats,” Joe Dobson, a principal analyst at Mandiant, told Bloomberg. “If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.”
One such job seeker the researchers identified last month claimed to be an “innovative and strategic thinking professional” in the tech industry and an experienced software developer.
Mandiant said it had identified multiple North Koreans on employment websites who have successfully been hired as freelancers. The researchers declined to name the employers.
According to Mandiant analyst Michael Barnhart, "these are North Koreans trying to get hired and get to a place where they can funnel money back to the regime."
North Korea, crypto and hacks
Although the North Korean government has repeatedly denied involvement in any cyber-related theft, U.S. government agencies, including the Department of State and the FBI, earlier this year warned businesses against unintentionally hiring freelancers from North Korea, as they were potentially obfuscating their true identities and ties to the government of the DPRK.
A joint release from U.S. government agencies in May indicated that North Korean “IT workers are located primarily in… China and Russia, with a smaller number in Africa and Southeast Asia,” and “often rely on their overseas contacts to obtain freelance jobs for them and to interface more directly with customers.”
The U.S. government issued a similar warning in April, saying that it “has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry.”
The report specifically cited several target areas of the industry, including exchanges, decentralized finance (DeFi) protocols, venture capital funds, and individual holders of large amounts of crypto-related assets such as tokens or NFTs.
In April, the U.S. government concluded that Lazarus, a “state-sponsored hacking organization” with ties to the North Korean government, was behind the $622 million hack of the cross-chain Ronin bridge used by the play-to-earn game Axie Infinity.
Analytics firm Elliptic also suggested that North Korean hackers were the most likely culprits in a $100 million hack of the Harmony Protocol in June.