Here’s how North Korean operatives are trying to infiltrate US crypto firms


The man on the other end, an FBI agent, told Devin that the seemingly legitimate software developer he’d hired the previous summer was a North Korean operative who’d sent tens of thousands of dollars of his salary to the country’s authoritarian regime.

Stunned, Devin hung up and immediately cut the employee off from company accounts, he said.

“He was a good contributor,” Devin lamented, puzzled by the man who had claimed to be Chinese and passed multiple rounds of interviews to get hired. (CNN is using a pseudonym for Devin to protect the identity of his company.)

North Korean government-backed hackers have stolen the equivalent of billions of dollars in recent years by raiding cryptocurrency exchanges, according to the United Nations. In some cases, they’ve been able to nab hundreds of millions of dollars in a single heist, the FBI and private investigators say.

Now, US federal investigators are publicly warning about a key pillar of the North Korean strategy, in which the regime places operatives in tech jobs throughout the information technology industry.

The FBI, Treasury and State departments issued a rare public advisory in May about thousands of “highly skilled” IT personnel who provide Pyongyang with “a critical stream of revenue” that helps bankroll the regime’s “highest economic and security priorities.”

It’s an elaborate money-making scheme that relies on front companies, contractors and deception to prey on a volatile industry that is always on the hunt for top talent. North Korean tech workers can earn more than $300,000 annually — hundreds of times the average income of a North Korean citizen — and up to 90% of their wages go to the regime, according to the US advisory.

“(The North Koreans) take this very seriously,” said Soo Kim, a former North Korea analyst at the CIA. “It’s not just some rando in his basement trying to mine cryptocurrency,” she added, referring to the process of generating digital money. “It’s a way of life.”

The value of cryptocurrency has plummeted in recent months, depleting the North Korean loot by many millions of dollars. According to Chainalysis, a firm that tracks digital currency, the value of North Korean holdings sitting in cryptocurrency “wallets,” or accounts, that have not been cashed out has dropped by more than half since the end of last year, from $170 million to about $65 million.

But analysts say North Korean operatives will not turn away from the cryptocurrency industry: it is too valuable a target, given the industry’s relatively weak cyber defenses and the role that cryptocurrency can play in evading sanctions.

US officials have in recent months held a series of private briefings with foreign governments such as Japan, and with tech firms in the US and abroad, to sound the alarm about the threat of North Korean IT personnel, a Treasury Department official who specializes in North Korea told CNN.

The list of companies targeted by North Koreans covers just about every aspect of the freelance technology sector, including payment processors and recruiting firms, the official said.

Pyongyang has banked on its overseas tech workers for revenue for years. But the coronavirus pandemic — and the occasional lockdown it has caused in North Korea — has, if anything, made the tech diaspora a more crucial funding source for the regime, the Treasury official told CNN.

“Treasury will continue to target the DPRK’s revenue generating efforts, including its illicit IT worker program and related malign cyber activities,” Brian Nelson, Treasury undersecretary for terrorism and financial intelligence, said in a statement to CNN, using the acronym for North Korea.

“Companies that engage with or process transactions for [North Korean tech] workers risk exposure to US and UN sanctions,” added Nelson, who last month met with South Korean government officials to discuss ways of countering the North’s money-laundering and cybercrime activity.

CNN has emailed and called the North Korean Embassy in London seeking comment.

Federal investigators are also on the lookout for Americans who may be inclined to lend their expertise in digital currencies to North Korea.

In April, a 39-year-old American computer programmer named Virgil Griffith was sentenced to more than five years in US prison for violating US sanctions on North Korea after speaking at a blockchain conference there in 2019 on how to evade sanctions. Griffith pleaded guilty and, in a statement submitted to the judge before sentencing, expressed “deep regret” and “shame” for his actions, which he attributed to an obsession to see North Korea “before it fell.”

But the long-term challenge facing US officials is much subtler than conspicuous blockchain conferences in Pyongyang. It involves trying to curtail the diffuse sources of funding that the North Korean government gets from its tech diaspora.

Double-edged sword

The North Korean government has long benefited from outsiders underestimating the regime’s ability to fend for itself, thrive in the black market and exploit the information technology that underpins the global economy.

The regime has built a formidable cadre of hackers by singling out promising math and science students in school, putting North Korea in the same conversation as Iran, China and Russia when US intelligence officials discuss cyber powers.

(Photo caption: In this photo provided by the North Korean government, North Korean leader Kim Jong Un attends a photo session with officers and soldiers, April 27, 2022.)

One of the most infamous North Korean hacks occurred in 2014 with the crippling of Sony Pictures Entertainment’s computer systems in retaliation for “The Interview,” a movie involving a fictional plot to kill Kim Jong Un. Two years later, North Korean hackers stole some $81 million from Bangladesh Bank, the country’s central bank, by compromising the bank’s own systems and issuing fraudulent transfer orders over the SWIFT interbank messaging network.

North Korea’s hacking teams have in the years since trained their sights on the boom-and-bust cryptocurrency market.

The returns have been astronomical at times.

Pyongyang-linked hackers in March stole what was then the equivalent of $600 million in cryptocurrency from a Vietnam-based video gaming company, according to the FBI. And North Korean hackers were likely behind a $100 million heist at a California-based cryptocurrency firm, according to blockchain analysis firm Elliptic.

“Most of these crypto firms and services are still a long way off from the security posture that we see with traditional banks and other financial institutions,” said Fred Plan, principal analyst at cybersecurity firm Mandiant, which investigated suspected North Korean tech workers and shared some of its findings with CNN.

The thousands of North Korean tech workers overseas give Pyongyang a double-edged sword: They can earn salaries that skirt UN and US sanctions and go straight to the regime while also occasionally offering North Korea-based hackers a foothold into cryptocurrency or other tech firms. The IT workers sometimes provide “logistical” support to the hackers and transfer cryptocurrency, the recent US government advisory said.

“The community of skilled programmers in North Korea with permission to contact Westerners is surely quite small,” Nick Carlsen, who until last year was an FBI intelligence analyst focused on North Korea, told CNN.

“These guys know each other. Even if a particular IT worker isn’t a hacker, he absolutely knows one,” said Carlsen, who now works at TRM Labs, a firm that investigates financial fraud. “Any vulnerability they might identify in a client’s systems would be at grave risk.”

And both tech workers and hackers from North Korea have used the relatively open-door nature of the job search process — in which anyone can pretend to be anyone on platforms such as LinkedIn — to their advantage. In late 2019, for example, possible North Korean hackers posed as job recruiters on LinkedIn to target sensitive data held by employees at two European aerospace and defense firms, according to researchers at cybersecurity firm ESET.

“We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members,” LinkedIn said in a statement to CNN. “We don’t wait on requests; our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.”

Learning to spot red flags

Some in the cryptocurrency industry are getting more cautious as they look to hire new talent. In Jonathan Wu’s case, a video call with a job candidate in April may have kept him from unwittingly hiring someone he came to suspect was a North Korean tech worker.

As head of growth marketing at Aztec, a company that offers privacy features for Ethereum, a popular type of cryptocurrency technology, Wu was looking for a new software engineer when the hiring team came across a promising résumé that someone had submitted.

The applicant claimed experience with non-fungible tokens (NFTs) and other segments of the cryptocurrency market.

“It looked like someone we might hire as an engineer,” Wu, who is based in New York, told CNN.

But Wu saw a number of red flags in the applicant, who gave his name as “Bobby Sierra.” He spoke in halting English during the interview, kept his web camera off, and could hardly keep his backstory straight as he practically demanded a job at Aztec, according to Wu.

Wu didn’t end up hiring “Sierra,” who claimed on his résumé to live in Canada.

“It sounded like he was in a call center,” Wu said. “It sounded like there were four or five guys in the office, also speaking loudly, also seemingly on interviews or phone calls and speaking a mix of Korean and English.”

“Sierra” did not respond to messages sent to his apparent email and Telegram accounts seeking comment.

CNN obtained the résumés the alleged North Korean tech workers submitted to Wu’s firm and the cryptocurrency startup founded by Devin. The résumés seem deliberately generic, so as not to arouse suspicion, and use buzzwords popular in the cryptocurrency industry such as “scalability” and “blockchain.”

One suspected North Korean operative tracked by Mandiant, the cybersecurity firm, asked numerous questions of others in the cryptocurrency community about how Ethereum works and interacts with other technology, Mandiant said.

The North Korean may have been gathering information about the technology that could be useful for hacking it later, according to Mandiant principal analyst Michael Barnhart.

“These guys know exactly what they want from the Ethereum developers,” Barnhart said. “They know exactly what they’re looking for.”

The fake résumés and other ruses used by the North Koreans will likely only get more believable, said Kim, the former CIA analyst who is now a policy analyst at RAND Corp., a think tank.

“Even though the tradecraft is not perfect right now, in terms of their ways of approaching foreigners and preying upon their vulnerabilities, it’s still a fresh market for North Korea,” Kim told CNN. “In light of the challenges that the regime is facing — food shortages, fewer countries willing to engage with North Korea … this is just going to be something that they will continue to use because nobody is holding them back, essentially.”

