Hiding In Plain Sight: Crypto Investigation Reveals How North Korean Hackers Infiltrated The Industry

A crypto investigation recently deep-dived into one of the industry’s largest problems, revealing its extent might be larger than suspected. The report exposed how North Korean hackers have targeted and infiltrated the sector, presenting many legal and cybersecurity risks for companies and investors.

DPRK Infiltration Targets The Whole Industry

CoinDesk recently published an investigation detailing how North Koreans have infiltrated the industry, finding that over a dozen crypto companies had fallen victim to the country’s tactics to bypass sanctions and receive money from these projects.

The report revealed that several companies, including well-established projects like Fantom, Injective, Yearn Finance, ZeroLend, and Sushi, had inadvertently hired IT workers from the Democratic People’s Republic of Korea (DPRK).

Moreover, it exposed the extent of the problem as the interviews with several founders, industry experts, and blockchain researchers showed that the infiltration is “far more prevalent” than expected.

During the investigation, most of the hiring managers consulted said they had interviewed or hired suspected DPRK developers, or knew someone who had.

Blockchain developer Zaki Manian disclosed he unknowingly hired two North Korean IT workers in 2021 to help develop the Cosmos Hub blockchain. He claimed that “everyone is struggling to filter out these people” as the probability of a job applicant being from the DPRK “is greater than 50% across the entire industry.”

On-chain investigator ZachXBT unveiled the North Korean chain of exploits in August, sharing that he had discovered over 25 crypto projects with DPRK-linked developers that had been active since June 2024.

The crypto sleuth shared the names and addresses of 21 IT workers who had infiltrated the industry in just those three months. Additionally, he uncovered that North Korea was “receiving $300K – $500K / month from working at 25+ projects at once by using fake identities.”

Crypto Hacks Are Not Like Hollywood Movies

The report explained that North Korean cyberattacks “don’t tend to resemble the Hollywood version of hacking.” Instead, the attacks usually involve some form of social engineering: the hackers earn the team’s trust and then obtain access to the project’s private keys, typically through a malicious link.

Taylor Monahan, Product Manager at MetaMask, stated: “To date, we have never seen DPRK do, like, a real exploit. It’s always social engineering, and then compromise the device, and then compromise the private keys.”

The North Korean developers use fake documentation to disguise their real nationality, as hiring workers from the DPRK is prohibited in many countries due to sanctions. After being hired, the malicious actors initially do a good job to earn their employers’ trust.

However, work inconsistencies and discrepancies in their stories surface as time passes, and the crypto companies come to realize they have been targeted in a coordinated attack. Sometimes teams discover that more than one individual was working under a single identity, or that several of their “employees” were in fact one person.

As reported by Bitcoinist, the Ethereum Layer-2 NFT gaming platform Munchables fell victim to an attack of this kind. In March, the project lost, and later recovered, over $60 million in crypto after a developer turned hacker.

The heist was revealed to be an inside job and was linked by several industry figures like Laura Shin and ZachXBT to the North Korean government. Moreover, it was suspected that four of the developers in the team were all one person.

Ultimately, the investigation showed that several crypto projects that employed DPRK IT workers later fell victim to hacks, including Sushi in 2021 and, most recently, Delta Primes in September 2024.