Surprised, Devin hung up the phone and immediately cut the employee off the company accounts, he said. “He was a good contributor,” Devin lamented, confused by the man who had claimed to be Chinese and had gone through several rounds of interviews to be hired. (CNN uses a pseudonym for Devin to protect his company’s identity.) North Korean government-backed hackers have stolen the equivalent of billions of dollars in recent years by raiding cryptocurrency exchanges, according to the United Nations. In some cases, they’ve made off with hundreds of millions of dollars in a single heist, the FBI and private investigators say. Now, US federal investigators are publicly warning about a key pillar of North Korea’s strategy, in which the regime places executives in technology jobs across the information technology industry.
The FBI, Treasury and State Departments issued a rare public advisory in May about thousands of “highly skilled” IT personnel who provide Pyongyang with “a critical revenue stream” that helps fund the regime’s “highest economic and security priorities.” It’s an elaborate profit-making scheme that relies on front companies, contractors and deception to prey on a volatile industry that’s always on the hunt for top talent. North Korean tech workers can earn more than $300,000 a year — hundreds of times the average income of a North Korean citizen — and up to 90% of their wages go to the regime, according to the US advisory.
“(The North Koreans) take this very seriously,” said Soo Kim, a former CIA North Korea analyst. “It’s not just some rando in his basement trying to mine cryptocurrency,” she added, referring to the process of generating digital money. “It’s a way of life.”
The value of cryptocurrency has plummeted in recent months, depleting North Korea’s loot by several million dollars. According to Chainalysis, a firm that tracks digital currency, the value of North Korea’s holdings in unredeemed cryptocurrency “wallets,” or accounts, has more than halved since late last year, from $170 million to about $65 million. But analysts say the cryptocurrency industry is a very valuable target for North Korean operatives because of its relatively weak cyber defenses and the role cryptocurrency can play in evading sanctions.
U.S. officials have held a series of private briefings in recent months with foreign governments, such as Japan, and with technology companies in the U.S. and abroad to sound the alarm about the threat from North Korean IT personnel, a Treasury Department official specializing in North Korea told CNN. The list of companies targeted by the North Koreans covers almost every aspect of the freelance technology sector, including payment processing businesses and recruitment firms, the official said.
Pyongyang has financed overseas tech workers for revenue for years. However, the coronavirus pandemic — and the occasional lockdown it has caused in North Korea — has made technology deployment a more critical source of funding for the regime, the Treasury official told CNN.
“Treasury will continue to target the DPRK’s monetization efforts, including the illegal IT worker program and related malicious cyber activities,” Brian Nelson, Treasury’s undersecretary for terrorism and financial intelligence, said in a statement to CNN, using the acronym for North Korea. “Companies that deal with or process transactions for [North Korean tech] workers are at risk of exposure to US and UN sanctions,” added Nelson, who last month met with South Korean government officials to discuss ways to deal with the North’s money laundering and cybercrime activity. CNN emailed and called the North Korean embassy in London seeking comment.
Federal investigators are also on the lookout for Americans who may be inclined to offer their digital currency expertise to North Korea. In April, a 39-year-old American computer programmer named Virgil Griffith was sentenced to more than five years in US prison for violating US sanctions on North Korea after he spoke at a blockchain conference there in 2019 about how to evade sanctions. Griffith pleaded guilty and, in a statement to the judge before sentencing, expressed “deep regret” and “shame” for his actions, which he attributed to an obsession with seeing North Korea “before it falls.”
But the long-term challenge facing US officials is far more nuanced than the obvious blockchain conferences in Pyongyang. It includes an effort to limit the pervasive sources of funding the North Korean government receives from its technological diaspora.

Double-edged sword

The North Korean government has long benefited from outsiders underestimating the regime’s ability to serve itself, thrive on the black market and exploit the information technology that underpins the global economy.
The regime has built a formidable cadre of hackers by singling out promising math and science students in school, putting North Korea in the same conversation as Iran, China and Russia when US intelligence officials discuss cyberpower. One of the most notorious North Korean hacks occurred in 2014 with the collapse of Sony Pictures Entertainment’s computer systems in retaliation for “The Interview,” a film featuring a fictional plot to assassinate Kim Jong Un. Two years later, North Korean hackers stole approximately $81 million from the Bangladesh Bank by exploiting the SWIFT system to transfer bank funds.
North Korean hacking groups have trained their sights on the boom-and-bust cryptocurrency market. The returns were astronomical at times. Hackers linked to Pyongyang in March stole what was then equivalent to $600 million in cryptocurrency from a Vietnam-based video game company, according to the FBI. And North Korean hackers were likely behind a $100 million heist at a California-based cryptocurrency firm, according to blockchain analytics firm Elliptic.
“Most of these crypto companies and services are still a long way from the security posture we see with traditional banks and other financial institutions,” said Fred Plan, principal analyst at cybersecurity firm Mandiant, which has investigated suspected North Korean tech workers and shared some of its findings with CNN.
The thousands of North Korean tech workers abroad give Pyongyang a double-edged sword: They can earn salaries that bypass U.N. and U.S. sanctions and go straight to the regime, while occasionally giving North Korea-based hackers a base in cryptocurrency or other technology companies. IT workers sometimes provide “logistical” support to hackers and transfer cryptocurrencies, a recent US government advisory said.
“The community of skilled programmers in North Korea with clearance to communicate with Westerners is certainly very small,” Nick Carlsen, who until last year was an FBI intelligence analyst focused on North Korea, told CNN. “These guys know each other. Even if a particular IT worker isn’t a hacker, they absolutely know,” said Carlsen, who now works at TRM Labs, a firm that investigates financial fraud. “Any vulnerability it can find in a customer’s systems would be at great risk.” And both tech workers and North Korean hackers have used the relatively open nature of the job search process — in which anyone can pretend to be anyone on platforms like LinkedIn — to their advantage. In late 2019, for example, potential North Korean hackers posed as job recruiters on LinkedIn to target sensitive data held by employees of two European aerospace and defense companies, according to researchers at cybersecurity firm ESET. “We actively look for signs of state-sponsored activity on the platform and take swift action against bad actors to protect our members,” LinkedIn said in a statement to CNN. “We don’t wait for requests, our threat intelligence team removes fake accounts using information we disclose and information from various sources, including government agencies.”

We learn to spot red flags

Some in the cryptocurrency industry are becoming more cautious as they try to hire new talent. In Jonathan Wu’s case, a video call with a job candidate in April may have prevented him from inadvertently hiring someone he suspected was a North Korean tech worker. As the head of development marketing at Aztec, a company that offers privacy features for Ethereum, a popular type of cryptocurrency technology, Wu was looking for a new software engineer when the hiring team came across a promising resume that someone had submitted. The applicant claimed to have experience with non-fungible tokens (NFTs) and other segments of the cryptocurrency market. “He looked like someone we could hire as an engineer,” Wu, who is based in New York, told CNN.
But Wu saw a number of red flags in the applicant, who gave his name as “Bobby Sierra.” He spoke in English during the interview, kept his webcam off and could hardly keep his background straight as he essentially demanded a job with Aztec, according to Wu. Wu ended up not hiring “Sierra,” who claimed on his resume that he lives in Canada.
“He sounded like he was in a call center,” Wu said. “It sounded like there were four or five guys in the office, also talking loudly, also seemingly in interviews or phone calls, and speaking a combination of Korean and English.” “Sierra” did not respond to messages sent to his apparent email and Telegram accounts seeking comment. CNN obtained the resumes submitted by the alleged North Korean tech workers at Wu’s company and the cryptocurrency startup founded by Devin. Resumes appear deliberately generic so as not to arouse suspicion and use buzzwords popular in…