Kraken exposes North Korean hackers disguised as job seekers


Kraken, a prominent cryptocurrency exchange, has disclosed a sophisticated infiltration attempt by North Korean hackers posing as job seekers.

Rather than rejecting the candidate outright, Kraken's security and recruitment teams deliberately advanced them through the hiring process in order to study their tactics and gather intelligence.

North Korean Hackers' Attempt to Infiltrate Kraken

Kraken detailed the incident in a blog post published on May 1st. The applicant applied for an engineering role and initially appeared to be a legitimate candidate named Steven Smith, but several warning signs emerged as the process went on.

"A routine hiring process for an engineering role quickly turned into an information gathering operation. Our team carefully advanced the candidate at every stage of the hiring process to better understand their tactics," Kraken wrote.

The candidate used different names across interviews, and their voice changed repeatedly mid-interview, suggesting they were being coached. They had also applied with an email address already linked to North Korean hackers.

Additionally, an open-source intelligence (OSINT) investigation tied the candidate to a network of fake identities.

"This means our team discovered a hacking operation where an individual set up multiple identities to apply for roles in the cryptocurrency sector and beyond. Multiple names were previously employed by various companies, and our team confirmed work-related email addresses associated with them. One identity in this network was also known as a foreign agent on sanctions lists," the blog stated.
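The identity network Kraken describes is a textbook entity-resolution problem: separate applications under different names are linked because they reuse the same underlying identifiers. The following is an added example, not Kraken's code, showing how a hiring team could cluster applications that share a normalized email, phone number or resume hash, and flag any cluster that spans several names or touches a watchlist. The applicants, identifiers and watchlist entries are constructed and fictional; the `Applicant` fields, the watchlist format and the flagging thresholds are assumptions for illustration.

```python
"""Cluster job applications that share identifiers and flag suspicious clusters.

Added example, not Kraken's code. Uses union-find over normalized identifiers
(email, phone, resume hash) so that applications filed under different names
but sharing any one identifier end up in the same cluster.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Applicant:
    applicant_id: str
    name: str
    email: str
    phone: Optional[str] = None
    resume_sha256: Optional[str] = None  # hash of the uploaded resume file (assumed field)


def normalize_email(email: str) -> str:
    """Lowercase and strip '+tag' suffixes so alice+job1@ex.test equals alice@ex.test."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def normalize_phone(phone: str) -> str:
    """Keep digits only so '+1 (555) 010-0100' and '15550100100' compare equal."""
    return re.sub(r"\D", "", phone)


def link_keys(a: Applicant) -> list:
    """Identifiers on which two applications are treated as the same actor."""
    keys = [("email", normalize_email(a.email))]
    if a.phone:
        keys.append(("phone", normalize_phone(a.phone)))
    if a.resume_sha256:
        keys.append(("resume", a.resume_sha256.lower()))
    return keys


class UnionFind:
    """Minimal disjoint-set structure with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_applicants(applicants: list) -> list:
    """Group applicants transitively: A~B if they share any link key."""
    uf = UnionFind()
    owner = {}  # first applicant_id seen for each identifier
    for a in applicants:
        uf.find(a.applicant_id)
        for key in link_keys(a):
            if key in owner:
                uf.union(owner[key], a.applicant_id)
            else:
                owner[key] = a.applicant_id
    groups = {}
    for a in applicants:
        groups.setdefault(uf.find(a.applicant_id), []).append(a)
    return list(groups.values())


def flag_clusters(applicants: list, watchlist_emails: set) -> list:
    """Return clusters that use more than one name or contain a watchlisted email."""
    watch = {normalize_email(e) for e in watchlist_emails}
    findings = []
    for group in cluster_applicants(applicants):
        names = sorted({a.name for a in group})
        hits = sorted({normalize_email(a.email) for a in group} & watch)
        reasons = []
        if len(names) > 1:
            reasons.append(f"{len(names)} distinct names share identifiers")
        if hits:
            reasons.append("watchlist match: " + ", ".join(hits))
        if reasons:
            findings.append({"ids": sorted(a.applicant_id for a in group),
                             "names": names, "reasons": reasons})
    return findings


# Constructed sample data (fictional): A1/A2 share a phone, A2/A3 share a resume hash.
SAMPLE_APPLICANTS = [
    Applicant("A1", "Alice Example", "alice.example@mail.test", "+1 555 010 0100"),
    Applicant("A2", "Alicia Exampel", "a.exampel+eng@mail.test", "15550100100", "deadbeef"),
    Applicant("A3", "Al Exmpl", "al.exmpl@other.test", None, "DEADBEEF"),
    Applicant("A4", "Bob Builder", "bob@builder.test", "+1 555 010 0999"),
]
SAMPLE_WATCHLIST = {"AL.EXMPL@other.test"}  # constructed; stands in for a sanctions/OSINT list

if __name__ == "__main__":
    for f in flag_clusters(SAMPLE_APPLICANTS, SAMPLE_WATCHLIST):
        print(f)
```

Running the block flags one cluster of three names (A1, A2, A3) with a watchlist hit, while the unrelated applicant A4 is left alone. The linking is transitive on purpose: A1 and A3 share nothing directly, but both connect through A2, which is exactly how a network of reused identities is usually uncovered.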

Technical inconsistencies also pointed to an infiltration attempt: the candidate worked from a remote, colocated Mac desktop reached through a VPN, a setup commonly used to disguise a person's real location and network activity. Taken together, this evidence made it highly likely that the candidate was a state-sponsored operative.

In the final interview, Kraken's Chief Security Officer Nick Percoco and several team members confirmed the company's suspicions. The candidate could not confirm their location and failed simple questions about their claimed city and citizenship, exposing the application as fraudulent.

"Their job is to steal intellectual property, steal money from companies, get paid, and do it broadly," Percoco told CBS about the hackers.

FinCEN Proposes Cutting Off North Korea-Linked Huione Group

Meanwhile, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) proposed cutting the Cambodia-based Huione Group off from the U.S. financial system, designating it a financial institution of primary money laundering concern. FinCEN identified Huione as a key facilitator for North Korean hackers involved in cyber theft and for "pig butchering" cryptocurrency scams.

"The Huione Group has become the market of choice for malicious cyber actors and criminal organizations like the DPRK. They have stolen billions from everyday Americans," said Treasury Secretary Scott Bessent.

FinCEN accused the group of laundering over $4 billion in illicit funds between August 2021 and January 2025. According to FinCEN, Huione's network, including Huione Pay, Huione Crypto, and Haowang Guarantee, is favored by cryptocurrency criminals because it offers payment processing alongside an illicit online marketplace.

"Today's proposed action will block Huione Group's correspondent banking access, diminishing their ability to launder illegal proceeds. The Treasury is committed to disrupting malicious cyber actors' attempts to secure profits from their criminal schemes," Bessent added.

These incidents illustrate the pattern of North Korean cyber operations against the cryptocurrency sector. In 2024 alone, North Korean hackers stole $659 million from cryptocurrency companies.

According to a joint statement by the U.S., Japan, and South Korea, North Korean hackers target the industry with social engineering and custom malware families such as TraderTraitor and AppleJeus. The statement also identified North Korean IT workers as an insider threat to private-sector companies.

Previous BeInCrypto reports highlighted the involvement of the notorious Lazarus Group, a North Korean state-sponsored hacking collective, in thefts from Bithumb and Upbit. The country's hacking groups were also behind the hacks of Radiant Capital and DMM Bitcoin.

In fact, on-chain investigator ZachXBT recently reported significant DPRK activity across DeFi protocols, with some protocols deriving nearly all of their monthly transaction volume and fees from the Democratic People's Republic of Korea (DPRK).
