- Kraken uncovered a North Korean hacker posing as a job seeker using fake IDs, VPNs, and digital obfuscation tactics.
- OSINT tools linked the applicant to sanctioned entities and broader crypto infiltration campaigns by state-backed actors.
- Crypto firms face rising threats from North Korean operatives exploiting job interviews to breach systems undetected.
U.S.-based crypto exchange Kraken recently disclosed an incident in which a North Korean hacker attempted to infiltrate the company. According to Kraken’s statement, the attempt was found during a standard hiring process for an engineering position.
Recruiters initially flagged the applicant for providing inconsistent information, and the discrepancies prompted an internal investigation after the applicant was interviewed by video. The red flags included using a different name from the one on the submitted resume, shifts in voice during the call, and poor knowledge of location and personal details.
Deceptive Tactics and Digital Obfuscation Are Utilized
Following an investigation by Kraken’s security and IT teams, it was determined that the applicant operated behind multiple digital layers to conceal their identity and location. The candidate joined the interview from a colocated Mac desktop accessed through a virtual private network (VPN), a setup typically used to hide geolocation data.
A closer inspection of the applicant’s GitHub profile showed that the email used in their account had appeared in a recent data breach. This email was also on a list of addresses that industry partners had shared with Kraken to warn of North Korean threat actors targeting crypto firms. The submitted identification documents were also found to have been altered and to have been used in an identity theft case filed two years earlier.
Investigation Escalates to the Security Team
After discovering these red flags, Kraken referred the issue to its Red Team for additional inspection. The team used open-source intelligence (OSINT) tools to trace the email address and digital footprint. According to their findings, the person who had applied for the job used multiple aliases when applying for positions with different organizations.
Some of these aliases were linked to individuals under international sanctions for known foreign intelligence activities. Additionally, it was found that some of the identities had managed to land a job at other crypto companies, pointing to a wider infiltration campaign.
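The two correlations described above (an applicant email that appears on a partner-shared indicator list, and one email reused under several names) can be checked automatically at intake. The sketch below is an added example, not Kraken's tooling; the record fields, the sample data and the choice to strip "+tag" sub-addressing before comparing are assumptions made for illustration.

```python
from collections import defaultdict

def normalize_email(addr: str) -> str:
    """Lower-case and strip '+tag' sub-addressing so trivial variants compare equal."""
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def screen_applications(applications, partner_indicators):
    """Return {email: {"names": [...], "reasons": [...]}} for applications needing review."""
    watchlist = {normalize_email(e) for e in partner_indicators}
    names_by_email = defaultdict(set)
    for app in applications:
        email = normalize_email(app["email"])
        names_by_email[email].add(app["resume_name"].strip().lower())
        # A name given on the call that differs from the resume counts as another alias.
        if app.get("interview_name"):
            names_by_email[email].add(app["interview_name"].strip().lower())
    findings = {}
    for email, names in names_by_email.items():
        reasons = []
        if email in watchlist:
            reasons.append("email on partner-shared indicator list")
        if len(names) > 1:
            reasons.append("one email used under multiple names")
        if reasons:
            findings[email] = {"names": sorted(names), "reasons": reasons}
    return findings

# Constructed sample data: example.com addresses and invented names (hypothetical fields).
PARTNER_INDICATORS = ["dev.alpha@example.com"]
APPLICATIONS = [
    {"resume_name": "Alex Smith", "interview_name": "Sam Lee",
     "email": "Dev.Alpha+jobs@example.com"},
    {"resume_name": "Jordan Kim", "interview_name": "Jordan Kim",
     "email": "jordan.kim@example.com"},
    {"resume_name": "Chris Park", "email": "dev.alpha@example.com"},
]

if __name__ == "__main__":
    for email, finding in screen_applications(APPLICATIONS, PARTNER_INDICATORS).items():
        print(email, finding["names"], finding["reasons"])
```

A hit is a reason for manual review, not a verdict; the live verification steps the article goes on to describe are what confirmed the finding in Kraken's case.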
Final Verification and Operation Outcome
Kraken decided not to end the interview process there and instead continued interacting with the applicant to gather information. The final round of interviews included additional verification measures. Among them were requests to confirm where they were, show a government-issued ID live on camera, and answer basic questions about local establishments in the city where they claimed to live.
These prompts received inconsistent and inaccurate responses from the candidate. Because Kraken could not verify personal info relating to this applicant, it concluded that this applicant was not a real job seeker but an agent of a state-sponsored cyber operation.
Industry Implications and Broader Threats
According to Kraken, this incident is part of a growing trend in which groups associated with North Korea leverage employment channels to gain access to sensitive systems. The company says this infiltration method makes the cybersecurity landscape more difficult, especially for blockchain and cryptocurrency firms.