Kraken, a prominent cryptocurrency exchange, has uncovered a sophisticated infiltration attempt by a North Korean hacker posing as a job candidate.
The security and recruitment teams advanced the candidate through the hiring process. The aim was to study their strategies and gather crucial insights.
How a North Korean Hacker Tried to Infiltrate Kraken
Kraken detailed the incident in a recent blog post on May 1. The hacker applied for an engineering role at the exchange, initially appearing as a legitimate candidate, allegedly named Steven Smith. However, several red flags emerged during the hiring process.
“What started as a routine hiring process for an engineering role quickly turned into an intelligence gathering operation, as our teams carefully advanced the candidate through our hiring process to learn more about their tactics at every stage of the process,” Kraken noted.
The candidate used a different name during the interview and kept switching voices, suggesting coaching. They applied using an email linked to North Korean hackers.
Moreover, the Open-Source Intelligence gathering (OSINT) investigation uncovered the candidate’s involvement in a network of fake identities.
“This meant that our team had uncovered a hacking operation where one individual had established multiple identities to apply for roles in the crypto space and beyond. Several of the names had previously been hired by multiple companies, as our team identified work-related email addresses linked to them. One identity in this network was also a known foreign agent on the sanctions list,” the blog read.
Additionally, technical inconsistencies in their setup, like using remote, colocated Mac desktops accessed via a VPN and altered IDs, pointed to an infiltration attempt. This information confirmed that the candidate was likely a state-sponsored hacker.
In a final interview with the candidate, Kraken’s Chief Security Officer, Nick Percoco, and some team members confirmed the company’s suspicions. The candidate’s failure to verify their location or answer questions about their city and citizenship revealed them as an impostor.
“Their job is to start employment to steal intellectual property, steal money from those companies, take home a paycheck, and do it in a widespread way,” Percoco told CBS about the hackers.
FinCEN Proposes Ban on Huione Group Over North Korean Ties
Meanwhile, in another development, the US Financial Crimes Enforcement Network (FinCEN) has proposed banning Cambodia-based Huione Group from the US financial system. The department identified Huione as a key facilitator for North Korean hacker groups, including those involved in cyber heists and “pig butchering” cryptocurrency scams.
“Huione Group has established itself as the marketplace of choice for malicious cyber actors like the DPRK and criminal syndicates, who have stolen billions of dollars from everyday Americans,” Secretary of the Treasury Scott Bessent said.
FinCEN accused the group of laundering over $4 billion in illicit funds between August 2021 and January 2025. According to the department, Huione’s network, including Huione Pay, Huione Crypto, and Haowang Guarantee, is a preferred marketplace for cryptocurrency criminals, offering services such as payment processing and an illicit online marketplace.
“Today’s proposed action will sever Huione Group’s access to correspondent banking, degrading these groups’ ability to launder their ill-gotten gains. Treasury remains committed to disrupting any attempt by malicious cyber actors to secure revenue from or for their criminal schemes,” Bessent added.
These incidents highlighted a pattern of North Korean cyberattacks on the cryptocurrency sector. In 2024, hackers stole over $659 million from crypto firms.
According to a joint statement from the United States, Japan, and the Republic of Korea, North Korean hackers targeted the industry using tactics like social engineering and malware (e.g., TraderTraitor, AppleJeus). Additionally, North Korean IT workers were identified as insider threats to private sector companies.
Previously, BeInCrypto reports have highlighted the notorious Lazarus Group, a North Korean state-sponsored hacking collective’s involvement in Bybit and Upbit thefts. Moreover, hacker groups from the country were also behind the Radiant Capital hack and the DMM Bitcoin exploit.
In fact, recently, on-chain investigator ZachXBT uncovered significant North Korean involvement in decentralized finance (DeFi) protocols, with some of them relying on nearly 100% of their monthly volume/fees from the Democratic People’s Republic of Korea (DPRK).
Disclaimer
In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.
