Kraken Exposes North Korean Hacker’s Job Interview Scam

Kraken, a major U.S.-based cryptocurrency exchange, revealed it uncovered a North Korean hacker’s attempt to infiltrate its organization by posing as a job applicant. The incident, shared in a May 1 blog post, highlights the growing sophistication of cyber threats targeting the crypto sector.

Hacker Raised Suspicion Early

Kraken’s security team began to suspect foul play when an applicant for an engineering role joined an interview using a name different from the one on their application. The individual also occasionally switched voices during the conversation, suggesting they were being coached live.

Instead of cutting the process short, Kraken decided to advance the candidate further in the interview process. The goal? To gather intel on the tactics being used by hostile actors trying to penetrate crypto firms from the inside.

Tip-Off and Technical Clues

Kraken acted on a warning from its industry partners, who had circulated a list of email addresses linked to North Korean hacking groups. One of the emails matched the candidate’s, prompting a deeper investigation.

The company found the applicant was using a network of fake identities, remote Mac desktops via VPNs, and tampered identification documents. The applicant’s resume linked to a GitHub account using an email address compromised in a past data breach. Kraken said the ID appeared to be forged with details stolen from a two-year-old identity theft case.

Chief Security Officer Nick Percoco later administered trap identity tests during final interviews. The candidate failed, confirming Kraken’s suspicions.

State-Sponsored Threats Intensify

“Don’t trust, verify,” Percoco emphasized, reinforcing a core crypto principle. He added that state-sponsored attacks have become a global threat, not just a concern for U.S. corporations or the crypto industry.

The Lazarus Group, North Korea’s notorious cybercrime unit, is behind some of the most devastating crypto hacks in history. In February, it orchestrated a $1.4 billion hack on Bybit, the largest crypto heist to date. Throughout 2024, North Korean hackers stole over $650 million in crypto and increasingly resorted to deploying insiders by having operatives apply for jobs at blockchain firms.

In April, one Lazarus subgroup reportedly created three shell companies—two in the U.S.—to distribute malware to crypto developers.

Ayushi Somani
Ayushi Somani is an academically gifted individual who has a passion for blockchain technology. She is well-versed in the technology, having been an early adopter of cryptocurrency and investing in Bitcoin and several other digital currencies.
