Devin, the founder of a cryptocurrency startup based in San Francisco, woke up one day in February to the most bizarre phone call of his life.
The man on the other end, an FBI agent, told Devin that the seemingly legitimate software developer he’d hired the previous summer was a North Korean operative who’d sent tens of thousands of dollars of his salary to the country’s authoritarian regime.
Stunned, Devin hung up and immediately cut the employee off from company accounts, he said.
“He was a good contributor,” Devin lamented, puzzled by the man who had claimed to be Chinese and passed multiple rounds of interviews to get hired. (CNN is using a pseudonym for Devin to protect the identity of his company).
Devin’s encounter is just one example of what US officials say is a relentless, evolving effort by the North Korean government to infiltrate and steal from cryptocurrency and other tech firms around the world to help fund Kim Jong Un’s illicit nuclear and ballistic weapons program.
North Korean government-backed hackers have stolen the equivalent of billions of dollars in recent years by raiding cryptocurrency exchanges, according to the United Nations. In some cases, they’ve been able to nab hundreds of millions of dollars in a single heist, the FBI and private investigators say.
Now, US federal investigators are publicly warning about a key pillar of the North Korean strategy, in which the regime places operatives in tech jobs throughout the information technology industry.
The FBI, Treasury and State departments issued a rare public advisory in May about thousands of “highly skilled” IT personnel who provide Pyongyang with “a critical stream of revenue” that helps bankroll the regime’s “highest economic and security priorities.”
It’s an elaborate money-making scheme that relies on front companies, contractors and deception to prey on a volatile industry that is always on the hunt for top talent. North Korean tech workers can earn more than $300,000 annually – hundreds of times the average income of a North Korean citizen – and up to 90% of their wages go to the regime, according to the US advisory.
“(The North Koreans) take this very seriously,” said Soo Kim, a former North Korea analyst at the CIA. “It’s not just some rando in his basement trying to mine cryptocurrency,” she added, referring to the process of generating digital money. “It’s a way of life.”
The value of cryptocurrency has plummeted in recent months, depleting the North Korean loot by many millions of dollars. According to Chainalysis, a firm that tracks digital currency, the value of North Korean holdings sitting in cryptocurrency “wallets,” or accounts, that have not been cashed out has dropped by more than half since the end of last year, from $170 million to about $65 million.
But analysts say the cryptocurrency industry is too valuable a target for North Korean operatives to turn away from because of the industry’s relatively weak cyber defenses and the role that cryptocurrency can play in evading sanctions.
US officials have in recent months held a series of private briefings with foreign governments such as Japan, and with tech firms in the US and abroad, to sound the alarm about the threat of North Korean IT personnel, a Treasury Department official who specializes in North Korea told CNN.
The list of companies targeted by North Koreans covers just about every aspect of the freelance technology sector, including payment processors and recruiting firms, the official said.
Pyongyang has banked on its overseas tech workers for revenue for years. But the coronavirus pandemic – and the occasional lockdown it has caused in North Korea – has, if anything, made the tech diaspora a more crucial funding source for the regime, the Treasury official told CNN.
“Treasury will continue to target the DPRK’s revenue generating efforts, including its illicit IT worker program and related malign cyber activities,” Brian Nelson, Treasury undersecretary for terrorism and financial intelligence, said in a statement to CNN, using the acronym for North Korea.
“Companies that engage with or process transactions for [North Korean tech] workers risk exposure to US and UN sanctions,” added Nelson, who last month met with South Korean government officials to discuss ways of countering the North’s money-laundering and cybercrime activity.
CNN has emailed and called the North Korean Embassy in London seeking comment.
Federal investigators are also on the lookout for Americans who may be inclined to lend their expertise in digital currencies to North Korea.
In April, a 39-year-old American computer programmer named Virgil Griffith was sentenced to more than five years in US prison for violating US sanctions on North Korea after speaking at a blockchain conference there in 2019 on how to evade sanctions. Griffith pleaded guilty and, in a statement submitted to the judge before sentencing, expressed “deep regret” and “shame” for his actions, which he attributed to an obsession to see North Korea “before it fell.”
But the long-term challenge facing US officials is much subtler than conspicuous blockchain conferences in Pyongyang. It involves trying to curtail the diffuse sources of funding that the North Korean government gets from its tech diaspora.
The North Korean government has long benefited from outsiders underestimating the regime’s ability to fend for itself, thrive in the black market and exploit the information technology that underpins the global economy.
The regime has built a formidable cadre of hackers by singling out promising math and science students in school, putting North Korea in the same conversation as Iran, China and Russia when US intelligence officials discuss cyber powers.
One of the most infamous North Korean hacks occurred in 2014 with the crippling of Sony Pictures Entertainment’s computer systems in retaliation for “The Interview,” a movie involving a fictional plot to kill Kim Jong Un. Two years later, North Korean hackers stole some $81 million from the Bank of Bangladesh by exploiting the SWIFT system for transferring bank funds.
North Korea’s hacking teams have in the years since trained their sights on the boom-and-bust cryptocurrency market.
The returns have been astronomical at times.
Pyongyang-linked hackers in March stole what was then the equivalent of $600 million in cryptocurrency from a Vietnam-based video gaming company, according to the FBI. And North Korean hackers were likely behind a $100 million heist at a California-based cryptocurrency firm, according to blockchain analysis firm Elliptic.
“Most of these crypto firms and services are still a long way off from the security posture that we see with traditional banks and other financial institutions,” said Fred Plan, principal analyst at cybersecurity firm Mandiant, which investigated suspected North Korean tech workers and shared some of its findings with CNN.
The thousands of North Korean tech workers overseas give Pyongyang a double-edged sword: They can earn salaries that skirt UN and US sanctions and go straight to the regime while also occasionally offering North Korea-based hackers a foothold into cryptocurrency or other tech firms. The IT workers sometimes provide “logistical” support to the hackers and transfer cryptocurrency, the recent US government advisory said.
“The community of skilled programmers in North Korea with permission to contact Westerners is surely quite small,” Nick Carlsen, who until last year was an FBI intelligence analyst focused on North Korea, told CNN.
“These guys know each other. Even if a particular IT worker isn’t a hacker, he absolutely knows one,” said Carlsen, who now works at TRM Labs, a firm that investigates financial fraud. “Any vulnerability they might identify in a client’s systems would be at grave risk.”
And both tech workers and hackers from North Korea have used the relatively open-door nature of the job search process – in which anyone can pretend to be anyone on platforms such as LinkedIn – to their advantage. In late 2019, for example, possible North Korean hackers posed as job recruiters on LinkedIn to target sensitive data held by employees at two European aerospace and defense firms, according to researchers at cybersecurity firm ESET.
“We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members,” LinkedIn said in a statement to CNN. “We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.”
Learning to spot red flags
Some in the cryptocurrency industry are getting more cautious as they look to hire new talent. In Jonathan Wu’s case, a video call with a job candidate in April may have kept him from unwittingly hiring someone he came to suspect was a North Korean tech worker.
As head of growth marketing at Aztec, a company that offers privacy features for Ethereum, a popular type of cryptocurrency technology, Wu was looking for a new software engineer when the hiring team came across a promising résumé that someone had submitted.
The applicant claimed experience with non-fungible tokens (NFTs) and other segments of the cryptocurrency market.
“It looked like someone we might hire as an engineer,” Wu, who is based in New York, told CNN.
But Wu saw a number of red flags in the applicant, who gave his name as “Bobby Sierra.” He spoke in halting English during the interview, kept his web camera off, and could hardly keep his backstory straight as he practically demanded a job at Aztec, according to Wu.
Wu didn’t end up hiring “Sierra,” who claimed on his résumé to live in Canada.
“It sounded like he was in a call center,” Wu said. “It sounded like there were four or five guys in the office, also speaking loudly, also seemingly on interviews or phone calls and speaking a mix of Korean and English.”
“Sierra” did not respond to messages sent to his apparent email and Telegram accounts seeking comment.
CNN obtained the résumés the alleged North Korean tech workers submitted to Wu’s firm and the cryptocurrency startup founded by Devin. The résumés seem deliberately generic as to not arouse suspicion and used buzzwords popular in the cryptocurrency industry such as “scalability” and “blockchain.”
One suspected North Korean operative tracked by Mandiant, the cybersecurity firm, asked numerous questions of others in the cryptocurrency community about how Ethereum works and interacts with other technology, Mandiant said.
The North Korean may have been gathering information about the technology that could be useful for hacking it later, according to Mandiant principal analyst Michael Barnhart.
“These guys know exactly what they want from the Ethereum developers,” Barnhart said. “They know exactly what they’re looking for.”
The fake résumés and other ruses used by the North Koreans will likely only get more believable, said Kim,the former CIA analyst who is now a policy analyst at RAND Corp., a think tank.
“Even though the tradecraft is not perfect right now, in terms of their ways of approaching foreigners and preying upon their vulnerabilities, it’s still a fresh market for North Korea,” Kim told CNN. “In light of the challenges that the regime is facing – food shortages, fewer countries willing to engage with North Korea … this is just going to be something that they will continue to use because nobody is holding them back, essentially.”