Are North Korean IT Remote Workers Targeting Crypto Firms? Here’s What We Know

According to the US Government, North Korean IT workers are flooding the freelance market. It’s illegal for US businesses to employ them, but, what if they have no idea they’re doing it? In this new remote work world we’re living in, it’s completely possible. The North Korean workers are targeting all kinds of technology-focused businesses, but of course, the CNN report on the matter focused on cryptocurrency firms.

“It’s an elaborate money-making scheme that relies on front companies, contractors and deception to prey on a volatile industry that is always on the hunt for top talent. North Korean tech workers can earn more than $300,000 annually — hundreds of times the average income of a North Korean citizen — and up to 90% of their wages go to the regime, according to the US advisory.”

In contrast, this is what the US Government actually published: 

“The DPRK dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions. These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and East Asia.”

It’s worth noting that the document doesn’t mention “crypto” or “bitcoin,” but let’s read what mainstream media has to say.

How Does CNN Relate North Korean IT Workers To Crypto?  

The plan is simple, to associate this new development with the numerous crypto-related hacks that NewsBTC has timely reported on: 

“North Korean government-backed hackers have stolen the equivalent of billions of dollars in recent years by raiding cryptocurrency exchanges, according to the United Nations. In some cases, they’ve been able to nab hundreds of millions of dollars in a single heist, the FBI and private investigators say.”

To establish authority, CNN also quotes US Government-related individuals, like “Soo Kim, a former North Korea analyst at the CIA.” She said, “(The North Koreans) take this very seriously. It’s not just some rando in his basement trying to mine cryptocurrency it’s a way of life.” Is she talking about the hackers or the job hunters, though? “Even though the tradecraft is not perfect right now, in terms of their ways of approaching foreigners and preying upon their vulnerabilities, it’s still a fresh market for North Korea,” she said later, apparently talking about the job hunters.

Another authority figure CNN features is “Fred Plan, principal analyst at cybersecurity firm Mandiant, which investigated suspected North Korean tech workers”. He says, “Most of these crypto firms and services are still a long way off from the security posture that we see with traditional banks and other financial institutions”. He’s right about that, but, what does that have to do with freelancers looking for jobs in IT?

ETH price chart for 07/12/2022 on FTX | Source: ETH/USD on TradingView.com
What About Those Hacks That Everyone Keeps Talking About?

The only authority figure that relates the IT workers to North Korean hackers is “Nick Carlsen, who until last year was an FBI intelligence analyst focused on North Korea”. What this man says might be the most important part of the article. “These guys know each other. Even if a particular IT worker isn’t a hacker, he absolutely knows one. Any vulnerability they might identify in a client’s systems would be at grave risk.”

The CNN article keeps it as vague as possible regarding the hacks:

“Pyongyang-linked hackers in March stole what was then the equivalent of $600 million in cryptocurrency from a Vietnam-based video gaming company, according to the FBI. And North Korean hackers were likely behind a $100 million heist at a California-based cryptocurrency firm, according to blockchain analysis firm Elliptic.”

Luckily for you, NewsBTC is here to help.

What Does NewsBTC Know About The North Korean Hackers?

The first item seems to refer to the Axie Infinity/ Ronin hack. About that one, we reported:

“The alphabet agency traced the funds to wallets associated with North Korean hacking group Lazarus. Does The Block’s article complete or negate this version of the story? It’s hard to see North Koreans pulling a stunt quite like this.

In any case, at the time the FBI was extremely clear in a statement quoted here: 

“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th.”

If the IT remote workers’ story is true, we were wrong by saying, “It’s hard to see North Koreans pulling a stunt quite like this.” The second item seems to refer to the Harmony hack, and to describe that one we’ll quote our sister site Bitcoinist, who reported:

“The United States government believes that Lazarus was acting on behalf of North Korea’s covert intelligence service. Elliptic, a blockchain analytics company, disclosed in a report that: “The theft was achieved by compromising the cryptographic keys of a multi-signature wallet — most likely through a social engineering attack on members of the Harmony team. The Lazarus Group has routinely employed such methods.”

And that’s what we know so far. Are the North Korean IT workers related to the hackers? Probably so, but, the US Government didn’t even mention cryptocurrencies or bitcoin in their “Guidance on the Democratic People’s Republic of Korea information technology workers.”

Featured Image taken from this post | Charts by TradingView