Infiltration of North Korean IT Workers in the Crypto Industry
By YGG News • October 3, 2024
This CoinDesk investigation highlights how North Korean IT workers have infiltrated the global cryptocurrency industry, leading to their inadvertent hiring by over a dozen companies. Notable projects such as Injective, Fantom, Cosmos Hub, Sushi, and Yearn Finance found themselves unknowingly employing workers from the Democratic People’s Republic of Korea (DPRK). These workers utilized fake identities, passed interviews, cleared reference checks, and even showcased authentic work histories on platforms like GitHub.
Cybersecurity and Legal Concerns
The situation raises significant cybersecurity and legal issues, particularly since hiring workers from North Korea is a violation of U.S. and U.N. sanctions. These IT workers are believed to be part of a coordinated effort by the North Korean government to generate foreign earnings, which are often funneled into the regime’s nuclear weapons and missile programs. According to the United Nations, North Korea earns approximately $600 million annually from such operations.
The investigation revealed numerous cases where North Korean workers were hired under false pretenses. For instance, Stefan Rust, founder of Truflation, unknowingly hired a developer named “Ryuhei” who claimed to be from Japan. It wasn’t until later, after numerous inconsistencies, that Rust discovered “Ryuhei” and four other team members were actually North Korean.
Risks to Companies
Companies employing these workers face substantial risks. Aside from the potential violation of international sanctions, employing DPRK workers has resulted in various security breaches. Notably, the decentralized finance platform Sushi lost $3 million in a 2021 hack that CoinDesk linked to North Korean IT workers. Other firms learned that their employees were funneling wages to blockchain addresses associated with North Korean entities involved in illicit activities, including financing weapons programs.
Zaki Manian, a blockchain developer involved with Cosmos Hub, admitted to unwittingly hiring two North Korean IT workers in 2021. Filtering out these applicants poses a significant challenge; by Manian's estimate, more than 50% of incoming resumes across the crypto sector come from North Korean workers. These workers often employ sophisticated identity fraud tactics, submitting seemingly legitimate IDs and impressive code repositories.
Discovery of Links to North Korea
Manian’s company, Iqlusion, learned it had paid DPRK workers after an inquiry from the FBI regarding blockchain transactions linked to North Korean wallets. Although the freelancers “Jun Kai” and “Sarawut Sanit” initially delivered satisfactory work, it later became clear that they funneled their earnings to individuals on the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctions list. Similarly, Fantom unknowingly hired North Korean developers in 2021, but those workers never accessed the project’s codebase or deployed any malicious code.
Many companies only realize they've been compromised after payments have been made or security incidents occur. This vulnerability is exacerbated by the fact that the crypto industry often hires remote, anonymous developers without thorough background checks. The global nature of the sector and its reliance on chat platforms like Telegram and Discord, and on GitHub profiles as a stand-in for a verified work history, make it easy for bad actors to get in.
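The pattern in the Iqlusion and Cosmos cases is that the sanctions link surfaced only after wages had already been paid to listed addresses. The control a practitioner would want is a screen of every payout address against the sanctions list before funds move. The block below is an added example, not code from CoinDesk or any of the companies named; it parses lines in the style of the "Digital Currency Address" identifier fields OFAC publishes for listed addresses (the list lines and every address here are constructed for the example and are not real sanctioned addresses), normalizes EVM addresses so that EIP-55 mixed case cannot be used to slip past an exact-string match, and flags payouts in a batch. The chain-ticker handling (treating any `0x` address as chain-agnostic) is an assumption of this example.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lines in the style of the "ID" field OFAC uses for listed
# digital-currency addresses. The addresses are made up for this example and
# are NOT real sanctioned addresses.
SAMPLE_SDN_LINES = [
    "Digital Currency Address - ETH 0x00000000000000000000000000000000DEADBEEF; Secondary sanctions risk",
    "Digital Currency Address - USDT 0x00000000000000000000000000000000CAFEBABE;",
    "Digital Currency Address - XBT 1AbCdEfGhJkMnPqRsTuVwXyZ2345678;",
    "Passport 123456789 (Korea, North);",  # non-address identifier, must be ignored
]

ADDR_RE = re.compile(
    r"Digital Currency Address - (?P<chain>[A-Z0-9]+)\s+(?P<addr>[A-Za-z0-9]+)"
)


def normalize(chain: str, addr: str) -> str:
    """Canonical lookup key for an address.

    EVM-style hex addresses (0x...) are case-insensitive: EIP-55 mixed case is
    only a checksum, so one account can appear as lower, upper or mixed case
    and a naive string comparison would miss it. Base58 (Bitcoin legacy)
    addresses are case-sensitive and are kept exactly as listed.
    """
    if addr.lower().startswith("0x"):
        return addr.lower()
    return addr


def load_sanctioned(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map normalized address -> set of tickers it is listed under."""
    index: Dict[str, Set[str]] = {}
    for line in lines:
        m = ADDR_RE.search(line)
        if not m:
            continue
        key = normalize(m.group("chain"), m.group("addr"))
        index.setdefault(key, set()).add(m.group("chain"))
    return index


def screen_payout(chain: str, addr: str, sanctioned: Dict[str, Set[str]]) -> List[str]:
    """Return the tickers under which this payout address is listed ([] if clean).

    EVM addresses are chain-agnostic (assumption of this example), so an ETH
    payout to an address listed under USDT still matches: it is the same account.
    """
    return sorted(sanctioned.get(normalize(chain, addr), set()))


def screen_batch(payouts: Iterable[Tuple[str, str, float]],
                 sanctioned: Dict[str, Set[str]]) -> List[dict]:
    """Flag every (chain, address, amount) payout that hits the list, before money moves."""
    flagged = []
    for chain, addr, amount in payouts:
        hits = screen_payout(chain, addr, sanctioned)
        if hits:
            flagged.append({"chain": chain, "address": addr,
                            "amount": amount, "listed_as": hits})
    return flagged


if __name__ == "__main__":
    idx = load_sanctioned(SAMPLE_SDN_LINES)
    # Constructed contractor payout run (not real transactions).
    run = [
        ("ETH", "0x00000000000000000000000000000000deadbeef", 4200),
        ("ETH", "0x00000000000000000000000000000000CaFeBaBe", 1500),  # listed under USDT
        ("XBT", "1AbCdEfGhJkMnPqRsTuVwXyZ2345678", 0.05),
        ("ETH", "0x1111111111111111111111111111111111111111", 900),
    ]
    for hit in screen_batch(run, idx):
        print("BLOCK", hit)
```

This catches only direct payment to a listed address. The Iqlusion workers were paid to their own addresses and then forwarded funds to listed ones, so a production control would also check one or two hops of outbound flow from the payout address, which needs chain data this offline example does not include.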
Technical Competence of North Korean Workers
CoinDesk spoke with several companies, many of which acknowledged the difficulty in spotting North Korean applicants. Often, DPRK IT workers exhibit technical competence and operate much like regular employees, complicating detection efforts. In some instances, the workers produced valuable code contributions before being identified, leaving many firms feeling blindsided.
Eric Chen, CEO of Injective, hired a freelance developer in 2020 who was later revealed to be North Korean. Although the developer was quickly dismissed due to underperformance, it wasn’t until 2023, when a U.S. government agency contacted Injective, that Chen learned of the developer’s ties to North Korea.
The Crypto Sector as a Target
The crypto sector has proven ripe for exploitation due to its decentralized and fast-paced nature. Startups and larger firms often hire based on convenience, sometimes relying on pseudonymous profiles or skipping professional background checks. This environment has enabled North Korean IT workers to infiltrate the sector in large numbers, often working for months before detection.
The consequences of these hiring practices extend beyond financial and legal risks; there’s also a moral dimension to consider. Most North Korean IT workers are severely exploited, with the UN Security Council reporting that these individuals retain only 10-30% of their pay, while the majority is funneled back to the regime. Many workers operate under strict surveillance and are compelled to send their earnings to North Korean entities, thereby contributing to the country’s authoritarian system and nuclear ambitions.
Signs of Compromised Employees
In several cases, companies discovered they had been dealing with multiple individuals posing as one worker. Employers observed odd behaviors, such as employees frequently changing their Discord or Telegram names or avoiding video calls. These behaviors often indicated that the employee was sharing an identity with others or working shifts aligned with North Korea’s time zone.
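Two of the behaviours above are measurable from data a company already holds: the timezone a worker's activity actually fits, and whether the "one" account ever goes quiet for a night's sleep. The block below is an added example, not code from CoinDesk or from any company in the article. It takes activity timestamps (commit times, chat messages, ticket updates, all with an explicit UTC offset), finds the whole-hour UTC offset under which the most activity lands in a 09:00 to 18:00 local window, compares that to the offset the worker's claimed location implies, and measures the longest empty stretch in the 24-hour activity profile. The activity logs, the office-hours window and the thresholds (5 hours of offset disagreement, under 4 quiet hours a day, 60% fit confidence) are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

WORK_START, WORK_END = 9, 18   # local office-hours window, 09:00-17:59 (assumption)
MISMATCH_HOURS = 5             # assumption: offset disagreement that warrants review
MIN_QUIET_HOURS = 4            # assumption: one person leaves at least this gap per day
MIN_FIT_CONFIDENCE = 0.6       # assumption: below this the offset fit is not meaningful


def utc_hour_histogram(timestamps: Iterable[str]) -> List[int]:
    """Count events per UTC hour from ISO-8601 strings that carry an explicit offset."""
    hist = [0] * 24
    for ts in timestamps:
        dt = datetime.fromisoformat(ts)
        if dt.tzinfo is None:
            # A naive timestamp would silently be read as the host's local time.
            raise ValueError(f"timestamp without UTC offset: {ts}")
        hist[dt.astimezone(timezone.utc).hour] += 1
    return hist


def best_fit_offset(hist: List[int]) -> Tuple[int, float]:
    """UTC offset (whole hours) placing the most activity in office hours, plus
    the fraction of all activity that window captures (fit confidence)."""
    total = sum(hist)
    best_offset, best_score = 0, -1
    for offset in range(-12, 15):
        score = sum(c for h, c in enumerate(hist)
                    if WORK_START <= (h + offset) % 24 < WORK_END)
        if score > best_score:
            best_offset, best_score = offset, score
    return best_offset, (best_score / total if total else 0.0)


def longest_quiet_window(hist: List[int]) -> int:
    """Longest run of consecutive empty hours, wrapping around midnight."""
    quiet = [c == 0 for c in hist]
    if all(quiet):
        return 24
    if not any(quiet):
        return 0
    start = next(i for i, q in enumerate(quiet) if not q)  # begin on a busy hour
    best = run = 0
    for i in range(24):
        if quiet[(start + i) % 24]:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def assess(timestamps: Iterable[str], claimed_offset: int) -> Dict[str, object]:
    """Compare observed working hours with the claimed location's UTC offset and
    check whether the account ever sleeps."""
    hist = utc_hour_histogram(timestamps)
    fit, confidence = best_fit_offset(hist)
    quiet = longest_quiet_window(hist)
    raw = abs(fit - claimed_offset)
    diff = min(raw, 24 - raw)  # offsets are circular
    return {
        "events": sum(hist),
        "claimed_offset": claimed_offset,
        "fitted_offset": fit,
        "fit_confidence": round(confidence, 2),
        "offset_mismatch": diff >= MISMATCH_HOURS and confidence >= MIN_FIT_CONFIDENCE,
        "quiet_hours": quiet,
        "shared_identity_suspect": quiet < MIN_QUIET_HOURS,
    }


def make_sample(utc_hours: Iterable[int], days: int = 5) -> List[str]:
    """Constructed activity log: one event per listed UTC hour on each day."""
    base = datetime(2024, 9, 2, tzinfo=timezone.utc)
    return [(base + timedelta(days=d, hours=h, minutes=15)).isoformat()
            for d in range(days) for h in utc_hours]


if __name__ == "__main__":
    # Claims Berlin (UTC+1) but is active 00:00-08:59 UTC, i.e. 09:00-17:59 at UTC+9.
    print(assess(make_sample(range(0, 9)), claimed_offset=1))
    # Active in every hour of every day: nobody sleeps, so more than one person.
    print(assess(make_sample(range(24)), claimed_offset=1))
    # Genuine Berlin worker: active 08:00-16:59 UTC with a 15-hour nightly gap.
    print(assess(make_sample(range(8, 17)), claimed_offset=1))
```

Treat both flags as triage signals for a video call or an identity re-check, not as proof. Pyongyang is UTC+9, the same as Tokyo and one hour from Shanghai, so the offset fit says nothing about a worker who claims Japan or China; it only exposes a claimed location far from the hours actually worked. A VPN changes the IP address a worker connects from, but not the hours they keep.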
Despite the gravity of the situation, U.S. authorities have been lenient in prosecuting companies that inadvertently hire DPRK workers. This leniency may reflect the complexity of the issue, as many firms are victims of sophisticated fraud. However, these companies still face legal risks and must adopt greater precautions to prevent similar incidents in the future.
The CoinDesk investigation underscores the importance of rigorous identity verification and security practices in the crypto industry. Without better safeguards, North Korean workers are likely to continue exploiting the industry, posing financial and geopolitical threats. As the industry matures, addressing these vulnerabilities will be crucial for protecting companies from legal repercussions, financial loss, and security risks associated with North Korean cyber operations.