TLDR
- Kraken identified a suspected North Korean operative during a job interview for an engineering position
- The applicant used a false identity, appeared to be coached during interviews, and failed verification tests
- Industry partners had tipped off Kraken about North Korean actors applying for jobs at crypto companies
- Kraken continued the interview process to gather intelligence on the hacker’s tactics
- North Korean hackers have stolen billions in crypto in 2024, including the record $1.4 billion Bybit hack
North Korean Hackers Target Crypto Exchange Through Job Application
Crypto exchange Kraken recently uncovered an attempted infiltration by a suspected North Korean state-backed hacker who applied for an engineering position. The exchange detailed how what began as a standard hiring process quickly transformed into a counter-intelligence operation after staff spotted unusual behavior during the interview.
Kraken CSO @c7five recently spoke to @CBSNews about how a North Korean operative unsuccessfully attempted to get a job at Kraken.
Don’t trust. Verify 👇 pic.twitter.com/1vVo3perH2
— Kraken Exchange (@krakenfx) May 1, 2025
The applicant joined the initial video call using a name different from the one on their application materials. Kraken’s team noticed the candidate “occasionally switched between voices,” suggesting they were being coached through the interview in real time.
Rather than immediately ending the process, Kraken chose to advance the applicant through additional interview stages. This decision allowed the company to gather valuable information about the tactics being used by the hackers.
Red Flags and Detection Methods
Kraken had received prior intelligence from industry partners warning that North Korean actors were actively applying for jobs at crypto companies. When cross-referencing a list of email addresses linked to known hacker groups, Kraken found a match with the email the candidate had used in their application.
The security team then uncovered a network of fake identities used by the hacker. These identities had been used to apply for positions at multiple companies in the sector.
Technical inconsistencies further raised suspicions. The applicant used remote Mac desktops accessed through VPNs to hide their true location. The candidate’s identification documents appeared to be altered, likely using details stolen in an identity theft case from two years prior.
The GitHub profile listed on the resume contained an email address that had been exposed in a past data breach. This discovery added another layer to the growing evidence of deception.
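The cross-referencing described in this section can be sketched as follows. This is an added example, not Kraken's tooling or code from the article: it screens applicant records against a shared list of flagged email addresses and links applications that reuse an identifier under different names. Every address, name, GitHub handle and field name is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: nothing here comes from the article.
FLAGGED_EMAILS = {"dev.kim@example.com", "j.smith.eng@example.org"}

APPLICATIONS = [
    {"id": "A1", "name": "Alex Reed", "email": "Dev.Kim+jobs@example.com", "github": "areed-dev"},
    {"id": "A2", "name": "Sam Cole", "email": "sam.cole@example.net", "github": "AReed-Dev"},
    {"id": "A3", "name": "Pat Lane", "email": "pat.lane@example.net", "github": "patlane"},
]

def normalize_email(addr):
    """Lower-case and drop a '+tag' suffix so trivial variants still match."""
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def screen(applications, flagged):
    """Return {application id: [reasons]} for records that need manual review."""
    flagged_norm = {normalize_email(e) for e in flagged}
    reasons = defaultdict(list)
    by_handle = defaultdict(list)
    for app in applications:
        # Direct match against the indicator list shared by partners.
        if normalize_email(app["email"]) in flagged_norm:
            reasons[app["id"]].append("email on partner watchlist")
        by_handle[app["github"].lower()].append(app)
    # The same GitHub handle under different applicant names suggests
    # one operator behind several identities.
    for handle, group in by_handle.items():
        if len({a["name"].lower() for a in group}) > 1:
            for a in group:
                others = ", ".join(o["id"] for o in group if o is not a)
                reasons[a["id"]].append(f"GitHub handle '{handle}' shared with {others}")
    return dict(reasons)

if __name__ == "__main__":
    for app_id, why in screen(APPLICATIONS, FLAGGED_EMAILS).items():
        print(app_id, "->", "; ".join(why))
```

A hit here is a reason for manual review, not a verdict: watchlists contain stale or recycled addresses, so the match should be confirmed through identity checks like the ones described in the next section.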
Final Confirmation
During the final interview stages, Kraken Chief Security Officer Nick Percoco conducted what the company called “trap identity verification tests.” These included asking the candidate to show government ID, verify their city of residence, and name local restaurants in their supposed location.
The candidate failed these basic verification challenges. According to Kraken, “At this point, the candidate unraveled. Flustered and caught off guard, they struggled with the basic verification tests.”
These failures confirmed the deception, and Kraken declined to proceed with the hire. Percoco emphasized the importance of verification, stating, “Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age.”
Broader North Korean Cyber Campaign
This attempted infiltration fits into a larger pattern of North Korean cyber activities targeting the crypto industry. International sanctions have effectively isolated North Korea from the global economy, leading the country to turn to cyber theft to fill state coffers.
North Korea-affiliated hacking collective Lazarus Group was responsible for February’s $1.4 billion hack of crypto exchange Bybit. This represents the largest crypto theft in industry history.
North Korean hackers have stolen more than $650 million through multiple crypto heists during 2024 alone. The country has also been deploying IT workers to infiltrate blockchain and crypto companies as insider threats.
In April, a subgroup of Lazarus was found to have established three shell companies. Two of these companies were registered in the United States. These fronts were used to deliver malware to unsuspecting users and scam crypto developers.
Remote work policies and global hiring practices have made such operations easier to hide. By embedding operatives inside firms, the North Korean regime gains access to sensitive data and can deploy ransomware or malicious code.
The case highlights how state-sponsored cyber threats continue to evolve. Hackers are moving beyond direct technical attacks to more complex social engineering and infiltration strategies.
Kraken’s experience serves as a warning to other companies in the space. Organizations must remain vigilant against these sophisticated infiltration attempts, which blend technical deception with elaborate identity fraud.