Our teams recently identified a North Korean hacker’s attempts to infiltrate our ranks by applying for a job at Kraken.
Watch CBS News’ full coverage of how Kraken identified — and then strategically interacted with — a North Korean hacker who tried to get a job at Kraken
What started as a routine hiring process for an engineering role quickly turned into an intelligence gathering operation, as our teams carefully advanced the candidate through our hiring process to learn more about their tactics at every stage of the process.
This is an established challenge for the crypto community, with estimates indicating that North Korean hackers stole over $650 million from crypto firms in 2024 alone. We’re disclosing these events today as part of our ongoing transparency efforts and to help companies, both in crypto and beyond, to strengthen their defenses.
The candidate’s red flags
From the outset, something felt off about this candidate. During their initial call with our recruiter, they joined under a different name from the one on their resume, and quickly changed it. Even more suspicious, the candidate occasionally switched between voices, indicating that they were being coached through the interview in real time.
Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies. We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.
With this intelligence in hand, our Red Team launched an investigation using Open-Source Intelligence gathering (OSINT) methods. One method involved analyzing breach data, which hackers often use to identify users with weak or reused passwords. In this instance, we discovered that one of the emails associated with the malicious candidate was part of a larger network of fake identities and aliases.
This meant that our team had uncovered a hacking operation where one individual had established multiple identities to apply for roles in the crypto space and beyond. Several of the names had previously been hired by multiple companies, as our team identified work-related email addresses linked to them. One identity in this network was also a known foreign agent on the sanctions list.
As our team dug deeper into the candidate’s history and credentials, technical inconsistencies emerged
The candidate used remote colocated Mac desktops but interacted with other components through a VPN, a setup commonly deployed to hide location and network activity.
Their resume was linked to a GitHub profile containing an email address exposed in a past data breach.
The candidate’s primary form of ID appeared to be altered, likely using details stolen in an identity theft case two years prior.
By this point, the evidence was clear, and our team was confident this wasn’t just a suspicious job applicant, but a state-sponsored infiltration attempt.
Turning the tables – how our team responded
Instead of tipping off the applicant, our security and recruitment teams strategically advanced them through our rigorous recruitment process – not to hire, but to study their approach. This meant putting them through multiple rounds of technical infosec tests and verification tasks, designed to extract key details about their identity and tactics.
The final round interview? A casual chemistry interview with Kraken’s Chief Security Officer (CSO) Nick Percoco and several other team members. What the candidate didn’t realize was that this was a trap – a subtle but deliberate test of their identity.
Between standard interview questions, our team slipped in two-factor authentication prompts, such as asking the candidate to verify their location, hold up a government-issued ID, and even recommend some local restaurants in the city they claimed to be in.
At this point, the candidate unraveled. Flustered and caught off guard, they struggled with the basic verification tests, and couldn’t convincingly answer real-time questions about their city of residence or country of citizenship. By the end of the interview, the truth was clear: this was not a legitimate applicant, but an imposter attempting to infiltrate our systems.
Commenting on the events, CSO Nick Percoco, said:
“Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks.”
Key takeaways
Not all attackers break in, some try to walk through the front door. As cyber threats evolve, so must our security strategies. A holistic, proactive approach is critical to protect an organization.
Generative AI is making deception easier, but isn’t foolproof. Attackers can trick parts of the hiring process, like a technical assessment, but genuine candidates will usually pass real-time, unprompted verification tests. Try to avoid patterns in the types of verification questions that hiring managers use.
A culture of productive paranoia is key. Security isn’t just an IT responsibility. In the modern era, it’s an organizational mindset. By actively engaging this individual, we identified areas to strengthen our defenses against future infiltration attempts.
The next time a suspicious job application comes through remember: Sometimes, the biggest threats come disguised as opportunities.
The post appeared first on Kraken Blog.
