The fraudsters are plundering job listings on LinkedIn and Indeed, incorporating details they find on legitimate profiles into their own resumes in order to try getting hired at US cryptocurrency firms, according to security researchers at Mandiant Inc. One suspected North Korean job seeker recently claimed to be an “innovative and strategic thinking professional” in the tech industry, according to Mandiant, and added, “The world will see the great result from my hands.” The job applicant’s account, which Mandiant identified on July 14, claimed to be from an experienced software developer. But researchers found nearly identical language in another person’s profile.
By collecting information from crypto companies, the researchers said, North Koreans can gather intelligence about upcoming cryptocurrency trends. Such data – about topics like Ethereum virtual currency, nonfungible tokens and potential security lapses – could give the North Korean government an edge in how to launder cryptocurrency in a way that helps Pyongyang avoid sanctions, said Joe Dobson, a principal analyst at Mandiant.
“It comes down to insider threats,” he said. “If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.”
The North Korean government has consistently denied involvement in any cyber-enabled theft.
Other suspected North Koreans have fabricated job qualifications, with some users claiming on job applications to have published a white paper about the Bibox digital currency exchange, while another posed as a senior software developer at a consultancy focused on blockchain technology.
Mandiant researchers said they had identified multiple suspected North Korean personas on employment sites that have successfully been hired as freelance employees. They declined to name the employers.
“These are North Koreans trying to get hired and get to a place where they can funnel money back to the regime,” said Michael Barnhart, a principal analyst at Mandiant.
In addition, North Korean users, claiming to have programming skills, have posed questions on the coding site GitHub Inc., where software developers publicly discuss their findings, about larger trends in the cryptocurrency world, according to the Mandiant researchers.
The evidence detected by Mandiant reinforces allegations made by the US government in May. The US warned that North Korean IT workers are trying to obtain freelance employment abroad while posing as non-North Korean nationals, in part to raise money for government weapons development programs. The IT workers claim to have the kinds of skills necessary for complex work like mobile app development, building virtual currency exchanges and mobile gaming, according to the US advisory.
North Korean IT workers “target freelance contracts from employers located in wealthier nations,” according to the US’s 16-page advisory released in May. In many instances, the North Korean workers present themselves as South Korean, Chinese, Japanese or Eastern European and US-based teleworkers, according to the US advisory.
In April, an executive at Aztec Network, a blockchain company, described the experience of conducting a job interview with a possible North Korean hacker as leaving him “a little shaken.” “Terrifying, hilarious and a reminder to be paranoid and triple-check your OpSec practices,” he wrote, in a Twitter thread. The executive didn’t respond to a message seeking comment.
In a related tactic, suspected North Korean hackers have replicated Indeed.com and used it to gather information on website visitors, according to Alphabet Inc.’s Google. By setting up websites that appear to be real, spies can dupe job-seekers into sending their resume, thus beginning a conversation that could enable hackers to breach their machine or steal their data, according Ryan Kalember, executive vice president at the email security firm Proofpoint Inc.
Other fake domains, created by suspected North Korean operators, impersonated ZipRecruiter, a Disney careers page and a site called Variety Jobs, according to Google.
“We see a torrent of this everyday,” said Kalember. “Their ability to come up with convincing cover companies is getting better and better.”
In February, the security firm Qualys Inc. said it detected a phishing campaign in which the so-called Lazarus Group, a name that the US government sometimes uses to describe Pyongyang-backed hackers, targeted job applicants who applied for roles at Lockheed Martin Corp.
The hackers sent individual messages that appeared to be from Lockheed Martin, using email attachments that appeared to include information from the company but in fact contained malicious software. The ruse followed similar efforts in which attackers posed as BAE Systems Plc and Northrop Grumman Corp., according to Qualys.
“If you look at the job listings, they’re appealing to people’s ego and the desire for money,” said Adam Meyers, senior vice president of intelligence at CrowdStrike Holdings Inc. “They’re capitalizing on that, but the fake job listings are an opening gambit for their broader cyberattacks and espionage.”
North Korea’s focus on stealing cryptocurrency comes after the country’s hackers spent years stealing money from the global financial system, Mandiant researchers said. After a notorious 2016 heist on Bangladesh Bank, where the US accused North Korean thieves of trying to steal close to $1 billion, global banks added safeguards meant to stop such breaches.
“The market has changed where banks are more secure, and cryptocurrency is a totally new market,” Dobson said. “We’ve seen them go after end-users, crypto exchanges and now the crypto bridges.”