
Kraken, a prominent cryptocurrency exchange, uncovered a sophisticated infiltration attempt by a North Korean hacker posing as a job candidate.

The security and recruiting teams advanced the candidate in the hiring process. The goal was to study their strategies and obtain crucial information.

How a North Korean hacker attempted to infiltrate Kraken

Kraken detailed the incident in a recent blog post on May 1. The hacker applied for an engineering position at the exchange, initially appearing to be a legitimate candidate, supposedly named Steven Smith. However, several red flags arose during the hiring process.

“What began as a routine hiring process for an engineering position quickly turned into an intelligence-gathering operation, as our teams carefully advanced the candidate through our hiring process to learn more about their tactics at each stage,” Kraken reported.

The candidate used a different name during the interview and kept changing their voice, which suggested they were being guided by someone else. They had applied using an email address linked to North Korean hackers.

Additionally, the open-source intelligence (OSINT) investigation revealed the candidate's involvement in a network of false identities.

“This meant our team had uncovered a hacking operation where an individual had established multiple identities to apply for positions in the crypto space and beyond. Several of the names had already been hired by various companies, as our team identified work-related email addresses linked to them. One identity in this network was also a known foreign agent on the sanctions list,” the blog stated.

Furthermore, technical inconsistencies in their setup, such as the use of remote and colocated Mac desktops accessed via VPN and altered IDs, pointed to an infiltration attempt. This information confirmed that the candidate was likely a state-sponsored hacker.

In a final interview with the candidate, Kraken's Chief Security Officer, Nick Percoco, and several team members confirmed the company's suspicions. The candidate's inability to verify their location or answer questions about their city and citizenship revealed them as an impostor.

“Their job is to start working to steal intellectual property, steal money from these companies, get paid, and do this broadly,” Percoco told CBS about the hackers.

FinCEN proposes banning the Huione Group for ties to North Korea

Meanwhile, in another development, the U.S. Financial Crimes Enforcement Network (FinCEN) proposed banning the Cambodia-based Huione Group from the U.S. financial system. The department identified Huione as a key facilitator for North Korean hacker groups, including those involved in cyber heists and cryptocurrency scams known as “pig butchering.”

“The Huione Group has established itself as the market of choice for malicious cyber actors like the DPRK and criminal syndicates, who have stolen billions of dollars from everyday Americans,” Treasury Secretary Scott Bessent stated.

FinCEN accused the group of laundering over $4 billion in illicit funds between August 2021 and January 2025. According to the department, Huione's network, including Huione Pay, Huione Crypto, and Haowang Guarantee, is a preferred market for cryptocurrency criminals, offering services such as payment processing and an illicit online marketplace.

“The action proposed today will cut off the Huione Group's access to the correspondent bank, degrading the ability of these groups to launder their illicit gains. The Treasury remains committed to stopping any attempts by malicious cyber actors to secure revenue for or from their criminal schemes,” added Bessent.

These incidents highlighted a pattern of North Korean cyberattacks in the cryptocurrency sector. In 2024, hackers stole more than $659 million from crypto companies.

According to a joint statement from the United States, Japan, and South Korea, North Korean hackers targeted the industry using tactics like social engineering and malware (e.g., TraderTraitor, AppleJeus). Moreover, North Korean IT workers have been identified as insider threats to private sector companies.

Previously, reports from BeInCrypto highlighted the notorious Lazarus Group, a North Korean state-sponsored hacking collective involved in the Bybit and Upbit thefts. Hacking groups from the country were also behind the hack of Radiant Capital and the exploit of DMM Bitcoin.

Recently, on-chain investigator ZachXBT also uncovered significant North Korean involvement in decentralized finance (DeFi) protocols, some of which derive nearly 100% of their monthly volume/fees from the Democratic People's Republic of Korea (DPRK).

The article "Kraken exposes North Korean hacker posing as job candidate in infiltration attempt" was first seen on BeInCrypto Brazil.