North Koreans are plagiarizing online resumes and pretending to be from other countries to get remote work at cryptocurrency firms to aid illicit money-raising efforts for the government, cybersecurity researchers say following a U.S. warning on a similar scheme in May.
The fraudsters lift details they find on legitimate profiles on LinkedIn and Indeed for their resumes to get work at U.S. cryptocurrency firms, according to security researchers at Mandiant. One applicant identified by Mandiant on July 14 claimed to be an “innovative and strategic thinking professional” in the tech industry and an experienced software developer. “The world will see the great result from my hands,” the job seeker added in a cover letter.
Nearly identical language was found in another user’s profile.
The evidence detected by Mandiant reinforces allegations made by the U.S. government in May. The U.S. warned that North Korean IT workers are trying to obtain freelance employment abroad while posing as non-North Korean nationals, in part to raise money for government weapons development programs. The IT workers claim to have the kinds of skills necessary for complex work like mobile app development, building virtual currency exchanges and mobile gaming, according to the U.S. advisory.
The North Korean IT workers were primarily located in China and Russia, with a smaller number in Africa and Southeast Asia, according to the U.S. They also target freelance contracts in wealthier nations, including in North America and Europe, and in many cases, present themselves as being South Korean, Japanese or even U.S.-based teleworkers, according to the .w.arning.
According to the Mandiant researchers, by collecting information from crypto companies, North Koreans can gather intelligence about upcoming cryptocurrency trends. Such data — about topics like Ethereum virtual currency, nonfungible tokens and potential security lapses — could give the North Korean government an edge in how to launder cryptocurrency in a way that helps Pyongyang avoid sanctions, said Joe Dobson, a principal analyst at Mandiant.
“It comes down to insider threats,” he said. “If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.”
The North Korean government has consistently denied involvement in any cyber-enabled theft.
Other suspected North Koreans have fabricated job qualifications, with some users claiming on job applications to have published a white paper about the Bibox digital currency exchange, while another posed as a senior software developer at a consultancy focused on blockchain technology.
Mandiant researchers said they had identified multiple suspected North Korean personas on employment sites that have successfully been hired as freelance employees. They declined to name the employers.
“These are North Koreans trying to get hired and get to a place where they can funnel money back to the regime,” said Michael Barnhart, a principal analyst at Mandiant.
In addition, North Korean users, claiming to have programming skills, have posed questions on the coding site GitHub, where software developers publicly discuss their findings, about larger trends in the cryptocurrency world, according to the Mandiant researchers.
In April, Jonathan Wu, an executive at Aztec Network, a blockchain company, described the experience of conducting a job interview with a possible North Korean hacker as leaving him “a little shaken.” “Terrifying, hilarious and a reminder to be paranoid and triple-check your OpSec practices,” he wrote, in a Twitter thread. Neither Wu nor the company responded to messages seeking comment.
In a related tactic, suspected North Korean hackers have replicated Indeed.com and used it to gather information on website visitors, according to Alphabet Inc.’s Google. By setting up websites that appear to be real, spies can dupe job-seekers into sending their resume, thus beginning a conversation that could enable hackers to breach their machine or steal their data, according Ryan Kalember, executive vice president at the email security firm Proofpoint Inc.
Other fake domains, created by suspected North Korean operators, impersonated ZipRecruiter, a Disney careers page and a site called Variety Jobs, according to Google.
“We see a torrent of this every day,” said Kalember. “Their ability to come up with convincing cover companies is getting better and better.”
In February, the security firm Qualys Inc. said it detected a phishing campaign in which the so-called Lazarus Group, a name that the US government sometimes uses to describe Pyongyang-backed hackers, targeted job applicants who applied for roles at Lockheed Martin.
The hackers sent individual messages that appeared to be from Lockheed Martin, using email attachments that appeared to include information from the company but in fact contained malicious software. The ruse followed similar efforts in which attackers posed as BAE Systems and Northrop Grumman, according to Qualys.
“If you look at the job listings, they’re appealing to people’s ego and the desire for money,” said Adam Meyers, senior vice president of intelligence at CrowdStrike Holdings Inc. “They’re capitalizing on that, but the fake job listings are an opening gambit for their broader cyberattacks and espionage.”
North Korea’s focus on stealing cryptocurrency comes after the country’s hackers spent years stealing money from the global financial system, Mandiant researchers said. After a notorious 2016 heist on Bangladesh Bank, where the US accused North Korean thieves of trying to steal close to $1 billion, global banks added safeguards meant to stop such breaches.
“The market has changed where banks are more secure, and cryptocurrency is a totally new market,” Dobson said. “We’ve seen them go after end-users, crypto exchanges and now the crypto bridges.”