North Koreans are plagiarising online résumés and pretending to be from other countries to get remote work at cryptocurrency firms to aid illicit money-raising efforts for the government, cybersecurity researchers say.
The fraudsters lift details they find on legitimate profiles on LinkedIn and Indeed for their resumes to get work at US cryptocurrency firms, according to security researchers at Mandiant Inc.
One applicant identified by Mandiant on July 14 claimed to be an “innovative and strategic thinking professional” in the tech industry and an experienced software developer. “The world will see the great result from my hands,” the jobseeker added in a cover letter. Nearly identical language was found in another user’s profile.
The evidence detected by Mandiant reinforces allegations made by the US government in May. The United States warned that North Korean IT workers are trying to obtain freelance employment abroad while posing as non-North Korean nationals, in part to raise money for government weapons development programmes. The IT workers claim to have the kinds of skills necessary for complex work like mobile app development, building virtual currency exchanges and mobile gaming, according to the US advisory.
The North Korean IT workers were primarily located in China and Russia, with a smaller number in Africa and Southeast Asia, according to the US. They also target freelance contracts in wealthier nations, including in North America and Europe, and in many cases, present themselves as being South Korean, Japanese or even US-based teleworkers, according to the US warning.
According to the Mandiant researchers, by collecting information from cryptocurrency companies, North Koreans can gather intelligence about coming cryptocurrency trends. Such data – about topics such as the Ethereum virtual currency, nonfungible tokens and potential security lapses – could give the North Korean government an edge in how to launder cryptocurrency in a way that helps Pyongyang avoid sanctions, said Joe Dobson, a principal analyst at Mandiant.
“It comes down to insider threats,” Dobson said. “If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.”
The North Korean government has consistently denied involvement in any cyber-enabled theft.
Other suspected North Koreans have fabricated job qualifications, with some users claiming on job applications to have published a white paper about the Bibox digital currency exchange, while another posed as a senior software developer at a consultancy focused on blockchain technology.
Mandiant researchers said they had identified multiple suspected North Korean personas on employment sites that have successfully been hired as freelance employees. They declined to name the employers.
“These are North Koreans trying to get hired and get to a place where they can funnel money back to the regime,” said Michael Barnhart, a principal analyst at Mandiant.
In addition, North Korean users, claiming to have programming skills, have posed questions on the coding site GitHub Inc., where software developers publicly discuss their findings, about larger trends in the cryptocurrency world, according to the Mandiant researchers.
North Korean IT workers “target freelance contracts from employers located in wealthier nations,” according to the US’s 16-page advisory released in May. In many instances, the North Korean workers present themselves as South Korean, Chinese, Japanese or Eastern European and US-based teleworkers, according to the US advisory.
In April, Jonathan Wu, an executive at Aztec Network, a blockchain company, described the experience of conducting a job interview with a possible North Korean hacker as leaving him “a little shaken”. “Terrifying, hilarious and a reminder to be paranoid and triple-check your OpSec practices,” he wrote, in a Twitter thread. Neither Wu nor the company responded to messages seeking comment.
In a related tactic, suspected North Korean hackers have replicated Indeed.com and used it to gather information on website visitors, according to Alphabet Inc.’s Google. By setting up websites that appear to be real, spies can dupe jobseekers into sending their résumés, thus beginning a conversation that could enable hackers to breach their machine or steal their data, according Ryan Kalember, executive vice-president at the email security firm Proofpoint Inc.
Other fake domains, created by suspected North Korean operators, impersonated ZipRecruiter, a Disney careers page and a site called Variety Jobs, according to Google.
“We see a torrent of this every day,” said Kalember. “Their ability to come up with convincing cover companies is getting better and better.”
In February, the security firm Qualys Inc. said it detected a phishing campaign in which the so-called Lazarus Group, a name that the US government sometimes uses to describe Pyongyang-backed hackers, targeted job applicants who applied for roles at Lockheed Martin Corp.
The hackers sent individual messages that appeared to be from Lockheed Martin, using email attachments that appeared to include information from the company but in fact contained malicious software. The ruse followed similar efforts in which attackers posed as BAE Systems Plc and Northrop Grumman Corp., according to Qualys.
“If you look at the job listings, they’re appealing to people’s ego and the desire for money,” said Adam Meyers, senior vice-president of intelligence at CrowdStrike Holdings Inc. “They’re capitalising on that, but the fake job listings are an opening gambit for their broader cyberattacks and espionage.”
North Korea’s focus on stealing cryptocurrency comes after the country’s hackers spent years stealing money from the global financial system, Mandiant researchers said. After a notorious 2016 heist on Bangladesh Bank, where the US accused North Korean thieves of trying to steal close to US$1 billion, global banks added safeguards meant to stop such breaches.
“The market has changed where banks are more secure, and cryptocurrency is a totally new market,” Dobson said. “We’ve seen them go after end users, crypto exchanges and now the crypto bridges.”