By Sam Kessler, Coindesk

Compiled by Joy, PANews

Article highlights:

  • CoinDesk found more than a dozen cryptocurrency companies that unknowingly hired IT workers from North Korea, including well-known blockchain projects such as Injective, ZeroLend, Fantom, Sushi, Yearn Finance and Cosmos Hub.

  • The employees used fake IDs, successfully interviewed, passed qualification checks, and provided real work history.

  • Hiring North Korean workers is illegal in the United States and other countries that have imposed sanctions on North Korea. This also poses security risks, and CoinDesk has found that several companies have been hacked after hiring North Korean IT workers.

  • "Everyone is trying to screen these people out," said Zaki Manian, a prominent blockchain developer who said he inadvertently hired two North Korean IT workers in 2021 to help develop the Cosmos Hub blockchain.

In 2023, cryptocurrency company Truflation was still in its infancy when founder Stefan Rust unknowingly hired his first North Korean employee.

“We were always looking for a good developer,” Rust said from his home in Switzerland. Unexpectedly, “this developer found us.”

“Ryuhei” sent his resume via Telegram, claiming to be working in Japan. Soon after he was hired, strange inconsistencies began to surface.

At one point, “I was on the phone with this guy, and he said he had an earthquake,” Rust recalled. But there hadn’t been any recent earthquakes in Japan. Then the employee started missing calls, and when he showed up, “it wasn’t him,” Rust said. “It was someone else.” Whoever it was had dropped the Japanese accent.

Rust soon learned that “Ryuhei” and four other employees (more than a third of his team) were North Korean. Rust had inadvertently fallen into an organized North Korean plot to provide its employees with remote overseas work and remit the earnings back to Pyongyang.

U.S. authorities have recently stepped up warnings that North Korean IT workers, who earn up to $600 million a year for North Korea, are infiltrating tech companies, including cryptocurrency employers, and using the proceeds to fund the country’s nuclear weapons program, according to a 2024 United Nations report.

Hiring and paying workers — even unintentionally — violates United Nations sanctions and is illegal in the United States and many other countries. It also poses a serious security risk, as North Korean hackers have been known to target companies by secretly getting hired as employees.

A CoinDesk investigation revealed how aggressively and frequently North Korean job seekers target cryptocurrency companies — successfully interviewing, passing background checks and even demonstrating an impressive history of code contributions on the open-source software repository GitHub.

CoinDesk spoke to more than a dozen cryptocurrency companies that said they had inadvertently hired IT workers from North Korea.

These interviews with founders, blockchain researchers, and industry experts suggest that North Korean IT workers are far more prevalent in the crypto industry than previously thought. Nearly every hiring manager interviewed for this article admitted that they had interviewed suspected North Korean developers, hired them without knowing it, or knew someone who had done so.

“In the entire crypto industry, the proportion of resumes, job seekers or contributors from North Korea may be more than 50%,” said Zaki Manian, a well-known blockchain developer. He said that he accidentally hired two North Korean IT employees in 2021 to help develop the Cosmos Hub blockchain. “Everyone is trying to screen out these people.”

Among the unwitting North Korean employers CoinDesk found were several well-known blockchain projects, such as Cosmos Hub, Injective, ZeroLend, Fantom, Sushi and Yearn Finance. “This is all happening behind the scenes,” Manian said.

The investigation is the first time the companies have publicly acknowledged they have inadvertently hired North Korean IT workers.

In many cases, North Korean workers perform their jobs like regular employees; so, in a sense, employers essentially get what they pay for. But CoinDesk found evidence that these employees then wired their salaries to blockchain addresses associated with the North Korean government.

CoinDesk’s investigation also uncovered several cases where crypto projects that hired North Korean IT employees were later hacked. In some of these cases, it was possible to directly link the theft to suspected North Korean IT employees on the company’s payroll. This was the case with Sushi, a well-known DeFi protocol that lost $3 million in a 2021 hack.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) and the Justice Department began publicizing North Korea’s attempts to infiltrate the U.S. cryptocurrency industry in 2022. CoinDesk found evidence that North Korean IT workers began working at cryptocurrency companies under false identities long before that, at least as early as 2018.

“I think a lot of people have made the mistake of thinking this is something that just happened,” Manian said. “These people have GitHub accounts and other things going back to 2016, 2017, 2018.” (GitHub, owned by Microsoft, is the online platform many software organizations use to host code and allow developers to collaborate.)

CoinDesk used a variety of methods to connect North Korean IT workers to companies, including blockchain payment records, public GitHub code contributions, emails from U.S. government officials and direct interviews with target companies. One of the largest North Korean payment networks investigated by CoinDesk was discovered by blockchain investigator ZachXBT, who published a list of suspected North Korean developers in August.

Many of the employers who previously remained silent for fear of unwanted publicity or legal consequences are now speaking out in response to a trove of payment records and other evidence unearthed by CoinDesk, sharing their stories for the first time and shedding light on the massive success and scale of North Korea’s infiltration of the cryptocurrency industry.

Forged documents

After hiring Ryuhei, who was ostensibly from Japan, Rust’s Truflation was flooded with new applications. Within a few months, Rust had unknowingly hired four more North Korean developers who said they were based in Montreal, Vancouver, Houston, and Singapore.

The crypto industry is particularly vulnerable to infiltration by North Korean IT workers. Its workforce is highly global, and crypto companies are often more willing than other companies to hire fully remote (even anonymous) developers.

CoinDesk reviewed job applications from suspected North Korean workers that cryptocurrency companies received through a variety of channels, including messaging platforms like Telegram and Discord, cryptocurrency-specific job boards like Crypto Jobs List and recruiting sites like Indeed.

“Where they’re most likely to be hired is from these really fresh, newly minted teams that are willing to hire from Discord,” said Taylor Monahan, product manager at crypto wallet app MetaMask, who frequently publishes security research related to North Korean crypto activity. “They don’t have processes in place to hire people who have gone through background checks. They’re willing to pay in cryptocurrency a lot of times.”

Rust said he did background checks on all new Truflation employees. “They sent us their passports and IDs, gave us their GitHub repositories, did some testing, and then we basically hired them.”


An applicant who is suspected of being a North Korean citizen submitted a Texas driver's license as identification to cryptocurrency company Truflation. CoinDesk is withholding some details because North Korean IT workers have a history of using stolen IDs. (Image courtesy of Stefan Rust)

To the layperson, most forged documents are indistinguishable from authentic passports and visas, but experts told CoinDesk that professional background check services would likely spot the forgeries.

One of the suspected North Korean IT employees identified by ZachXBT, “Naoki Murano,” provided the company with a seemingly authentic Japanese passport. (Photo courtesy of Taylor Monahan)

While startups are less likely to use professional background investigators, "we do see North Korean IT personnel at large companies, either as actual employees or at least contractors," Monahan said.

Hiding in plain sight

In many cases, CoinDesk identified North Korean IT workers at companies using publicly available blockchain data.

In 2021, blockchain developer Manian needed some help with his company, Iqlusion. He was looking for freelance programmers who could help with a project to upgrade the popular Cosmos Hub blockchain. He found two new hires; they performed exceptionally well.

Manian had never met the freelancers, “Jun Kai” and “Sarawut Sanit,” in person. They had previously collaborated on an open-source software project funded by the closely related blockchain network THORChain, and they told Manian they were in Singapore.

“I’ve been talking to them almost every day for a year,” Manian said. “They’ve done their job. And frankly, I’m very pleased.”

Two years after the freelancers completed their work, Manian received an email from an FBI agent who was investigating token transfers that appeared to come from Iqlusion and were being sent to suspected North Korean crypto wallet addresses. The transfers in question turned out to be payments from Iqlusion to Kai and Sanit.


Left: An FBI agent (name removed) asks Zaki Manian for information about two blockchain payments from his company, Iqlusion. Right: Manian tells the agent the transactions were between Iqlusion and multiple contractors.

The FBI never confirmed to Manian that the developers he contracted were North Korean agents, but a CoinDesk review of Kai and Sanit’s blockchain addresses showed that during 2021 and 2022 they wired revenue to two individuals on the OFAC sanctions list: Kim Sang Man and Sim Hyon Sop.

According to OFAC, Sim was a representative of North Korea’s Kwangson Bank, which laundered IT workers’ funds to help “finance North Korea’s weapons of mass destruction and ballistic missile programs.” Sarawut appears to have funneled all of his earnings into Sim and other blockchain wallets associated with Sim.


Blockchain records from April to December 2022 show that “Sarawut Sanit” sent all of his wages to a wallet associated with OFAC-sanctioned North Korean agent Sim Hyon Sop. (A selection of Ethereum wallets tracked by CoinDesk. Asset prices estimated by Arkham.)

Meanwhile, Kai wired nearly $8 million directly to Kim, who, according to the 2023 OFAC advisory, was a representative of the North Korean-run Chinyong Information Technology Partnership, which “employed delegations of North Korean IT workers working in Russia and Laos through companies it controlled and its representatives.”


Throughout 2021, “Jun Kai” sent $7.7 million worth of cryptocurrency directly to blockchain addresses on the OFAC sanctions list associated with Kim Sang Man. (A selection of Ethereum wallets tracked by CoinDesk. Asset prices estimated by Arkham.)

Iqlusion’s salary to Kai accounted for less than $50,000 of the nearly $8 million he gave Kim, with the rest of the money coming in part from other cryptocurrency companies.

For example, CoinDesk found that the Fantom Foundation, which develops the widely used Fantom blockchain, made payments to “Jun Kai” and another developer with ties to North Korea.

“Fantom did confirm that two external individuals were implicated with North Korea in 2021. However, the developers involved were involved in an external project that was never completed and never deployed,” a spokesperson for the Fantom Foundation told CoinDesk.

According to the Fantom Foundation, "the two employees involved have been fired. They have never contributed any malicious code, never accessed Fantom's code base, and Fantom users have not been affected." The spokesperson said that a North Korean employee had attempted to attack Fantom's servers but failed due to lack of necessary access rights.

According to the OpenSanctions database, Kim’s blockchain address associated with North Korea was not published by the government until May 2023, more than two years after the Iqlusion and Fantom payments.
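The tracing described in this section, in which contractor payout addresses are followed forward until they reach an OFAC-listed wallet, can be illustrated as a simple outward search over a transfer graph. This is an added example and not CoinDesk's, Arkham's or any firm's tooling; the ledger, address labels and dollar values below are constructed for illustration and are not real on-chain data.

```python
"""Screen an employer's payees for onward flows to sanctions-listed addresses."""
from collections import defaultdict, deque

# Constructed sample ledger (not real addresses or amounts): (sender, receiver, usd).
# The labels mirror the roles in the article: an employer payroll wallet, contractors,
# an intermediary hop, and two OFAC-designated endpoints.
LEDGER = [
    ("iqlusion_payroll", "contractor_kai", 24_000),
    ("iqlusion_payroll", "contractor_sanit", 22_000),
    ("iqlusion_payroll", "contractor_clean", 30_000),
    ("other_employer", "contractor_kai", 900_000),
    ("contractor_kai", "ofac_kim", 920_000),
    ("contractor_sanit", "hop_wallet", 22_000),
    ("hop_wallet", "ofac_sim", 21_500),
    ("contractor_clean", "exchange_deposit", 30_000),
]

# Sanctions list: address -> public designation label (constructed mapping).
SANCTIONED = {"ofac_kim": "Kim Sang Man", "ofac_sim": "Sim Hyon Sop"}


def build_graph(ledger):
    """Aggregate transfers into an adjacency map: sender -> {receiver: total_usd}."""
    graph = defaultdict(lambda: defaultdict(float))
    for sender, receiver, usd in ledger:
        graph[sender][receiver] += usd
    return graph


def trace_to_sanctioned(graph, start, sanctioned, max_hops=3):
    """Breadth-first search outward from `start`.

    Returns every path (tuple of addresses) that reaches a sanctioned address
    within `max_hops` transfers. Cycles are skipped and the search does not
    continue past a sanctioned endpoint.
    """
    hits = []
    queue = deque([(start, (start,))])
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt in graph.get(node, {}):
            if nxt in path:  # avoid looping through the same wallet twice
                continue
            new_path = path + (nxt,)
            if nxt in sanctioned:
                hits.append(new_path)
            else:
                queue.append((nxt, new_path))
    return hits


def payroll_exposure(ledger, employer, sanctioned, max_hops=3):
    """For each address the employer paid, list (designation, hop_count) pairs
    for every sanctioned endpoint its funds reached, sorted for stable output."""
    graph = build_graph(ledger)
    report = {}
    for payee in graph.get(employer, {}):
        paths = trace_to_sanctioned(graph, payee, sanctioned, max_hops)
        report[payee] = sorted({(sanctioned[p[-1]], len(p) - 1) for p in paths})
    return report


if __name__ == "__main__":
    for payee, hits in payroll_exposure(LEDGER, "iqlusion_payroll", SANCTIONED).items():
        status = "; ".join(f"{name} ({hops} hop)" for name, hops in hits) or "no exposure found"
        print(f"{payee}: {status}")
```

A real screening run would feed this from an indexer's transfer export and a maintained sanctions list; the hop limit keeps the search from attributing exposure through high-traffic wallets such as exchange deposit addresses.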

Room for maneuver

The United States and the United Nations imposed sanctions on the employment of North Korean IT workers in 2016 and 2017, respectively.

Whether or not a company knows it, paying North Korean workers is illegal in the United States, a legal concept known as "strict liability."

Nor does it matter where the company is located: Hiring North Korean workers poses legal risks for any company doing business in a country that has imposed sanctions on North Korea.

However, the United States and other UN member states have yet to prosecute crypto companies that employ North Korean IT workers.

The U.S. Treasury Department opened an investigation into U.S.-based Iqlusion, but Manian said the probe ended without any penalties.

U.S. authorities have been lenient about bringing charges against the companies — an acknowledgment, in part, that they were the victims of an unusually sophisticated and complex identity fraud at best, or a most humiliating and long-running scam at worst.

In addition to the legal risks, MetaMask’s Monahan explained that paying North Korean IT workers is also “bad because you’re paying people who are essentially being exploited by the regime.”

According to the 615-page UN Security Council report, North Korean IT workers are only allowed to keep a small portion of their wages. "Low-income earners keep 10%, while high-income earners can keep 30%," the report states.

While those salaries may still be high relative to North Korean averages, “I don’t care where they live,” Monahan said. “If I’m paying someone and they’re forced to send their entire paycheck to their boss, that makes me very uncomfortable. And if their boss is the North Korean regime, that makes me even more uncomfortable.”

CoinDesk contacted several suspected North Korean IT workers during the reporting process but has not yet received a response.

Future

CoinDesk has identified more than 20 companies that may employ North Korean IT workers by analyzing blockchain payment records involving OFAC-sanctioned entities. Twelve of the companies CoinDesk presented with the relevant records confirmed that they had previously found suspected North Korean IT workers on their payrolls.

Some declined to comment further for fear of legal consequences, but others agreed to share their stories in the hope that others can learn from their experiences.

In many cases, North Korean employees are easier to identify once they are hired.

Eric Chen, CEO of Injective, a project focused on decentralized finance, said he signed a freelance developer in 2020 but quickly fired him for poor performance.

“He didn’t last long,” Chen said. “He wrote bad code and it didn’t work well.” Chen didn’t know the employee had ties to North Korea until last year, when a U.S. “government agency” contacted Injective.

Several companies told CoinDesk they fired an employee before they learned of any ties to North Korea — citing substandard work quality.

'Several months of payroll'

Still, like any group of developers, North Korean IT workers vary in ability.

On one hand, you have employees who “come in, go through the interview process, and make a few months’ salary,” Manian said. “And then on the other hand, when you interview these people, you find out that their actual technical skills are really strong.”

Rust recalls meeting "a really great developer" while at Truflation who claimed to be from Vancouver, but turned out to be from North Korea. "He was a really young guy," Rust said. "It felt like he was fresh out of college. Kind of green, very enthusiastic, very excited to have the opportunity to work."

In another example, DeFi startup Cluster fired two developers in August after ZachXBT provided evidence that the two developers had ties to North Korea.

“It was incredible how much these people knew,” Cluster’s pseudonymous founder z3n told CoinDesk. In retrospect, there were some “obvious red flags.” For example, “they would change the payment address every two weeks, and they would change their Discord name or Telegram name every month or so.”

Webcam Off

In conversations with CoinDesk, many employers said that, once they learned their employees might be North Korean, oddities they had noticed earlier suddenly made more sense.

Sometimes these cues are subtle, such as an employee’s work hours not matching their claimed location.

Other employers, such as Truflation, have noted that several people may be posing as a single employee, and that they hide this by keeping their webcams off. (They are almost always men.)

This quirk makes more sense when a company’s employee attends meetings in the morning but later in the day seems to have forgotten everything discussed, despite having already spoken with many of the same people.

When Rust expressed his concerns about the “Japanese” employee, Ryuhei, to an investor with experience tracking criminal payment networks, the investor quickly identified four other suspected North Korean IT workers on Truflation’s payroll.

“We cut ties immediately,” Rust said, adding that his team conducted a security audit of its code, enhanced its background check process and changed some policies. One of the new policies required remote workers to turn on their webcams.

$3 million hack

Many employers CoinDesk consulted mistakenly believe North Korean IT workers operate independently of the country’s hacking arm, but blockchain data and conversations with experts suggest North Korean hacking and IT workers are often linked.

In September 2021, MISO, a platform built by Sushi for issuing crypto tokens, lost $3 million in a theft. CoinDesk found evidence that the attack was linked to Sushi's hiring of two developers whose blockchain payment records were linked to North Korea.

At the time of the hack, Sushi was one of the most closely watched platforms in the emerging DeFi space. More than $5 billion had been deposited into SushiSwap, which primarily functions as a “decentralized exchange” for people to trade cryptocurrencies without an intermediary.

Joseph Delong, then Sushi’s chief technology officer, traced the MISO theft to two freelance developers who worked on the platform: They used the names Anthony Keller and Sava Grujic. Delong said these developers (who he now suspects are the same person or group) injected malicious code into the MISO platform, transferring funds to wallets they controlled.

When Keller and Grujic were hired by Sushi DAO, the decentralized autonomous organization that manages the Sushi protocol, they provided credentials that were typical and even impressive for entry-level developers.

Keller uses the alias “eratos1122” in public, but when he applied for a job at MISO, he used what appeared to be his real name, “Anthony Keller.” In a resume Delong shared with CoinDesk, Keller claimed to live in Gainesville, Georgia, and graduated from the University of Phoenix with a bachelor’s degree in computer engineering. (The university did not respond to a request to confirm whether it has a graduate with the same name.)


“Anthony Keller” claims to live in Gainesville, Georgia, and his resume lists his work experience at the popular decentralized finance app Yearn.

Keller’s resume does mention previous work. The most impressive of these was Yearn Finance, a very popular crypto investment protocol that offers users a way to earn interest through a range of investment strategies. Banteg, a core developer at Yearn, confirmed that Keller worked on Coordinape, an application developed by Yearn to help teams collaborate and facilitate payments. (Banteg said Keller’s work was limited to Coordinape and he did not have access to Yearn’s core codebase.)

According to Delong, Keller introduced Grujic to MISO and the two claimed to be "friends." Like Keller, Grujic provided a resume with his real name, not his online pseudonym "AristoK3." He claims to be from Serbia and graduated from the University of Belgrade with a bachelor's degree in computer science. His GitHub account is active and his resume lists his work experience in several smaller crypto projects and gaming startups.


In his resume, "Sava Grujic" lists five years of programming experience and claims to be based in Belgrade, Serbia.

Rachel Chu, a former core developer at Sushi who worked closely with Keller and Grujic before the theft, said she had been “suspicious” about the pair before the hack.

Despite the distance between them, Grujic and Keller had “the same accent” and “the same way of texting,” Chu said. “Every time we talked, they had some background noise, like they were in a factory,” she added. Chu recalled that she had seen Keller’s face but never Grujic’s. According to Chu, Keller’s camera was “zoomed in” so she couldn’t see what was behind him.

Grujic and Keller ultimately stopped contributing to MISO around the same time. “We thought they were the same person,” Delong said, “so we stopped paying them.” It was the height of the COVID-19 pandemic, and it wasn’t uncommon for remote cryptocurrency developers to pose as multiple people to draw extra pay from the same payroll.

After Grujic and Keller were fired in the summer of 2021, the Sushi team neglected to revoke their access to the MISO codebase.

On Sept. 2, Grujic, using his online handle “Aristok3,” submitted malicious code to the MISO platform that transferred $3 million to a new cryptocurrency wallet, according to a screenshot obtained by CoinDesk.

"Sava Grujic" submitted tainted code to Sushi's MISO using the pseudonym AristoK3. (Screenshot courtesy of Joseph Delong)

CoinDesk’s analysis of blockchain payment records suggests a possible connection between Grujic, Keller, and North Korea. In March 2021, Keller posted a blockchain address in a now-deleted tweet. CoinDesk found multiple payments between that address, Grujic’s hacker address, and Keller’s address on file with Sushi. According to Delong, Sushi’s internal investigation ultimately concluded that the address belonged to Keller.


Blockchain addresses tied to Keller and Grujic sent most of the funds to wallets associated with North Korea between 2021 and 2022. (A selection of Ethereum wallets tracked by CoinDesk. Asset prices estimated by Arkham.)

CoinDesk found that the address sent most of the funds to “Jun Kai” (the Iqlusion developer who sent money to OFAC-sanctioned Kim Sang Man) and another wallet that appeared to act as a proxy for North Korea (because it also paid Kim).

Sushi’s internal investigation found that Keller and Grujic frequently operated from Russian IP addresses, lending credence to the notion that they were North Korean. OFAC says North Korean IT workers are sometimes based in Russia. (The U.S. phone number on Keller’s resume is no longer in service, and his “eratos1122” Github and Twitter accounts have been deleted.)

CoinDesk also found evidence that Sushi hired another suspected North Korean IT contractor at the same time as Keller and Grujic. ZachXBT calls this developer "Gary Lee," who coded under the pseudonym LightFury and wired revenue to "Jun Kai" and another proxy address associated with Kim.


From 2021 to 2022, Sushi also employed another apparent North Korean contractor named “Gary Lee.” The worker wired his 2021-2022 earnings to blockchain addresses associated with North Korea, including a wallet used by Iqlusion’s “Jun Kai.” (A selection of Ethereum wallets tracked by CoinDesk. Asset prices estimated by Arkham.)

Grujic returned the stolen funds after Sushi publicly attributed the attack to Keller’s pseudonym “eratos1122” and threatened to involve the FBI. While it seems counterintuitive that North Korean IT workers would care about protecting fake identities, North Korean IT workers appear to reuse certain names and build their reputations by contributing to many projects, perhaps to gain the trust of future employers.

One might argue that protecting the alias Anthony Keller is more profitable in the long run: In 2023, two years after the Sushi incident, a person named "Anthony Keller" applied to Stefan Rust's company Truflation.

CoinDesk attempted to contact “Anthony Keller” and “Sava Grujic” for comment but was unsuccessful.

North Korean-style robbery

North Korea has stolen more than $3 billion in cryptocurrency through hacking over the past seven years, according to the United Nations. Blockchain analysis firm Chainalysis tracked 15 hacking attacks linked to North Korea in the first half of 2023, “about half of which involved thefts involving IT workers,” said Madeleine Kennedy, a spokeswoman for the company.

North Korea’s cyberattacks don’t resemble the Hollywood version of hacking, with hoodie-wearing programmers using complex code and black-and-green terminals to break into mainframes.

North Korean-style attacks are decidedly low-tech. They typically involve some form of social engineering, where the attacker gains the trust of a victim who holds system keys, and then extracts those keys directly through something as simple as a malicious email link.

"We've never seen a real attack from North Korea so far," Monahan said. "They always do social engineering first, then they compromise the device, then they steal the private key."

IT workers are well suited to contribute to North Korea’s heists, either by obtaining personal information that can be used to compromise potential targets or by directly accessing software systems that are awash with digital cash.

A series of coincidences

On Sept. 25, just as this article was about to go to press, CoinDesk arranged a video call with Truflation’s Rust. The plan was to verify some of the details he had previously shared.

A panicked Rust joined the call 15 minutes late. He had just been hacked.

CoinDesk contacted more than 20 projects that appear to have been duped into hiring North Korean IT workers. In the last two weeks alone, two of them were hacked: Truflation and a cryptocurrency lending app called Delta Prime.

It is too early to tell whether the two hacking incidents are directly linked to the unintentional hiring of North Korean IT employees.

Delta Prime was hacked first, on Sept. 16, after CoinDesk uncovered payments and code contributions between Delta Prime and Naoki Murano, one of the developers flagged by anonymous blockchain sleuth ZachXBT as having ties to North Korea.

The project lost more than $7 million; the official explanation was that “private keys were leaked.” Delta Prime did not respond to multiple requests for comment.

Less than two weeks later, the Truflation hack followed. About two hours before speaking to CoinDesk, Rust noticed a flow of funds out of his crypto wallet. He had just returned from a business trip to Singapore and was trying to figure out what he had done wrong. “I just don’t know how it happened,” he said. “I had my laptops locked in a wall safe at the hotel. I had my phone with me at all times.”

As Rust spoke, millions of dollars were flowing out of his personal blockchain wallet. "I mean, this is really bad. This is money for my kids' tuition and my pension."

Truflation and Rust ultimately lost about $5 million, with officials determining the cause of the loss to be the theft of private keys.