Inside Binance’s Battle Against North Korean Cybercriminals Posing as Job Applicants

North Korean Cyber Threats to Cryptocurrency

In a recent interview, Jimmy Su, the chief security officer of Binance, divulged that the cryptocurrency exchange is bombarded with fraudulent job applications every day, which are suspected to originate from North Korean cyber operatives. These would-be attackers, he believes, pose the greatest risk to the cryptocurrency sector currently. Su noted that for nearly the entire eight-year history of Binance, North Korean hackers have been a persistent threat, but their activities have recently intensified with a focus on cryptocurrency theft.

Hacking Tactics and Incidents

Su pointed out that significant hacking incidents tied to North Korea often involve the use of fake employee resumes to facilitate cyberattacks. He specifically mentioned the Lazarus Group, a notorious hacking outfit from the Democratic People’s Republic of Korea (DPRK), which has garnered a reputation for its sophisticated and successful exploits targeting the crypto industry. One of their most infamous operations was the Bybit hack in March, which resulted in a staggering loss of $1.4 billion, making it the largest cryptocurrency hack on record according to the FBI.

Binance’s Hiring Measures

To combat these threats, Binance adopts stringent measures when reviewing job applications. Su indicated that the exchange routinely discards suspicious resumes, which are often crafted using identifiable templates. If an application manages to pass initial scrutiny, the next step involves a video interview where Binance tries to determine the applicant’s authenticity—a task that has become increasingly complicated with advancements in artificial intelligence. Today, applicants may feign identities, even portraying candidates from Europe and the Middle East, employing voice changers and deepfake technology during interviews.

Su explained that a common telltale sign of these deceptive applicants is their sluggish internet connectivity, potentially due to the software they are using to disguise their identities, which causes delays during conversations. Binance employs various detection techniques, such as instructing candidates to obscure their faces, which often disrupts the deepfake technology.

Identifying Potential Threats

Beyond their own hiring checks, some companies in the industry have had success identifying potential agents by asking applicants to critique North Korean leader Kim Jong Un, which is against the law in North Korea. Binance says it has never employed state-sponsored actors, but it remains vigilant, monitoring existing staff for anomalous behavior, an essential practice among financial institutions.

Interestingly, Su’s findings suggest that North Korean employees, should they evade detection, tend to excel in their roles. This may be explained by the fact that multiple individuals could be performing the same job in varying time zones, leading to unusual work patterns. Continuous tracking of employee schedules and productivity allows Binance to spot red flags, such as someone who appears not to need sleep.
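
One way to turn the "appears not to need sleep" signal into a check, as an added example rather than anything Binance has described: measure each account's habitual rest window from activity timestamps and flag accounts where it is implausibly short. The account names, the 5-hour threshold and the sample events are assumptions constructed for illustration, and timestamps are assumed to be normalized to UTC.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MIN_REST_HOURS = 5      # assumed threshold, tune per team and on-call policy
ACTIVE_DAY_SHARE = 0.5  # an hour is "habitually active" if used on >= half the days

def habitual_rest_hours(timestamps):
    """Longest circular run of UTC hours-of-day with no habitual activity."""
    if not timestamps:
        return 24
    days_seen = defaultdict(set)              # hour of day -> dates with activity
    for ts in timestamps:
        days_seen[ts.hour].add(ts.date())
    total_days = len({ts.date() for ts in timestamps})
    active = [len(days_seen[h]) >= ACTIVE_DAY_SHARE * total_days for h in range(24)]
    best = run = 0
    for h in range(48):                       # walk the clock twice for wrap-around
        run = 0 if active[h % 24] else run + 1
        best = max(best, run)
    return min(best, 24)

def flag_accounts(events_by_account, min_rest=MIN_REST_HOURS):
    """Return {account: rest_hours} for accounts with no plausible sleep window."""
    flagged = {}
    for account, timestamps in events_by_account.items():
        rest = habitual_rest_hours(timestamps)
        if rest < min_rest:
            flagged[account] = rest
    return flagged

def build_events(start, days, hours):
    """Constructed sample data: one event per listed UTC hour on each day."""
    return [start + timedelta(days=d, hours=h) for d in range(days) for h in hours]

START = datetime(2025, 1, 6, tzinfo=timezone.utc)
SAMPLE = {  # constructed accounts, not real telemetry
    "dev-a": build_events(START, 10, range(8, 18)),  # one person, 08:00-17:59 UTC
    "dev-b": build_events(START, 10, [h for h in range(24) if h not in (6, 7)]),
}

if __name__ == "__main__":
    for account, rest in flag_accounts(SAMPLE).items():
        print(f"{account}: habitual rest window only {rest}h, review for account sharing")
```

A short rest window is a triage signal only: on-call rotations, automation running under a personal account and travel all produce the same pattern, so a flagged account calls for review rather than a conclusion.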

Counteracting Hacking Methodologies

Regarding hacking methodologies, Su identified two other prevalent tactics employed by North Korean operatives: injecting malicious code into publicly available Node Package Manager (NPM) libraries, and creating counterfeit job offers to lure crypto professionals. NPM libraries are essential for developers, as they contain reusable code. If malicious code is inserted into these libraries, it can lead to serious security breaches.

To counteract these risks, Binance conducts thorough code audits and collaborates with other major exchanges via Telegram and Signal groups to share intelligence on potential vulnerabilities and the latest North Korean tactics.

Deceptive Recruiting Strategies

Moreover, DPRK operatives are known to use deceptive recruiting strategies, often presenting themselves as a legitimate DeFi project or investment firm. During fake interviews, they use supposed technical issues as a ruse to entice candidates into downloading malicious software disguised as a necessary update for video conferencing applications like Zoom.

Binance has made training mandatory for its workforce so that employees stay vigilant against phishing attempts. Su reported an uptick in phishing incidents, indicating that North Korean hackers are actively targeting Binance employees through platforms like LinkedIn. A recent report from Chainalysis highlighted that the DPRK stole approximately $1.34 billion across 47 crypto-related incidents last year, with estimates suggesting that they have already taken $1.6 billion this year alone through the issuance of bogus IT job offers.

Conclusion

Su summarized the profound impact of North Korean threats, noting that the Lazarus Group has shifted its focus more intently on cryptocurrency in the past few years, drawn by the industry’s substantial financial stakes.
