from Hacker News

We identified a North Korean hacker who tried to get a job

by 2bluesc on 5/1/25, 2:53 PM with 290 comments

  • by donnachangstein on 5/1/25, 3:24 PM

    They used their leet "OSINT" skillz to ask the most basic of questions and background checks that nearly any traditional interview process would immediately uncover, then think it's so novel it's worthy of a blog post.

    On the surface it seems the "security" industry is lacking in the most basic of security processes when hiring.

    I don't think I've ever worked anywhere that could accidentally hire a North Korean without uncovering it somewhere in the hiring process, and all my jobs have been especially uninteresting.

    What bothers me more is there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.

  • by Multiplayer on 5/1/25, 3:28 PM

    Here's a heretical thought: Remote hiring is a massive Achilles heel.

    I've been duped simply by hiring a great engineering candidate who then farmed out the actual work to remote workers in Pakistan and India. We caught on fairly quickly thanks to one of them forgetting to log in to one of our backend systems via VPN a few times. No idea how many companies he was "working for" but I'd bet we were one of many.

    Remote work has amazing upsides and tremendous security implications.

  • by stavros on 5/1/25, 3:27 PM

    This is an interesting article, but doesn't this:

    > our Red Team launched an investigation using Open-Source Intelligence gathering (OSINT) methods.

    basically mean "some guys in the company googled him"?

  • by orbital-decay on 5/1/25, 4:11 PM

    I don't see anything about the guy being North Korean in the article. It's pure clickbait full of bragging about "our DNA".

    > Their resume was linked to a GitHub profile containing an email address exposed in a past data breach.

    How is it an indicator of anything? Any actively used e-mail address that is older than a few years will be listed on haveibeenpwned.

  • by noitpmeder on 5/1/25, 3:47 PM

    > Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies. We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.

    This doesn't sound so impressive?

    This single red flag should invalidate the candidate immediately, end of story.

  • by codecraze on 5/1/25, 6:08 PM

    In 2024 I’ve conducted a lot of interviews to recruit some frontend and backend engineers in full remote roles.

    And at one point I was getting a lot of candidates with European names, no picture, good resume.

    And when I met them over a call it was very strange: they were all Asian (with really typical Nordic names), they were like clones in the way they talked and answered questions exactly the same. They also claimed to be from Sweden/Finland/Norway for most of them but yet they had a strong Asian accent. Not Nordic at all.

    This was really fishy and since the fit wasn’t there I stopped the interview without thinking about it too much. But the more I think about it, the more I tend to lean on North Korean candidates.

  • by anonymousiam on 5/1/25, 4:09 PM

    Commenting on the events, CSO Nick Percoco, said:

    “Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks.”

    It's funny to see the CSO of a crypto firm say this. It's the opposite of the whole way crypto works. In crypto, the transaction is processed (trusted) if all the credentials and keys are correct, regardless of who's behind it.

  • by Dachande663 on 5/1/25, 3:23 PM

    From somewhere in the depths of an old reddit thread, someone recommended asking candidates "How fat is Kim Jong Un?" Instant hang-up.

  • by ianhawes on 5/1/25, 4:26 PM

    This is pretty boring. Let me know when you drop an implant on their host device and move laterally to other attackers devices or engage in a long-con and get them to travel to a US-extraditable country.

  • by rvz on 5/1/25, 3:11 PM

    > Not all attackers break in, some try to walk through the front door.

    Now made even easier for fraudsters and including state actors thanks to Generative AI. Also:

    > Generative AI is making deception easier, but isn’t foolproof. Attackers can trick parts of the hiring process, like a technical assessment, but genuine candidates will usually pass real-time, unprompted verification tests.

    This is why Leetcode / Hackerrank and other (online assessments) OA in the technical interview is unfit for use in the age of AI.

    > In the modern era, it’s an organizational mindset.

    Security is a way of life for this company, but it would have easily fooled a less security-oriented company and it will just only get worse.

  • by rs186 on 5/1/25, 4:02 PM

    > asking the candidate to verify their location, hold up a government-issued ID, and even recommend some local restaurants in the city they claimed to be in.

    I don't know, if I run into these questions in a job interview, especially with a small, less known company, I would be having serious questions about what this company is doing

  • by TheGCMadeMeDoIt on 5/1/25, 3:41 PM

    I fail to understand the whole "advancing the candidate through the interview to learn more about how they do this" plan.

    They already knew the candidate's name, email, and GitHub were all part of past breaches. I could understand if they were fishing for more information to contribute to a shared list, but it seems like they knew virtually everything they needed to know.

    Asking the candidate to justify the inconsistencies outright would've been just as helpful as the final interview IMO.

    Is there something I'm missing there?

  • by iJohnDoe on 5/1/25, 4:18 PM

    There are so many talented people trying to get their first or second job in the cybersecurity industry. Legit, honest, hard-working individuals want to get their chance in cybersecurity. So many posts from cybersecurity companies saying, "Meet us at conferences! Write content! Get to know us, then we'll hire you!" Then in their article they write this. Companies that are even letting these resumes or candidates get a second look are disgraceful. Companies need to get their shit together.

    What happened to standard procedures? 1. Phone interview. 2. Video interview. 3. In-person interview. 4. Job offer and hired. Heck, even standard was 1. Phone interview. 2. In-person interview. 3. Job offer and hired.

    > From the outset, something felt off about this candidate. During their initial call with our recruiter, they joined under a different name from the one on their resume...

  • by ThinkBeat on 5/1/25, 3:43 PM

    Someone said that North Koreans are trying to get jobs. Ok

    Then they had a candidate who was trying to cheat the system.

    How did they establish and verify that the candidate was North Korean? Are North Koreans the only ones who try to remote work by lying about their whereabouts?

    Not at all.

    If you live in a country outside of the US and you see the money software people make in the US it is mighty tempting to land a gig.

    The fact that the person made simple mistakes and needed to be coached does not sound like a North Korean state operation.

    If someone had told them Russian hackers are trying to get jobs.

    Would they have assumed the person was Russian?

  • by mystraline on 5/1/25, 3:34 PM

    It's quite saying, that in order to get interviews, you have to basically lie your way with various generative AI.

    Whereas, I've been looking for quite a while, with very few bites. And nobody so far on HN Who's hiring responds, except for a place that seems to want 60h/week and pay for 40h/week.

    Being genuine and truthful in the age of generative AI, LLMs, quiet quitting, /r/overemployed (on the sly working multiple 40h week jobs).... Being honest in this environment seems to be a losing endeavor.

  • by ninjazee124 on 5/1/25, 3:50 PM

    This is pretty common stuff I saw with just even regular startups with remote applicants -- I take their claim that it was NK hacker with a grain of salt.

  • by danielvf on 5/1/25, 3:45 PM

    North Korea's efforts have been evolving.

    In the past, they just tried to break into bank computers, then into crypto companies' computers. For the last two years, they've been working on getting people into crypto companies.

    But now they appear to have enough people to spare that they also have groups working on "honest" employment as remote workers, who may not even have theft as the first thing on their mind.

    Here's a federal case where a US woman was convicted of helping North Korea steal the identities of 70 people, and then remote in as them, to do remote work:

    https://www.justice.gov/usao-dc/pr/arizona-woman-pleads-guil...

  • by fracus on 5/1/25, 6:46 PM

    "During their initial call with our recruiter, they joined under a different name from the one on their resume, and quickly changed it."

    The article could have been this short.

    This article also helps the Korean hackers by providing in depth commentary on how they were caught and how to improve.

  • by stackedinserter on 5/1/25, 4:07 PM

    I would hire this person, set up a very basic work environment, force them to run spyware, learn something about them and make a more interesting blog post.

    Actually, that's a job for counter-intelligence agencies (NSA? RCMP?), but I guess they will just laugh if you call them.

  • by abhisek on 5/1/25, 5:07 PM

    This is happening with high value crypto companies with large security teams. Imagine what happens when OSS maintainers are asked to work on GitHub repositories with malicious code as part of fake job interviews?

    If it's not insider access then might as well hack an OSS maintainer and publish a malicious open source package that everyone depends on to reach your target organization.

  • by aussieguy1234 on 5/1/25, 4:18 PM

    Apparently they're quite brainwashed around Kim Jong Un and simply can't process any discussions that are even remotely negative about their dear leader.

    Use this to your advantage during the interview process to weed them out: https://news.ycombinator.com/item?id=43853382

  • by lmeyerov on 5/1/25, 4:13 PM

    We had similar earlier on at Graphistry. It was pretty obvious, especially by the time of video screens. We are still unsure whether it was a hacker or just someone avoiding their history/nationality:

    - online history was sparse and somewhat mismatching, and weird profile image reuse

    - unexpectedly strong accent in calls, does not show video

    - background reference checks a mess

  • by wslh on 5/1/25, 4:35 PM

    In my lesser known company, we've been receiving leads who share their codebase repositories which contain malware or buggy dependencies, even though we offer cybersecurity services.

    If I were able to predict the future I would say that soon GitHub, GitLab and others will release improved security sensors.

  • by s-mon on 5/1/25, 4:08 PM

  • by iagooar on 5/1/25, 7:41 PM

    > We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.

    Sounds like you had to really push the boundaries of what is humanly possible to uncover this one.

  • by eunos on 5/1/25, 5:15 PM

    > The candidate used remote colocated Mac desktops but interacted with other components through a VPN, a setup commonly deployed to hide location and network activity.

    How could Kraken find this out based only on a video call?

  • by ecocentrik on 5/1/25, 4:08 PM

    I'm surprised it wasn't the government sanctioned haircut.

  • by sltr on 5/1/25, 3:35 PM

    Reminds me of the Lazarus Heist [1]

    [1] https://www.bbc.co.uk/programmes/w13xtvg9

  • by nikcub on 5/1/25, 5:23 PM

    The North Korean efforts are amateur compared to government intel ops either placing or recruiting employees at large tech firms.

  • by Jcampuzano2 on 5/1/25, 3:30 PM

    If people are hiring this sort of applicant I'm of the opinion they kind of deserve to be "pwned". The most basic of processes should have weeded this dude out instantly at any modern company.

    I'm sure this wasn't a case of the most advanced/sophisticated attempt from North Korea and other bad actors, and probably just a case of them casting a wide net. But regardless based off of this writeup and the video shown dude should have never been given the time of day.

  • by g42gregory on 5/1/25, 7:02 PM

    And his name was Jimmy…

    On a serious note, as a Kraken customer, I am very happy that they take security issues seriously. Reassuring.

  • by yieldcrv on 5/1/25, 3:54 PM

    All you have to do is ask them to say "Fuck Kim Jong Un"

    this is a tongue in cheek test in crypto circles for like a year now

  • by Geee on 5/1/25, 4:30 PM

    Seems like they wanted to be obvious. At the same time they got their real hacker in. Typical diversion tactic.

  • by crorella on 5/1/25, 5:46 PM

    I think they detected rather than identified; as far as I know they didn't get the identity of the hacker.

  • by aryan14 on 5/1/25, 9:08 PM

    Cross checked known malicious mail list with applicants, found a match and made a blog about it lol

  • by koliber on 5/1/25, 4:50 PM

    I’ve had 4 such people interview. These guys were much easier to spot than the one at Kraken. I wrote up an article about how to spot these fake North Korean devs.

    https://koliber.com/articles/how-to-avoid-hiring-a-north-kor...

  • by Aloisius on 5/1/25, 6:38 PM

    This level of applicant checking at a financial institution does not inspire confidence.

    At a previous remote job for a financial institution, they required a full background check with fingerprinting, reference checking, past employment verification, drug testing and in-person verification of identity and employment authorization. This was done for everyone, not just people they found "suspicious."

    Frankly, the laws against applicant discrimination also make having different processes or demanding different information from candidates because of national origin/ancestry/accent/etc. legally questionable.

  • by Havoc on 5/1/25, 4:02 PM

    Is there an uptick in this? Feels like there are suddenly multiple stories about it.

  • by paradite on 5/1/25, 3:45 PM

    I wonder if this is just a decoy to get the more sophisticated candidate in.

  • by dabber21 on 5/1/25, 3:37 PM

    I wonder if something like eIDAS could help here (at least in EU countries)

  • by tke248 on 5/1/25, 8:42 PM

    Congratulations, you just provided source material to deepfake your staff.

  • by sjs382 on 5/1/25, 8:35 PM

    > From the outset, something felt off about this candidate. During their initial call with our recruiter, they joined under a different name from the one on their resume, and quickly changed it. Even more suspicious, the candidate occasionally switched between voices, indicating that they were being coached through the interview in real time.

    > Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies. We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.

    Unless you were working in conjunction with law enforcement (with some guarantee re: the security of customer assets), it should have ended there. Going further may have piqued your interest, but...

    > Instead of tipping off the applicant, our security and recruitment teams strategically advanced them through our rigorous recruitment process – not to hire, but to study their approach.

    ... you likely gave them more actionable data than they gave you.

    This behavior was reckless, amateurish and I'd be pulling out my assets right away if someone acting as a custodian to my finances acted like this.

  • by lawgimenez on 5/1/25, 4:52 PM

    The lack of proof is disturbing, a redacted screenshot would be nice.

  • by ForOldHack on 5/1/25, 6:31 PM

    "A candidates Red Flags..." These guys are funny.

  • by tough on 5/1/25, 5:31 PM

    Just ask them to badmouth their leader on interview.

  • by wnevets on 5/1/25, 3:35 PM

    Thanks to AI this problem will only get much worse.

  • by wakeywakeywakey on 5/1/25, 3:41 PM

    This is cool, but we'd be naive to think the other side is not also learning from this operation. The "gotcha" questions that foiled them at the end will likely make it into their playbook for next go around, and these attacks are going to be more sophisticated.

  • by joejoo on 5/1/25, 3:50 PM

    These elite state hackers seemed a little careless from the start, to say the least…

  • by notlive on 5/1/25, 3:42 PM

    The article says they received a list of known NK hackers' emails in advance and the hacker used one of those addresses to apply. Pretty big red flag there if you ask me. Is it really unfair to halt the process at that point?

  • by seasluggy on 5/1/25, 4:56 PM

    OSINT?

    So basic HR processes?

  • by babuloseo on 5/1/25, 3:47 PM

    I got interviewed by Kraken lol

  • by tsukikage on 5/1/25, 4:40 PM

    TLDR: "We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken."