Every day, our dedicated security and IT teams successfully repel a wide range of attacks from various bad actors. From our years of experience, we know how vast the attack vectors are for any large business. And as we disclose today, they can include unexpected areas, such as the company's recruitment process.
Our teams recently identified a North Korean hacker's attempts to infiltrate our ranks by applying for a job at Kraken.
https://www.youtube.com/watch?v=2vxhlnjkbbi
Watch the complete CBS News coverage of how Kraken identified, and then strategically interacted with, a North Korean hacker who tried to get a job at Kraken.
What started as a routine hiring process for an engineering role quickly turned into an intelligence-gathering operation, as our teams carefully advanced the candidate through our hiring process to learn more about their tactics at each stage.
This is an established challenge for the crypto community, with estimates indicating that North Korean hackers stole more than $650 million from crypto companies in 2024 alone. We are disclosing these events today as part of our ongoing transparency efforts and to help companies, both in crypto and beyond, strengthen their defenses.
The candidate’s red flags
From the start, something felt off about this candidate. During their first call with our recruiter, they joined under a different name from the one on their CV, and quickly changed it. Even more suspicious, the candidate occasionally switched between voices, indicating that they were being coached through the interview in real time.
Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies. We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate had used to apply to Kraken.
With this intelligence in hand, our Red Team launched an investigation using open-source intelligence (OSINT) gathering methods. One method was to analyze breach data, which hackers often use to identify users with weak or reused passwords. In this case, we discovered that one of the emails associated with the malicious candidate was part of a larger network of fake identities and aliases.
This meant that our team had uncovered a hacking operation in which one individual had established multiple identities to apply for roles in the crypto space and beyond. Several of the names had previously been hired by multiple companies, as our team identified work-related email addresses linked to them. One identity in this network was also a known foreign agent on the sanctions list.
As our team dug deeper into the candidate's history and credentials, technical inconsistencies emerged:
- The candidate used remote colocated Mac desktops but interacted with other components through a VPN, a setup commonly deployed to hide location and network activity.
- Their CV was linked to a GitHub profile containing an email address exposed in a past data breach.
- The candidate's primary form of ID appeared to have been altered, likely using details stolen in an identity theft case two years prior.
At this point, the evidence was clear, and our team was confident that this was not just a suspicious job applicant, but a state-sponsored infiltration attempt.
Turning the tables: how our team responded
Instead of tipping off the applicant, our security and recruitment teams strategically advanced them through our rigorous recruitment process, not to hire them, but to study their approach. This meant putting them through multiple rounds of technical infosec tests and verification tasks, designed to extract key details about their identity and tactics.
The final round interview? A casual chemistry interview with Kraken's Chief Security Officer (CSO) Nick Percoco and several other team members. What the candidate did not realize was that this was a trap: a subtle but deliberate test of their identity.
Between standard interview questions, our team slipped in two-factor authentication prompts, such as asking the candidate to verify their location, hold up a government-issued ID, and even recommend some local restaurants in the city they claimed to be in.
At this point, the candidate unraveled. Flustered and caught off guard, they struggled with the basic verification tests and could not convincingly answer real-time questions about their city of residence or country of citizenship. By the end of the interview, the truth was clear: this was not a legitimate applicant, but an impostor trying to infiltrate our systems.
Commenting on the events, CSO Nick Percoco said:
“Do not trust, check. This basic crypto principle is more relevant than ever in the digital age.
Key takeaways
- Not all attackers break in; some try to walk through the front door. As cyber threat actors evolve, our security strategies must evolve too. A holistic and proactive approach is essential to protect an organization.
- Generative AI makes deception easier, but it is not foolproof. Attackers can trick parts of the hiring process, such as a technical assessment, but genuine candidates will usually pass real-time, unprompted verification tests. Try to avoid patterns in the types of verification questions that hiring managers use.
- A culture of productive paranoia is key. Security is not just an IT responsibility. In the modern era, it is an organizational mindset. By actively engaging this individual, we identified areas to strengthen our defenses against future infiltration attempts.
The next time a suspicious job application comes through, remember: sometimes the biggest threats come disguised as opportunities.