Unmasking a North Korean Hacker's Job Hunt
Every day, our dedicated security and IT teams successfully repel a wide range of attacks from various bad actors. From our years of experience, we know how vast the attack vectors of any major company are. And as we’re disclosing today, they can include unexpected areas, such as the company’s recruitment process.
Last week, our teams identified a North Korean hacker’s attempts to infiltrate our ranks by applying for a job at Kraken. What started as a routine hiring process for an engineering role quickly turned into an intelligence gathering operation, as our teams carefully advanced the candidate through our hiring process to learn more about their tactics at every stage.
This is an established challenge for the crypto community, with estimates indicating that North Korean hackers stole over $650 million from crypto firms in 2024 alone. We’re disclosing these events today as part of our ongoing transparency efforts and to help companies, both in crypto and beyond, to strengthen their defenses.
From the outset, something felt off about this candidate. During their initial call with our recruiter, they joined under a different name from the one on their resume, and quickly changed it. Even more suspicious, the candidate occasionally switched between voices, indicating that they were being coached through the interview in real time.
Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies. We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken. With this intelligence in hand, our Red Team launched an investigation using Open-Source Intelligence gathering (OSINT) methods.
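The two signals described so far, an application email that appears on a partner-shared list and a call display name that differs from the resume, can be checked automatically at intake. The sketch below is an added example, not Kraken's tooling; the field names, the normalization rules and all sample values are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: only these providers ignore dots in the local part.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

def normalize_email(addr):
    """Canonical form for matching; returns None if not parseable."""
    addr = unicodedata.normalize("NFKC", addr).strip().lower()
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    # Assumption: a "+tag" suffix is a sub-address of the same mailbox.
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def normalize_name(name):
    """Case- and order-insensitive form, so 'Doe Jane' equals 'Jane Doe'."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return " ".join(sorted(folded.split()))

def screen_applicant(applicant, shared_indicators):
    """Return review flags for one applicant record (hypothetical fields)."""
    flags = []
    watch = {normalize_email(e) for e in shared_indicators} - {None}
    email = normalize_email(applicant["email"])
    if email is None:
        flags.append("unparseable_email")
    elif email in watch:
        flags.append("email_on_shared_list")
    if normalize_name(applicant["resume_name"]) != normalize_name(
            applicant["call_display_name"]):
        flags.append("name_mismatch_on_call")
    return flags

# Constructed sample data (not real indicators or applicants).
SAMPLE_INDICATORS = ["alex.example@example.com", "other.alias@example.net"]
SAMPLE_APPLICANT = {
    "email": "Alex.Example+apply@Example.com",
    "resume_name": "Alex Example",
    "call_display_name": "Sam Placeholder",
}

if __name__ == "__main__":
    print(screen_applicant(SAMPLE_APPLICANT, SAMPLE_INDICATORS))
```

A flag here is a reason to route the application to security review, not a verdict on the applicant.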
Several of the names had previously been hired by multiple companies, as our team identified work-related email addresses linked to them. One identity in this network was also a known foreign agent on the sanctions list.
As our team dug deeper into the candidate’s history and credentials, technical inconsistencies emerged. This evidence was clear, and our team was confident that this wasn’t just a suspicious job applicant, but a state-sponsored infiltration attempt.
Instead of tipping off the applicant, our security and recruitment teams strategically advanced them through our rigorous recruitment process – not to hire, but to study their approach. This meant putting them through multiple rounds of technical infosec tests and verification tasks, designed to extract key details about their identity and tactics.
The final round interview? A casual chemistry interview with Kraken’s Chief Security Officer (CSO) Nick Percoco and several other team members. What the candidate didn’t realize was that this was a trap – a subtle but deliberate test of their identity.
“Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks.”
The next time a suspicious job application comes through, remember: sometimes the biggest threats come disguised as opportunities.