North Korean Spy Slips Up, Reveals Ties in Fake Job Interview

A North Korean crypto spy recently made a grave mistake during a fake job interview set up as part of a sting operation. Cointelegraph was involved in an investigation led by cyber threat intelligence expert Heiner Garcia, which uncovered a cluster of threat actors attempting to score freelancing gigs in the cryptocurrency industry. The investigation revealed that North Korean operatives were able to secure freelance work online without using a VPN, and Garcia's analysis linked the applicant to a network of GitHub accounts and fake Japanese identities believed to be associated with North Korean operations.

Garcia first encountered the suspected Democratic People’s Republic of Korea (DPRK) operative, who called himself “Motoki,” on GitHub in late January while investigating a cluster linked to a suspected DPRK threat actor known as “bestselection18.” Motoki's profile, which included a human face photo, caught Garcia's attention. Garcia created an alter ego as a headhunter for a company looking for talent and invited Cointelegraph to join an upcoming interview with the hope of speaking to the suspected DPRK operative in Korean by the end of the call.

The fake job interview was conducted on February 25, during which Motoki displayed behavior inconsistent with that of a legitimate Japanese developer. He couldn't speak the language fluently and gave the same responses to different questions, turning the job interview into an awkward and stilted conversation. Motoki also revealed key details by sharing his screen during the interview, including that he had access to private GitHub repositories shared with bestselection18.

According to Garcia, Motoki is likely a lower-level operative working with bestselection18. Linguistic clues in Motoki's English pronunciation, together with his facial features, suggested that he was of North Korean origin. His appearance aligned more closely with the Korean profile described in a 2018 study, which noted that Korean males tend to have wider, more prominent facial structures than their East Asian neighbors.

During the interview, Motoki also offered insight into some of North Korea's operational methods. He told Garcia that his operators would send him money to buy a computer so they could work through it remotely, which let them carry out tasks without needing a VPN connection. Because the traffic originated from a local machine rather than a VPN, this arrangement would enable the operators to work without triggering issues on popular freelancing platforms.

After the interview, Cointelegraph received messages from Garcia indicating that Motoki had disappeared and all his socials had changed. The chats and everything around him had been deleted. Motoki has not been heard from since. The incident highlights the growing concern of suspected DPRK operatives posing as freelancers in the tech industry.

Recruiters across the tech industry have become targets for these operatives, and even major crypto exchanges are affected. A United Nations Security Council report estimates that North Korean IT workers generate up to $600 million annually for the regime. These operatives are able to funnel consistent wages back to North Korea, which is believed to help finance its weapons program.

The incident serves as a reminder of the need for vigilance in detecting and preventing cyber threats from North Korea. As the threat landscape continues to evolve, it's essential for individuals and organizations to be aware of these tactics and take steps to protect themselves against such attacks.