Kraken Uncovers North Korean Spy Attempting to Infiltrate Engineering Team

Generated by AI agent · Coin World
Saturday, May 3, 2025, 10:27 am ET · 2 min read

Kraken, a prominent cryptocurrency exchange, recently uncovered a North Korean spy attempting to infiltrate their engineering team. The applicant, who initially seemed suspicious, joined an online interview under a different name than the one on his resume and frequently changed his intonation, suggesting real-time instructions from an external source. Industry partners had previously warned Kraken about the possibility of encountering spies among potential employees and provided a list of email addresses linked to North Korean hackers. One of these addresses was used by the applicant, raising further suspicions.

An investigation by Kraken's specialists revealed a network of fake identities and aliases used by the hacker to secure positions in various companies within the crypto industry and other sectors. The hacker's attempts to hide his location and forge documents with other people's data were also uncovered. To gain more insight into the hacker's identity and tactics, Kraken subjected the spy candidate to several rounds of interviews and background checks. During the final online meeting, the hacker was asked to show his ID and recommend local establishments, which he was unable to do convincingly.

Nick Percoco, Kraken's head of security, emphasized the importance of the core crypto principle "don’t trust, verify" in the digital age. He highlighted that state-sponsored attacks are a global threat targeting anyone handling value, and resilience starts with operational preparedness to withstand such attacks. Kraken specialists also noted the increasing importance of a holistic proactive approach to maintaining security in the face of evolving cyber threats, advocating for a "culture of productive paranoia."

In a related incident, a group linked to the North Korean hacking organization Lazarus, known as Contagious Interview, has been using fake companies to distribute malware. The firms BlockNovas, Angeloper Agency, and SoftGlide have been registered to deceive users through fake interviews. These companies are registered in the United States and use AI-generated images and stolen photos of real people to enhance their credibility. Hackers find victims through fake job ads on platforms like GitHub and freelancing sites, leading them to download malware during "interviews." The malware, including programs like BeaverTail, InvisibleFerret, and OtterCookie, aims to steal information such as cryptocurrency wallet keys. This campaign has been active since 2024, with the FBI liquidating the firm BlockNovas and identifying well-known public users as victims.

In another cybersecurity incident, Jake Gallen, the head of the NFT platform Emblem Vault, reported losing over $100,000 in cryptocurrency due to attackers using Zoom. During a video call with a supposed crypto community member, scammers installed GOOPDATE malware on Gallen's computer, compromising several cryptocurrency wallets. The Security Alliance (SEAL) determined that the ELUSIVE COMET group, known for using social engineering to install malware and steal cryptocurrencies, was responsible. The attackers exploited Zoom's default setting that allows guests to request remote access to the computer. SEAL experts confirmed that the platform's default settings facilitated the attack, and the hackers later gained access to Gallen's X account and Ledger hardware wallet. The ELUSIVE COMET group is linked to Aureon Capital, which has been responsible for "millions of dollars in stolen funds" and poses a significant risk to users due to its elaborate tactics.
