How to identify North Korean hackers disguised as developers applying for jobs?

By: TechFlow深潮 (Deep Tide TechFlow), 2024/03/27 02:15
Crypto is full of strange and interesting people...

On March 27th, bad news came from Blast, with Web3 game platform Munchables being hacked for over 17,000 ETH, worth $62.5 million.

Blockchain detective ZachXBT suggested that Munchables was hacked by North Korean hackers disguised as developers. SlowMist founder Yu Xian also stated, "This is at least the second DeFi project we have encountered in this situation. The core developer disguised himself and gained the trust of the entire team for a long time, then struck mercilessly when the time was right."

When you are a founder of a crypto project interviewing remote developers, encountering North Korean hackers may not be uncommon.

Monad founder Keone revealed on X in 2022 that after posting several openings for Solidity developers, his team received many resumes, a large share of which they believed came from North Koreans. He summarized the common characteristics:

  • They seem to prefer GitHub usernames like SuperTalentedDev726 or CryptoKnight415;

  • They also seem to like using numbers in their email and GitHub usernames, perhaps as a way to track their identities when applying?

  • They tend to choose Japanese identities (perhaps Koreans are too obvious) and often claim to have studied at top schools in Japan, Hong Kong, or Singapore (National University of Singapore, Nanyang Technological University, University of Hong Kong, Hong Kong University of Science and Technology);

  • They often (though not always) steal code repositories on GitHub, taking existing projects and regenerating the commit messages so the work appears under their own usernames;

  • They also tend to apply for the same job several times, each time from a different email address;

  • They claim Solidity/EVM experience that starts implausibly early (for example, in 2015).
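As an added example (not from the article, Monad, or any of the people quoted), here is how a hiring team could encode the red flags above as a screening pass over application records, with the "same job, several addresses" point generalized to a resume-fingerprint match across applicants. The field names, thresholds, regular expressions and sample applicants are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumption: Ethereum mainnet launched in mid-2015, so claimed Solidity work
# before 2016 is treated as implausibly early (the article's example is 2015).
EARLIEST_PLAUSIBLE_SOLIDITY_YEAR = 2016
# Generic word(s) followed by three or more digits, e.g. CryptoKnight415.
GENERIC_HANDLE = re.compile(r"^[A-Za-z]+\d{3,}$")


def screen_application(app: dict) -> list[str]:
    """Return the red flags raised by one application record."""
    flags = []
    if GENERIC_HANDLE.match(app["github"]):
        flags.append("github handle is a generic word plus numeric suffix")
    if re.search(r"\d{2,}", app["email"].split("@", 1)[0]):
        flags.append("email local part carries a numeric suffix")
    since = app.get("solidity_since")
    if since is not None and since < EARLIEST_PLAUSIBLE_SOLIDITY_YEAR:
        flags.append(f"claims Solidity experience since {since}")
    # A large repo whose whole history lands within a few days is consistent
    # with a cloned project whose commits were regenerated under a new author.
    if app.get("repo_commits", 0) >= 50 and app.get("repo_span_days", 999) <= 7:
        flags.append("repo history looks regenerated (many commits in a few days)")
    return flags


def find_duplicate_applicants(apps: list[dict]) -> dict[str, list[str]]:
    """Map role + resume fingerprint to the distinct emails that submitted it."""
    by_key = defaultdict(set)
    for app in apps:
        by_key[(app["role"], app["resume_sha256"])].add(app["email"])
    return {f"{role}:{digest[:8]}": sorted(emails)
            for (role, digest), emails in by_key.items() if len(emails) > 1}


# Constructed sample applications (every value is made up for this example).
SAMPLE_APPS = [
    {"role": "solidity-eng", "email": "cryptoknight415@example.com", "github": "CryptoKnight415",
     "solidity_since": 2015, "repo_commits": 120, "repo_span_days": 3, "resume_sha256": "a1b2c3d4e5f6"},
    {"role": "solidity-eng", "email": "ck.dev7731@example.com", "github": "SuperTalentedDev726",
     "solidity_since": 2015, "repo_commits": 120, "repo_span_days": 3, "resume_sha256": "a1b2c3d4e5f6"},
    {"role": "solidity-eng", "email": "maria.ortiz@example.com", "github": "mortiz-eth",
     "solidity_since": 2018, "repo_commits": 300, "repo_span_days": 900, "resume_sha256": "ffee00112233"},
]


def screen_batch(apps: list[dict]) -> dict[str, list[str]]:
    """Per-email flag lists, with the cross-applicant duplicate check folded in."""
    report = {app["email"]: screen_application(app) for app in apps}
    for emails in find_duplicate_applicants(apps).values():
        for email in emails:
            report[email].append("same resume submitted from multiple emails")
    return report
```

Flags are signals for a human reviewer to follow up on (for example, by asking for a live, camera-on walk-through of a repository the applicant claims), not an automatic rejection.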

According to the latest developments, GitHub user Werewolves0493 is reportedly the North Korean hacker behind the Munchables attack, with his email address on GitHub being [email protected], which aligns with Monad founder Keone's description.

In 2022, Jonwu, a staff member of the privacy protocol aztecnetwork, also encountered North Korean hackers during the interview process and described the scene of the online interview. Here is his account:

First, we at aztecnetwork were recruiting and received an application for "Bobby Sierra - Solidity Engineer" on @Greenhouse.

After internal review, I was assigned an online interview.

I skimmed the resume.

Name: Bobby Sierra

Applying for: Solidity Engineer

Location: Ontario

Languages: English and some Chinese

Experience: F2pool, with some DAO and NFT projects on the resume.

Remember this, it will be relevant later.

Then I looked at the cover letter, which started with: "I am a blockchain developer with over 6 years of rich experience."

Then there was a bunch of vague information and generic self-praise, but that's understandable; not everyone is good at writing cover letters.

Finally, he wrote on the cover letter: "The world will see great achievements in my hands."

...

I immediately thought, this guy sounds like a Bond villain.

I'm imagining a guy whose arm is actually a laser cannon, and his eyeballs are made of plutonium or something.

"The world will see great achievements in my hands"??? Who the hell talks like that?

Normal people don't speak like that, damn it.

This was unsettling, so I went to check his GitHub: 12 commits in the past 12 months? That's not "rich experience".

Also, the projects he's involved in seem random:

BoredBunnies

PantherSwap

MetaverseDAO

Forget it, I told myself; crypto is a strange and interesting space, full of strange and interesting people! Maybe Bobby is just a quirky guy.

Then, I started the interview!

Hi, this is Jon from Aztec, is this Bobby?

"Yes. This is...Bobby Sierra."

I observed a few things:

His camera was off;

There were more than 5 people talking loudly in the background;

A distinct Korean accent;

I asked him why it was so loud.

"Oh, I'm in the office."

WTF, but why are there another 5 people speaking a mix of Korean and English?

You might ask, how did I know he was Korean?

Hehe, some of my good friends are Korean, so I'm very familiar with the Korean accent, but this wasn't the usual Korean-American or Korean-Canadian accent, or any Korean accent.

"Bobby" can of course speak English, but not the usual English: stiff, formal, and almost incomprehensible.

So, "Bobby, introduce yourself."

"I have been involved in many blockchain development and token issuance projects, with many successful projects, very successful, many blockchain... okay, they all have very good results. Okay?"

Let's analyze it briefly:

1) The first part is just nonsense, and based on that alone I wanted to disqualify him from the interview.

2) "Okay." This expression made me sure that this guy is Korean. How do I know? Because my friend's mom always says this to me before handing me a bowl of hot rib soup: "It's delicious, eat it while it's still hot, okay?"

Now the alarm bells were ringing. I knew about the recent frequent North Korean hacker attacks. I decided to dig deeper.

Where are you based, Bobby?

"Based?"

Yes, where are you right now?

"Oh, Hong Kong."

Hong Kong? Where did you last work?

"Oh, Ateke."

What is that?

"A German company, or a French company. I don't know."

Your resume says you worked for F2pool, can you tell me about F2pool?

"Um, can you wait a moment?"

Then he put me on mute for 5 minutes. When Bobby came back, he seemed like a different person.

"Hello, are you there?"

Yes, Bobby, I'm here.

"I am an experienced blockchain developer, I am looking for a new job, I am very experienced, I can bring value to your company, I now want an engineer job. Okay?"

Whatever the truth was, I hung up the phone.

We know that North Korean hackers like the Lazarus Group are attacking major protocols and individuals. Ronin had 600 million dollars stolen; Arthur0x, Mgnr, and countless other well-known accounts were attacked.

I don't know what the attack vector was. Were we supposed to download a corrupted .docx resume? Have someone share their screen and navigate to MetaMask? Gain access to our codebase and push a malicious change? I leave it to the internet to speculate.

In fact, I don't know whether these people are North Korean hackers. Bobby may just be a very incompetent guy, but every fiber of my being says otherwise.

Apart from fear and entertainment, I learned a lot from this strange interaction.

1) Our whole world is built on trust. If someone shows us their resume and GitHub, we believe it.

The risks of smart contracts are overestimated; anything can be an attack vector: recruitment, events, travel, and so on. Don't download attachments casually, isolate your wallet on a dedicated machine, and so on.

Later, "Bobby" updated his GitHub, which now points to a brand new account with more code commits. I believe these people are learning, adapting, and getting smarter. Fortunately, they cannot fix how disconnected and incompetent they are. We just need to stay sharp.