Here's How to Protect Yourself and the Crypto World From North Korean IT Workers
Documents provided as part of the "fake" KYC process conducted with a suspected DPRK IT worker. Source: ketman.org
As North Korean hackers are blamed for billions stolen from the cryptoasset industry, new research showcases complex schemes of how this country's IT workers try to infiltrate legitimate projects—and how you can protect yourself and the wider ecosystem.
0xfigo, information security officer and investigator, and blackbigswan, software engineer and security researcher, have published their findings on Ketman, an active investigation and threat actor monitoring platform specializing in fake developer campaigns and supply chain threats in the open-source ecosystem.
The authors of the report said they've uncovered Democratic People's Republic of Korea (DPRK) developers, such as 0xExp-po and bestselection18, active on GitHub, who managed to infiltrate blockchain projects built on Build on Stellar and Starknet. These actors are said to be working under different handles and have infiltrated multiple projects.
"What was more worrying was that after a deeper scan, we discovered bestselection18 was actually getting frequently paid for his contributions to multiple repositories hosted on the onlyDust platform," the report said, adding that bestselection18 was connected to multiple other North Korean IT workers outside of the onlyDust platform.
The investigators began engaging with the North Korea-linked accounts and set up a video call with motokisauo/kirbyAttack, who was suspected to be the same person as bestselection18. During the call, the developer was asked to introduce himself in Japanese.
"However, the candidate’s response was to remove their headset and leave the call, confirming our hypothesis that he is a DPRK IT worker," the investigators said.
Therefore, according to them, the lesson here is to set up a video call verification for any remote worker having access to potentially sensitive code.
"It often doesn’t take much effort. A simple video call that follows up on the actor’s claimed experience (or nationality, as in the case of motokisauo) can save your company from the DPRK IT Worker threat," the report urged, stressing that any files or code run by legitimate developers—if received from DPRK IT workers—should be treated as malicious until proven otherwise.
Moreover, Ketman's investigators have emphasized that by harboring DPRK IT workers, projects endanger the broader ecosystem, because they allow the credibility of those workers to grow—thus helping them infiltrate more projects and putting them at risk.
What’s more, DPRK IT workers are said to often work closely with DPRK hacking teams.
"We frequently observe crossover with campaigns like 'Contagious Interview', where the DPRK IT worker serves as an entry point to deliver a malicious payload to an established contact—in this case, maintainers of projects hosted on OnlyDust, grant operators, and funding teams," the investigators concluded.