
Invisible War: North Korean Hackers Have Infiltrated 20% of Crypto Companies


Author: Pedro Solimano, DL News

Compiled by: Deep Tide TechFlow

Pablo Sabbatella, a member of SEAL and the founder of the Web3 auditing company Opsek.

Source: Pedro Solimano

North Korean agents have infiltrated 15%-20% of cryptocurrency companies.

According to a SEAL member, 30%-40% of job applications in the crypto industry may come from North Korean agents.

The cryptocurrency industry is criticized for its “operational security (opsec) being the worst in the entire computer industry,” said Pablo Sabbatella.

North Korea's penetration into the cryptocurrency industry far exceeds people's awareness.

Pablo Sabbatella, founder of the Web3 auditing firm Opsek and current member of the Security Alliance, dropped a bombshell at the Devconnect conference in Buenos Aires: North Korean agents may have infiltrated up to 20% of cryptocurrency companies.

“The situation in North Korea is much worse than everyone imagines,” Sabbatella said in an interview with DL News. More strikingly, he pointed out that 30%-40% of job applications in the crypto industry might come from North Korean agents trying to infiltrate the organizations they apply to.

If these estimates are accurate, the potential for damage would be incredible.

More importantly, North Korea's infiltration is not just about stealing money through hacking techniques, although they have already siphoned off billions of dollars through complex malware and social engineering methods. The bigger issue is that these agents are being hired by legitimate companies to gain system access and manipulate the infrastructure that supports major crypto companies.

According to a report by the U.S. Treasury Department last November, North Korean hackers have stolen over $3 billion in cryptocurrency in the past three years. These funds have subsequently been used to support Pyongyang's nuclear weapons program.

How do North Korean agents infiltrate the cryptocurrency industry?

North Korean workers usually do not apply for positions directly, as international sanctions prevent them from participating in the recruitment process under their real identities.

Instead, they look for unsuspecting remote workers around the world to act as “agents.” Some of these agents have even become recruiters, helping North Korean operatives use stolen identities to hire more overseas collaborators.

According to a recent report by the Security Alliance, these recruiters are reaching out to individuals around the world through freelance platforms such as Upwork and Freelancer, primarily targeting Ukraine, the Philippines, and other developing countries.

Their “transactions” are very simple: provide verified account credentials or allow North Korean agents to remotely use your identity. In return, collaborators can receive 20% of the income, while North Korean agents keep 80%.

Sabbatella stated that many North Korean hackers target the United States.

“Their approach is to find Americans as their 'front end,'” Sabbatella explained, “They pretend to be people from China who cannot speak English and need someone to help them with the interview.”

Next, they will infect the computers of “front-end” personnel with malware to obtain US IP addresses, allowing them to access more internet resources than they could while in North Korea.

Once hired, these hackers are usually not dismissed, as their performance satisfies the company.

“They are highly efficient, work long hours, and never complain,” Sabbatella said in an interview with DL News.

Sabbatella provided a simple test method: “Ask them if they think Kim Jong-un is a freak or if there is anything wrong with him.” He said, “They are not allowed to say anything bad.”

Security vulnerabilities in operations

However, North Korea's success relies not only on sophisticated social engineering.

Crypto companies—and users—make it all easier.

“The cryptocurrency industry may have the worst operational security (opsec) in the entire computer industry,” Sabbatella said. He criticized founders in the cryptocurrency industry as being “fully doxxed, perform poorly in protecting private keys, and are easily victimized by social engineering.”

Operational Security (OPSEC) is a systematic process used to identify and protect critical information from adversarial threats.

The lack of operational security can lead to a high-risk environment. “Almost everyone’s computer will be infected by malware at least once in their lifetime,” Sabbatella said.

Update Notes

Update: This article has been updated with clarification from Sabbatella, who pointed out that North Korea does not control 30%-40% of cryptocurrency applications; the aforementioned ratio actually refers to the proportion of North Korean agents in cryptocurrency industry job applications.
