
We identified a North Korean hacker who tried to get a job

donnachangstein

They used their leet "OSINT" skillz to ask the most basic of questions and background checks that nearly any traditional interview process would immediately uncover, then think it's so novel it's worthy of a blog post.

On the surface it seems the "security" industry is lacking in the most basic of security processes when hiring.

I don't think I've ever worked anywhere that could accidentally hire a North Korean without uncovering it somewhere in the hiring process, and all my jobs have been especially uninteresting.

What bothers me more is there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.

bri3d

> On the surface it seems the "security" industry is lacking in the most basic of security processes when hiring.

They found this person at the top of the funnel, before they even started the process, and then chose to go through with it out of curiosity / for advertising. I personally think it's silly (I don't think the advertising or learning about some comically basic TTP like "interview coaching" was worth their team's time) but it's not a lack of basic process in this case.

I will say that hiring for remote jobs has gotten to be a gigantic time waste lately. Even though even moderate background checking can filter these candidates out, it's quite time consuming, and with the rise of generative AI these types of candidates (whether state-sponsored malicious actors or overemployment shops) are appearing in every industry and every role constantly by the hundreds. I disagree completely with other posts claiming only crypto and finance are being targeted; while it's hard to confirm and the North Korean operation specifically may be more tailored, fake candidates are rampant throughout the tech industry now.

ryandrake

> I will say that hiring for remote jobs has gotten to be a gigantic time waste lately.

Not sure why this would be any different for remote jobs. All job interview processes (remote and in-office) I've ever done have had an in-person step, and that should be enough to filter these fake candidates, no? Are companies really doing 100% remote interviews, as in: you sign the offer letter without even meeting a single person in person??

Also, the in-person step is usually at the end, which means yes, you can waste a lot of time phone- and Zoom-chatting with fake candidates, but that is equally true for in-office vs. remote roles. Nobody starts with the in-person, on-site interview.

prmoustache

Last company that hired me did everything remotely. This was in a company that only hired people living in countries where it had offices and no b2b contract, so there are a number of things that needed to be local:

- local ID or work permit
- physical address in the country
- bank account in same country
- social security number

Stuff can be forged but that needs local spy level of skills to make it work.

They were also hiring a company specialized in background checks. I literally had to fill out a form with the 14 places I had been living in all my life with dates of entry and exit, super annoying given the UI was slow as hell and that I had low recollection of addresses and dates of my early years; I had to ask my parents. I may have been able to cheat probably, but I didn't try.

I am also seeking a new position and I have realized that most b2b / work from anywhere jobs you could apply for were for cryptocurrency / blockchain related companies, so they surely make it easier for malicious remote applicants. I think it means they are kind of desperate / have difficulty finding talent. In other areas most companies only hire people who live in the same jurisdiction where they have an office and HR department.

xp84

Yes, my fully remote company has been hiring for the past 3 months, I've conducted at least 70 first-round interviews, and we hire without in-person meetings.

hibikir

If your position is remote, and the cost of every in person interview includes two way flights, per diem and a hotel room, it's very tempting to skip the in person step, especially if you expect to fail a lot of in person candidates. Imagine paying that much when your interview to offer rate is 25%, and offer to hire is 50%. That's $8k-$10k extra per hire, on top of the normal cost of the funnel.

RajT88

I did not get hired without in-person interview, but a number of my team members (certainly people I interviewed and recommended for hire) did.

bluGill

10 years ago all interviews were in person. With the pandemic they all went 100% remote. We proved that 100% remote positions can work and so there is temptation to continue doing 100% remote interviews for people that will be working remote anyway.

Though we have been burned by someone we believe (but cannot prove) was 100% remote and working two jobs at the same time (they were laid off in a recent downsizing before we could get enough evidence, but they didn't seem as productive as we would expect). So I expect even if you apply for a 100% remote position you will need to do one round of interviews onsite. (though who knows if this will protect us)

MartinodF

Yes, I am in a hybrid role, went through 5 interviews and several more check-ins, and the first time anyone saw me in person was on the first day when I picked up my laptop at the local office (which wasn't even required, I had the option of having it shipped to my home address).

squigz

All interview processes I've gone through have indeed been 100% remote. When considering this, you should keep in mind the number of developers that aren't earning top 1% incomes or being offered stock in companies. Things are probably a lot more casual than you may be used to.

hnlmorg

> I disagree completely with other posts claiming only crypto and finance are being targeted; while it's hard to confirm

I can definitely confirm it’s not just finance and crypto being targeted.

I can also confirm it’s not just state sponsored North Korean agents too. Sometimes it’s just individuals trying to fake it until they make it.

However I don't agree with your conclusion that remote interviews are not dead because of this. Yes it's annoying and time consuming filtering out these culprits, but the interview process already was an annoying and time consuming process to begin with. So I wouldn't be so quick to throw the baby out with the bath water.

andy99

> I will say that hiring for remote jobs has gotten to be a gigantic time waste lately. Even though even moderate background checking can filter these candidates out, it's quite time consuming and with the rise of generative AI...

Good. I hope the whole hiring process gets blown up. The root cause of this is transactional hiring. Companies treat applicants like commodities, and now bad actors have found out how to game it.

herculity275

Do you want the industry to go back to only hiring from the top ~20 schools and by word-of-mouth networking? Coz that's the only viable alternative to the current interview process.

dilyevsky

If you think this is going to lead to better treatment of candidates in the industry then I got really bad news for you.

mingus88

Hate to say it but jobs are commodities for the employee too. Why would it be any different the other way around?

So many roles are basically interchangeable and I’ll choose whichever one looks best on my resume or gives me some other tangible benefit. And I am prepared to bounce as soon as my vesting schedule drops. We all game this system too.

The days of us loyally working at any firm for 20 years, singing the corporate cheer songs and retiring with a pension are stuff of a different age.

bko

I think it's useful to test what questions they are and aren't prepared for. In the future you won't necessarily know they were an imposter, so it's good to devise and test certain captcha-like questions to tease out the fake from the real candidates.

corytheboyd

> yet fake people are getting hired left and right.

Hate to be that person, but what are you reading that makes you think this is true?

Agree that the article is pretty dumb though, especially the OSINT and Crypto “don’t trust, verify” comments. Feels like content marketing that didn’t really hit.

ta1243

They're getting interviews left and right

https://www.theregister.com/2025/04/29/north_korea_worker_in...

According to Crowdstrike (the company that wiped out most of global technology last year) at least

> My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly

ductsurprise

> My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly

I'm sure there were a lot of false positives with that question.

If I was not reading HN and a few other sources I would likely hang up the phone too.

Thinking that it couldn't be a real job,... some phishing scam or hoax, asking ridiculous questions like that.

Depending on the job, it is quite likely the real talent would not be able to take the interview seriously after hearing such a question.

Seriously weird times...

eunos

> How fat is Kim Jong Un

Ha if I got asked that during an interview, I'd think either I went to the wrong interview or the interview is a red flag.

jwilber

Hired left and right != interviewed left and right != interviewed quite a few at Crowdstrike.

Maybe you’re contributing to the narrative with the posts like above. It’ll certainly drive engagement.

cj

80% of our recruiter's time is spent trying to figure out which candidates are real and which are fake.

It's really, really bad. We post a role, get 500 applicants, and nearly all of them are not legitimate. They all look amazing, really great resume, impressive LinkedIn, etc... but when you dig a little deeper, it's not that hard to find a bunch of red flags (LinkedIn profile created < 3 months ago, VOIP number, using VPN to submit job application, etc). You really have to know what signs to look for. They're very convincing fakes.

We're extremely vigilant about this issue as a company, yet we've had people get through 2 or 3 rounds before someone realized something was off (some people are really, really good at faking it).

I feel bad for small companies trying to hire. For us, it got to the point where we literally couldn't open a role unless we had a full time recruiter to sift through all the international candidates pretending to live in the US.

Edit: We've been dealing with this for a couple years now, and there still isn't a great solution. Unfortunately the only surefire "solutions" we can think of are also things that would make the interview process less enjoyable for real candidates, which sucks. (One idea was to ask candidates to show us photo ID during the video interview, but something about making a candidate do that just doesn't feel good - although we have tried it, and it has effectively stopped a few fake people from getting through)

fc417fc802

Don't you have to ask for ID at the end anyway? So the only question is avoiding behavior that makes it look like you're a fake job listing harvesting PII or something.

Is the issue skilled candidates that are misrepresenting where they live, unqualified candidates with fake resumes trying to land the position anyway, or something else?

What have you tried?

If they trip enough red flags and it's an international issue, you could just be up front that you're suspicious (including why) and ask them to go outside and take a video of themselves in front of wherever they live. Then you check it against street view, scrutinize the vegetation, that sort of thing. Require the rest of the interview process to be via video call with a wide view of the room to ensure it's the same person. That solution is respectful of their time since it's quick and easy for them. They also presumably already shared their address with you so it's not particularly invasive.

aleph_minus_one

> We post a role, get 500 applicants, and nearly all of them are not legitimate. They all look amazing, really great resume, impressive LinkedIn, etc... but when you dig a little deeper, it's not that hard to find a bunch of red flags (LinkedIn profile create < 3 months ago, VOIP number, using VPN to submit job application, etc). You really have to know what signs to look for. They're very convincing fakes.

To me, what you call "red flags" rather looks like a description of often outstanding programmers who are quite privacy-conscious (think into the direction of "somewhat cypherpunky").

atrettel

Thank you for posting this. It definitely gives a lot of perspective about what is going on right now.

tough

Maybe leaving the photo ID ask for when there's suspicion only is fine.

hibikir

As the last interviewer in a loop, I have caught fake candidates. This means they are getting through earlier rounds in my own employer, and makes me think I don't have a 100% success rate.

unsupp0rted

There's always that guy on X who posts about having n remote jobs at the same time, waiting to be fired from each so that he can replace that slot with another.

Then next year it's a different guy, same schtick.

mingus88

I’ve also seen some claim that they will do that and simply sub-contract the work out to cheaper labor

If the employer is satisfied with the employee's output, who is being harmed?

sanktanglia

I mean the article did point out that there were some official emails for other companies mixed in with the info for this user, suggesting they or others have gotten hired and have official emails at other companies.

klodolph

The fake people are sometimes backed by entire teams (the article alludes to this). It’s easier to do well in your job when you’re supported by a team of people, maintaining the fiction that you’re one person.

This isn’t happening left and right. It’s an attack against specific industries, like crypto and finance. It’s one part of a broader pattern of attacks.

ash-ali

Last year's Falcon (CrowdStrike-specific conference) they for the first time ever showed live the interviews of 3 North Koreans trying to get a job in software engineering positions at some Fortune 500 companies. I was baffled at how every 'security' question to validate the person is actually in the US got glossed over, like: "my ID is at my home right now, and I'm in my office so I don't have that with me".

tekla

I mean you see that here on HN right? People claiming that any arbitrary question is something they have no idea about, like the color of their front door.

kelseyfrog

If this harms the crypto industry even a little I'm not sure I'd feel even a twinge of sympathy. Is there anything I can do to assist NK in these affairs?

klodolph

“These people (crypto industry) are bad people so it is justified to ignore the rule of law when hurting them” is a classic bad take. What you can do is regulate crypto into oblivion and make people feel bad about working in crypto.

If you assist NK, then you’re hurting crypto but you’re funding NK operations (e.g. NK soldiers assisting Russia against Ukraine).

danielvf

It used to be only against specific industries, but now it's evolving. Now they have groups just going after remote IT jobs regardless of industry.

nradov

Beyond just the salary, once they have access to the corporate network they can execute other attacks to steal from company accounts and infiltrate connected business partners. Most organizations still have very weak protection against insider threats.

thephyber

> there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.

An entire country has dedicated significant resources to getting some of their hackers hired. Those talented people you mention are likely trying to get hired by themselves. It’s not an industry problem so much as a coordinated attack.

tlhorsu

The whole situation makes me as a job seeker even more paranoid. I had an initial interview scheduled over video but I had a power outage and had no choice but to use my phone. It's the dumbest coincidence ever and hasn't happened again, and if it makes me look suspicious, so be it. For some reason none of my phone cameras worked with Google Meet because Google engineering sucks and the interviewer kept asking me questions why my camera was off. I answered honestly that I had a power outage and this was my only device I had available on such short notice, that Google Meet wasn't working, etc. I even talked to the hiring manager half an hour over schedule since we clicked so well, submitted my code exam but was rejected without any explanation.

Because I got no explanation the potential reasons for my rejection rolled over in my head. I finished the exam to the best of my ability - was my ability just not good enough? If I went to e.g. the library or something to hunt for a station with webcams in time would I have not come off so suspect?

Since then I've gotten no other interview offers elsewhere and feel like a moron for blowing my one chance last month over such a stupid coincidence, if it really was the case they rejected me for thinking I was some kind of corporate spy. It really was the definition of "too good to be true." I will now pay way more attention to how I appear to the interviewer from now on, and carry extra devices/webcams in case the worst happens.

data4lyfe

You really have to just ask dumb interview questions. Testing them on answering questions while putting their hand over their face or their hands covering their eyes now. It's really dumbi-fied our interview processes (see https://datastream.substack.com/p/my-foolproof-interview-que...)

duxup

I know some good folks who work in the security industry.

It seems like there's a very WIDE range of quality people / companies, and an awful lot of complete FRAUDS.

For whatever reason "security" seems to have attracted a lot of carpetbaggers.

The good folks are very sensitive about it.

donnachangstein

Absolutely! It's probably 90/10.

Nothing gives someone away as a poser as much as bragging about OSINT as if it's some sort of tradecraft meanwhile they're executing the same skills your average wine aunt does stalking her ex-boyfriend on Facebook.

sam-cop-vimes

This sounds unnecessarily dismissive. It was a quick and interesting read, and there are some useful data points for every company that is hiring to improve their processes.

bravoetch

Given the stakes, it was an inexpensive way to remain calibrated against this kind of attack. Sharing the information is also great. People seem to be expecting cyber-thriller level heist antics here, when it's often much simpler.

Multiplayer

Here's a heretical thought: Remote hiring is a massive Achilles heel.

I've been duped simply by hiring a great engineering candidate who then farmed out the actual work to remote workers in Pakistan and India. We caught on fairly quickly thanks to one of them forgetting to log in to one of our backend systems via VPN a few times. No idea how many companies he was "working for" but I'd bet we were one of many.

Remote work has amazing upsides and tremendous security implications.

causal

So that's probably a sign that your team culture and management isn't the best... Healthy teams communicate a lot and really get to know each other, whether in person or remote. Ideally with regular in-person meetups to reinforce those working relationships.

If you're just throwing work over the fence and it takes network analysis to figure out who's doing it...then maybe you should just be hiring a contractor anyway.

sanderjd

Yeah I similarly find this baffling. This very flatly would not work in any job I've had, whether in person or remote.

skippyboxedhero

I have worked in places where this would work...all terrible places that usually had someone with a "maverick" view of how organizations worked derived from reading Warhammer books or something.

qingcharles

I had a colleague doing this in 2006, and he wasn't remote. He would just sit playing games on his phone all day yet he would check in code. I could never figure it out, so I just asked him and he showed me the chat window to his friend back in the Czech Republic that he paid 25% of his wages to each month.

ryandrake

I'm not sure I'm really against this! --IF-- the company is happy with the results and code being delivered, and the compensation they are paying for that code, what is the actual, meaningful business difference between whether your colleague wrote it or the Czech guy wrote it?

I'm not asking what the moral or ethical difference is. They're paying for engineering output, and if they are getting that output, why does it really matter whose fingers are typing it in?

herculity275

I can think of a few reasons, most obviously that it's a security nightmare - you've got a non-employee accessing and modifying your company's code and possibly having access to customer data. Some shops might not care about this, but it's ridiculously irresponsible in principle.

sally_glance

Ironically if he told management that he's able to manage a remote team which provides the same amount of work for 25% cost there's a good chance they give him a raise and promotion to outsourcing manager /s

mattlondon

Yep. It started with COVID where understandably 100% of interviews were remote.

But now with COVID a thing of the past, for "fairness" reasons (DEI?) we still do 100% remote interviews, but now have the ludicrous situation where we're asking interviewers to do absurd things like look for the reflections in the candidates' eyes/glasses to see if they're using ChatGPT, ask the candidate to swing the webcam around to make sure there are not other people in the room, ask them to hold their hands up to the camera to show they're not typing a prompt (which is even more stupid than it sounds because voice recognition is amazing these days), or ask them not to look away from the camera when answering questions (so not reading answers from another monitor) and other stupid things. How ridiculous.

The sooner we get back to in-person interviews the better. Get them to come to the office (which they'll need to do one day if they get the job) and sit next to them while they code on a work laptop.

Sorry to all those folks who want 100% remote, but this is why we can't have nice things.

sanderjd

And similarly forbid them from using AIs while they code on that work laptop in person? Are employees forbidden from using AIs for work? If not, why require that during evaluation? If it's not required during evaluation in person, why require it remotely?

(I don't know the answers to how to interview in this brave new world, but I'm increasingly skeptical of forbidding tools that people will be using for the job.)

suzzer99

Because job interviews don't test real-world programming skills, which is a whole other issue.

willcipriano

I think the best interview question, and really the only one you need to determine technical ability, is to ask someone to describe an HTTP request in as much detail as possible.

To write code (even with the benefit of AI) effectively you need a mental model of the systems you work with, reading the chatGPT response doesn't prove you have that.

emchammer

If you want to work as a clerk at Target, the video is not even an interview, it’s a one-way audition you record to be judged anonymously.

Espressosaurus

My suspicion is that it's purely monetary and driven by the finance people.

a) Don't have to pay to fly candidates out, pay for their hotel, etc.

b) Don't have to pay relocation

c) Get access to a larger pool of candidates, so can price the wages lower than local wages would require

At my last company there was a top-down directive that in-person interviews were straight up not allowed, everything had to be over Zoom. Even for local candidates, for a job that was supposed to be in-person! Completely crazy IMO.

sanderjd

The advantage of a larger pool of candidates is not mostly a financial benefit, IMO. The benefit is mostly the ability to hire from a larger pool of people especially with a specialized skillset, and also to have less of an echo chamber.

But yes, that directive to interview local candidates over zoom does seem very silly.

eloisant

Only a) is valid, as you can fly candidates for interviews and have them go back to their home city to work remotely.

exhilaration

Yeah after a disastrous remote hire I started requiring in-person 2nd round interviews. Company policy is that all future hires are hybrid only (not that we or anyone else is hiring these days...) so it just makes sense.

For developers I share my screen on MS Teams so everyone can watch, then hand them my laptop with Visual Studio. They've got 90 minutes to complete a small assignment while we look at them code - Google is allowed, so is copying and pasting from Stack Overflow, and we'll probably allow Copilot as well. The code needs to run and return the expected results. One candidate said, "this was great, it felt like real work".

For cloud admins, our Devops lead creates a new resource group, hands over his laptop, and we ask them to create a few resources and do the network and authentication to make them talk to each other. Most candidates can't do that anymore - we're finding they've become Terraform operators that don't know how the underlying technology works.

tehjoker

COVID isn't in the past, just no one doing anything about it. :)

sam-cop-vimes

Totally agreed. The number of "engineers" who try to cheat their way through interviews or juggle multiple jobs without disclosing them makes it a total nightmare.

beezlebroxxxxxx

I've heard through the grapevine of some designers (one who worked at Shopify) getting caught using Fiverr (or something similar) to farm out all of their work.

Despite all the weird crazy dog and pony show and jumping through hoops that most companies do now, most companies are abysmal at hiring.

criddell

What can you do during the hiring process to know that this amazing person, who aces every part of the interview, will farm out their work to cheap subcontractors?

darepublic

Nothing I guess? Except that they will continue to be vetted after being hired for the quality of their work.

Just spitballing, but even if someone has a remote computer after getting hired and is onboarded, they should not have access to sensitive systems. So while you can't completely prevent the possibility of hiring a malicious actor, security should not simply be on/off. The Register article mentioned how after these devs were hired they were immediately able to kick off their plans. I think security is not structured properly if that is the case.

qingcharles

It's hard. I mentioned in another comment I had a work colleague in 2006 who farmed out all his work. He was capable of doing the job, but it was simply more enjoyable for him to play video games all day while someone else did the work for 25% of his salary.

sanderjd

The thing I'm always curious about with this is: What is the actual bad thing happening here?

Is the subcontracted work not good enough? Well, then the problem is that the work is not good enough.

Is the person not contributing in other ways that you want them to contribute because they have other jobs? (eg. chat conversations, meetings, team building, etc.) Well, then the problem is that they aren't making those contributions.

Or is it just that you're paying them more than you would have to pay the subcontractors if you found and managed them yourself? Well, then you are totally free to skip the middleman and do that yourself. But there is, actually, value in finding and managing freelance work. I certainly don't want to do that myself! If someone is good at doing that, and the quality of the work they are managing is acceptable to me, then it seems like they might be earning their paycheck?

I do get that the dishonesty element is bad in and of itself, but I honestly wonder whether, if this is a problem a firm is having, they should consider hiring the work out to subcontractors, without any subterfuge.

ryandrake

I don't think this has anything to do with remote vs. onsite work. It has more to do with remote vs. onsite interviews. A thorough onsite interview should catch all of these fake candidates. Companies should be doing at least one onsite interview regardless of whether the role itself is remote or onsite.

hughes

A very easy way to verify a remote candidate's identity is to buy them a plane ticket to an in person interview.

If they cannot board a plane using their claimed identity from their claimed city of origin, you can stop there.

bluGill

Only if they are 100% fake as opposed to farming out work to someone else. I can turn up to an interview in person no problem. When hired I just have the person in India use my name/picture and do the work.

Of course if they hire me as opposed to that person in India directly there is likely a reason they wanted someone in the US. Often those reasons are legal and somewhere a law is being broken.

alexandre_m

Easy, but expensive way.

Are you really going to do this for all candidates that make it to the final round of interview?

Are you also going to compensate the time for the candidate if he doesn't get selected?

Unless what you're proposing is more a formality, and that unless the person doesn't show up he's guaranteed to get the job.

vunderba

A friend of mine's company is completely remote only, but they use a shared workspace to conduct interviews for exactly this reason.

ferguess_k

Some people did this with in-office too I think, some years ago. Some people actually had two jobs, both sort of in-office. It's still possible to pull the tricks.

financypants

The rate of this happening has got to be so low it's negligible.

ferguess_k

I agree. It's kinda hard to pull this off. Just saying.

woah

The funny part is that in these stories about fake candidates using a whole team of people, it sounds like they are actually successful in doing the work, something that had not been achieved in software dev outsourcing before

InitialLastName

It's only "successful" because there's an alternative, presumably-nefarious funding stream from a third party who wants to gain access to IP/user data/influential functionality.

It's essentially a subsidy heavily distorting a very specific market.

bluGill

Are they? I suspect someone I used to work with was outsourcing. They did great on the interview but their on the job performance wasn't nearly as good.

codecraze

In 2024 I've conducted a lot of interviews to recruit some frontend and backend engineers in full remote roles.

And at one point I was getting a lot of candidates with European names, no picture, good resume.

And when I met them over a call it was very strange: they were all Asian (with really typical Nordic names), they were like clones in the way they talked and answered questions exactly the same. They also claimed to be from Sweden/Finland/Norway for most of them, but yet they had a strong Asian accent. Not Nordic at all.

This was really fishy and since the fit wasn't there I stopped the interview without thinking about it too much. But the more I think about it, the more I tend to lean toward North Korean candidates.

stainablesteel

Their strategy honestly says a lot of crazy things about their worldview.

woutersf

What do you mean by this (genuinely curious).

stavros

This is an interesting article, but doesn't this:

> our Red Team launched an investigation using Open-Source Intelligence gathering (OSINT) methods.

basically mean "some guys in the company googled him"?

spacebanana7

You can go further. Reach out to data brokers and see whether they've got any information from ad tracking / leaks.

stavros

Is that OSINT, at that point? I guess maybe if you get a free trial, but isn't that stretching the definition a bit?

42lux

Sophisticated.

orbital-decay

I don't see anything about the guy being North Korean in the article. It's pure clickbait full of bragging about "our DNA".

> Their resume was linked to a GitHub profile containing an email address exposed in a past data breach.

How is it an indicator of anything? Any actively used e-mail address that is older than a few years will be listed on haveibeenpwned.

layer8

The establishing link was this:

> We received a list of email addresses linked to the [North Korean] hacker group, and one of them matched the email the candidate used to apply to Kraken.

udev4096

> Any actively used e-mail address that is older than a few years will be listed on haveibeenpwned.

Which is why everyone needs to switch to passkeys. It's crazy that we still use passwords for authentication.

moshegramovsky

100%. There is a bragging tone that felt completely unwarranted. Like being on a date with someone who is really insecure.

anonymousiam

Commenting on the events, CSO Nick Percoco said:

“Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks.”

It's funny to see the CSO of a crypto firm say this. It's the opposite of the whole way crypto works. In crypto, the transaction is processed (trusted) if all the credentials and keys are correct, regardless of who's behind it.

udev4096

Apart from that, he is running a crypto exchange, which is completely against the whole ideology of Bitcoin and other notable crypto. The guy is a fucking joke. Every crypto exchange has been extremely shady, from Coinbase to Binance to Tether. Kraken is no different.

gouggoug

Not to mention the silliness of this statement: "This core crypto principle is more relevant than ever in the digital age"

I wonder what crypto-currency looked like before the digital age...

Edit: added -currency suffix to crypto :p

arandomhuman

One time pads, enigma machines, Caesar ciphers :p

noitpmeder

> Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies. We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.

This doesn't sound so impressive?

This single red flag should invalidate the candidate immediately, end of story.

sam-cop-vimes

The article explains why they didn't invalidate the candidate immediately. They wanted to learn how they operate.

Dachande663

From somewhere in the depths of an old reddit thread, someone recommended asking candidates "How fat is Kim Jong Un?" Instant hang-up.

arduanika

In the depths of an old reddit thread, OR in a different thread that happens to appear today, alongside this one, on HN front page!

https://news.ycombinator.com/item?id=43853382

Capricorn2481

I'm with others: This is a silly anecdote from Crowdstrike of all companies. If I was asked how fat Kim Jong Un was, I would probably wait for some kind of "I'm kidding," and hang up if I didn't get it.

I don't believe they are earnestly identifying spies, even if they believe it. Not that they need spies to hack our system anyway, they managed to bring half the country to a halt by themselves.

the_af

Why would this work? Spies are trained to behave like the host country would expect, why wouldn't hackers?

If hackers have access to the outside world (something they would need to be effective), they'd know the world thinks Kim is fat.

"He's very fat, haha!", end of story.

Edit: wait, or better yet: "how on earth would I know, and why are you asking this in a job interview? Is this because I'm Korean? I'd like to file a complaint with HR, what was your name again?"

danielvf

These aren't spies first. They are often children of well-to-do, high-loyalty group North Koreans. It's just a privileged job.

The skill and IQ level varies widely, from super smart to super unskilled. And these roughly get sorted out into different groups with different MOs. North Koreans aren't some uniformly skilled group. You could be targeted by a team of world-class bytecode exploit geniuses who rehearse every move, or by the equivalent of Milton from Office Space.

Dissing Kim is something that is not currently widely permitted in NK. It just isn't worth it personally.

Not saying no one from NK ever will, but so far almost everyone will immediately stop the conversation at this point. There are plenty of crypto people who have monthly or weekly encounters with NK job applicants.

the_af

I find this answer highly implausible, not least because maintaining cover doesn't count as dissing ("I infiltrated the org by telling them the lies they wanted to hear" is hacking 101). Also, North Koreans aren't dumb.

I find some people's attitude to NK hackers slightly schizophrenic: either they are a credible threat or they are amateurs. Which one is it?

> Dissing Kim is something that is not currently widely permitted in NK

This wouldn't be "widely", this would be a specific interaction with a hostile foreigner for the purpose of infiltrating them. It's not the same as being allowed to say this to fellow North Koreans.

> Not saying no one from NK never will, but so far almost everyone will immediately stop the conversation at this point.

Legitimate candidates would at this point too, so as a tactic this is useless.

smallnix

Not sure some rank and file 50ct army "hacker" wants to take the risk to insult their god-dictator.

the_af

If he's acting under NK command, this wouldn't be insulting, it's just doing a hacker's work.

Besides, you cannot have it both ways: either North Korean hackers are a "50ct army" or they are a credible threat. Most seem to be arguing they are a credible threat.

Also, he can always take the second option: "why are you asking about this in a job interview?", something many legitimate Korean candidates could ask.

ianhawes

This is pretty boring. Let me know when you drop an implant on their host device and move laterally to other attackers' devices, or engage in a long con and get them to travel to a US-extraditable country.

iagooar

> We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.

Sounds like you had to really push the boundaries of what is humanly possible to uncover this one.

fracus

"During their initial call with our recruiter, they joined under a different name from the one on their resume, and quickly changed it."

The article could have been this short.

This article also helps the Korean hackers by providing in depth commentary on how they were caught and how to improve.

TheGCMadeMeDoIt

I fail to understand the whole "advancing the candidate through the interview to learn more about how they do this" plan.

They already knew the candidate's name, email, and GitHub were all part of past breaches. I could understand if they were fishing for more information to contribute to a shared list, but it seems like they knew virtually everything they needed to know.

Asking the candidate to justify the inconsistencies outright would've been just as helpful as the final interview IMO.

Is there something I'm missing there?

klodolph

Dollars to donuts the NK team is reading this article and adapting their strategies. IMO, rather than ask candidates to justify inconsistencies, you should forward the information to law enforcement and tell the candidate you’re hiring somebody else.

TheGCMadeMeDoIt

Well, they claim the final interview involved asking the candidate very specific questions about the town they claimed to be living in, and having them hold up government-issued ID to the camera.

My assumption based on this was they weren't certain it was someone malicious and they were double checking their own conclusion. If not it makes no sense to tip the candidate off that you're suspicious about them.

At that point I'd say asking the candidate outright is better than playing a weird game of "Name 5 restaurants not on Google maps in the town you live in".

But if they were sure, then yeah, skip the interview altogether and forward the information to law enforcement.

CharlieDigital

> Name 5 restaurants not on Google maps in the town you live in

I'm definitely a US based human and no way I get this right.

renewiltord

Right, so if you have a tell-tale sign, you concoct a story around other things instead. Parallel construction. They fix all the silly things but you still have the tell-tale.

cosmicgadget

> our security and recruitment teams strategically advanced them through our rigorous recruitment process – not to hire, but to study their approach.