Beware! North Korean hackers' new tactic: hiring "European agents" to infiltrate encryption company recruitment processes.

Key Points:

• North Korean hackers used "European agents" to pass the first round of interviews, exposing their true identities in subsequent stages;
• Over $2.2 billion in cryptocurrency** was stolen in 2024, with North Korean hacker groups accounting for as much as 61% (**$1.34 billion);
• Hackers exploit false identities, third-party intermediaries, and remote work opportunities to penetrate Web3 security defenses;
• Recruitment fraud is escalating, with the rise of AI resume fabrication and interview cheating tools increasing the difficulty of identification;
• Cryptocurrency companies are tightening their hiring, relying on internal referrals, with a surge in demand for on-chain security and identity verification.

Interview Scam: North Korean Hackers Behind European Faces

A few months ago, the UK identity verification startup Cheqd conducted a software developer interview. In the first round of interviews, the candidate, who is said to be in Europe, performed exceptionally well: strong technical skills, rich experience, and fluent English.

However, during the second round of interviews and the on-site coding test, the situation changed dramatically: the other party's accent noticeably became more like that of an Asian person, the network was severely lagging, and the camera could not be turned on. What raised even more alarm was that when the Cheqd team reviewed the screen recordings of the coding test, they found that the candidate frequently switched between tabs and pages containing Korean characters.

Fraser Edwards, the CEO and founder of Cheqd, revealed to Decrypt that this person is just one of about 5 suspicious North Korean individuals that the team discovered trying to join the company in the past year. Although North Korea's infiltration of technology and cryptocurrency companies to carry out hacking attacks has been ongoing for several years, companies and recruiters report that the country may now hire foreigners as "front agents" to help them through the initial recruitment screening.

Edwards pointed out: "Almost without exception, the first round of calls that sound like a European person will later become obviously sounding like they are from somewhere in Asia."

On-chain losses are severe: North Korean hackers become the number one threat in crypto

According to Chainalysis data, hackers stole over $2.2 billion from crypto platforms in 2024, a 21% increase from the previous year. Of this, as much as 61% (approximately $1.34 billion) of the stolen funds were attributed to North Korean state-sponsored hacking groups.

The company emphasized in its annual report: "Cryptocurrency attack incidents from North Korea seem to be becoming more frequent. Some of these incidents appear to be related to North Korean IT workers, who are increasingly infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity." The report noted that these workers often employ complex tactics, techniques, and procedures (TTPs), such as: false identities, third-party recruitment agencies, and manipulating remote work opportunities to gain access.

Industry Alert: Multiple Crypto Companies Targeted by Intrusion Attempts

Cheqd is not an isolated case. In recent years, North Korean operatives have attempted (and sometimes succeeded) to infiltrate several cryptocurrency companies. Earlier this year, the cryptocurrency exchange Kraken disclosed that they too had been targeted, fortunately recognizing the threat before hiring.

Owen Healy, the director of Owen Healy Blockchain Talent, a blockchain recruitment company in Ireland, stated that using candidates primarily from Europe as proxies in the early stages of interviews is a tactic he has only started to observe in recent months. He has considerable experience in identifying North Korean infiltrators, having encountered them multiple times over the past few years, and has posted detailed identification and removal advice on LinkedIn.

"Some simple tricks," Healy said. For example, he would try to chat with candidates about pop culture or the situation in the area they claim to live in—he noticed that a disproportionate number claim to live in Toronto, Canada. "The goal is to get them off their preset script, and then it becomes apparent that they are not who they claim to be." But he worries that this new strategy may reduce the effectiveness of such methods. "It seems to be their next target: to hire agents from legitimate countries to represent them, ultimately outsourcing the work to North Korea."

Healy is more concerned that this will affect the company's attitude towards remote recruitment, especially multinational recruitment, and may lead to genuine applicants being mistaken for North Korean workers simply because they are located in Asia.

Recruitment Dilemma: AI Fabrication and Cheating Tools Intensify Risks

At the same time, technology is profoundly changing the recruitment landscape. A recruiter from outside the crypto field complained to Decrypt that the abuse of AI has led to a flood of "AI junk"—filled with ChatGPT clichés, unedited AI-generated resumes and cover letters. Their company has found candidates misrepresenting skills they do not possess and exaggerating language abilities, forcing the company to implement stricter verification processes to test candidates' qualifications, significantly increasing the workload.

Verifying specific skills (such as coding or language abilities) is particularly difficult, requiring recruiters themselves to possess these skills. Even skill tests have evolved into a "cat-and-mouse game" due to new technologies.

Just as Cheqd implemented real-time programming tests to ensure that developers possess genuine skills without the assistance of AI, a former Columbia University student in the U.S. raised $5.3 million for his startup Cluely, which aims to help users cheat in job interviews, exams, and sales calls. Its promotional video shows founder Chungin Lee using the technology to fake interest and gain advice on a date.

Such tools will undoubtedly help North Korean IT workers bypass the company’s "cultural background checks" and other screening methods, and hiring non-North Koreans to assist in job acquisition strategies will also make them harder to detect.

Crypto companies respond: tighten hiring, strengthen internal networks

For Cheqd, the current task is to consider how to strengthen its recruitment process. The company is about to hire several new positions, and Edwards believes that the process of identifying fraud and scam attempts will be more difficult than ever.

His primary strategy is to rely more on existing personal networks, seeking recommendations from acquaintances. "We may even stop public hiring altogether, which is bad because if you don't have that kind of network, you're basically out of options when looking for a job," he admitted. This reflects the urgent need for on-chain security and reliable identity verification solutions in the current threat environment, with recruitment becoming a key front line in Web3 security defenses.