North Korean spy slips up, reveals ties in fake job interview



For months, Cointelegraph took part in an investigation centered around a suspected North Korean operative that uncovered a cluster of threat actors attempting to score freelancing gigs in the cryptocurrency industry.

The investigation was led by Heiner Garcia, a cyber threat intelligence expert at Telefónica and a blockchain security researcher. Garcia uncovered how North Korean operatives secured freelance work online even without using a VPN.

Garcia’s analysis linked one applicant to a network of GitHub accounts and fake Japanese identities believed to be associated with North Korean operations. In February, Garcia invited Cointelegraph to take part in a dummy job interview he had set up with a suspected Democratic People’s Republic of Korea (DPRK) operative who called himself “Motoki.”

Ultimately, Motoki accidentally exposed links to a cluster of North Korean threat actors, then rage-quit the call.

Here’s what happened.

Suspected North Korean crypto spy posed as a Japanese developer

Garcia first encountered Motoki on GitHub in late January while investigating a cluster linked to a suspected DPRK threat actor known as “bestselection18.” This account is widely believed to be operated by an experienced DPRK IT infiltrator. It was part of a broader group of suspected operatives who had infiltrated the crypto gig economy through freelancing platforms such as OnlyDust.

Most North Korean state actors don’t use a human face photo in their accounts, so Motoki’s profile, which had one, hooked Garcia’s attention. 

“I went straight to the point and just wrote to him on Telegram,” Garcia told Cointelegraph, explaining how he created an alter ego as a headhunter for a company looking for talent. “It was pretty easy. I didn’t even say the company name.”

On Feb. 24, Garcia invited Cointelegraph’s South Korean reporter to join an upcoming interview for his fake company — with the hope of speaking to the suspected DPRK operative in Korean by the end of the call.

We were intrigued; if we could meet with an operative, we had the opportunity to learn just how effective these tactics were and, hopefully, how they can be counteracted.

On Feb. 25, Garcia and Cointelegraph met Motoki. We kept webcams off, but Motoki did not. During the interview, conducted in English, Motoki often repeated the same responses for different questions, turning the job interview into an awkward and stilted conversation.

Motoki displayed questionable behavior inconsistent with that of a legitimate Japanese developer. For one, he couldn’t speak the language.

Related: From Sony to Bybit: How Lazarus Group became crypto’s supervillain

We asked Motoki to introduce himself in Japanese. The screen light reflecting off his face suggested he was frantically searching through tabs and windows to find a script to help him answer.

There was a long, tense silence.

“Jiko shōkai o onegaishimasu,” Cointelegraph repeated the request, this time in Japanese.

Motoki frowned, threw off his headset, and left the interview.

Motoki sensed something was off moments before leaving the interview.

Compared to bestselection18, Motoki was sloppy. He revealed key details by sharing his screen in the interview. Garcia theorized that Motoki is likely a lower-level operative working with bestselection18.

Motoki had two calls with Garcia, one of which was with Cointelegraph. In the two calls, his screenshare revealed access to private GitHub repositories with bestselection18 for what Garcia calls a defunct scam project.

“That’s how we linked the whole operation and the whole cluster… He shared his screen and revealed he was working with [bestselection18] in a private repo,” Garcia said.

Linguistic clues point to North Korean origins

In a 2018 study, researchers observed that Korean males tend to have wider, more prominent facial structures than their East Asian neighbors, while Japanese males typically have longer, narrower faces. These are broad generalizations, but in this case Motoki’s appearance aligned more closely with the Korean profile described in the study.

“Okay, so let me introduce myself. So, I am an experienced engineer in blockchain and AI with a focus on developing innovation and impactful products,” Motoki said during the interview, his eyes scanning from left to right as if reading a script.

An ID card submitted to Garcia by Motoki in his job application. Source: Ketman

Motoki’s English pronunciation offered more clues. He frequently pronounced words beginning with “r” as “l,” a substitution common among Korean speakers. Japanese speakers also struggle with this distinction but tend to merge the two sounds into a neutral flap.

He seemed more relaxed during personal questions. Motoki said he was born and raised in Japan, had no wife or children, and claimed native fluency. “I like football,” he smiled, pronouncing it with a strong “p” sound — another hint more typical of Korean-accented English.

Related: The whale, the hack and the psychological earthquake that hit HEX

Motoki unveils one more North Korean tactic

About a week after the interview with Cointelegraph, Garcia attempted to prolong the charade. He messaged Motoki and claimed that his boss had fired him due to the dubious interview.

That led to three weeks of private message exchanges with Motoki. Garcia continued to play along, pretending Motoki was a Japanese developer.

Garcia later asked Motoki for help finding a job. In response, Motoki offered a deal that provided additional insight into some of North Korea’s operational methods.

“They told me they would send me money to buy a computer so they could work through my computer,” Garcia said.

The arrangement would let the operator remotely control a machine physically located in the target country, so that the traffic freelancing platforms see comes from a local residential connection rather than from a VPN exit node. VPN or proxy use can trigger verification checks or account restrictions on popular freelancing platforms; driving a local PC through a remote-desktop tool sidesteps that signal entirely.

Motoki attempts to access a US-based PC through remote applications like AnyDesk. Source: Ketman
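The remote-control tactic above leaves a footprint that a security team on the receiving end (a company that issued the laptop, or a facilitator’s employer) can look for: a remote-access tool process running on the host, a long-lived inbound control session from a country other than where the machine sits, and freelancing-platform logins that happen while that session is active. The following is an added example, not code from the Cointelegraph article or from Garcia’s Ketman report; the telemetry format, the `RemoteSession` and `PlatformLogin` records, the tool list and the sample data are all constructed for illustration, and real EDR or NetFlow fields will differ.

```python
# Added example: correlate remote-desktop sessions with freelancing-platform logins
# to flag the "operator abroad drives a local PC" pattern. Telemetry shape is
# constructed for this example (assumption), not AnyDesk's or any EDR's real format.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Process names of common remote-access tools (assumption: tune for your fleet).
REMOTE_ACCESS_TOOLS = {
    "anydesk", "anydesk.exe", "teamviewer", "teamviewer.exe", "rustdesk", "rustdesk.exe",
}


@dataclass(frozen=True)
class RemoteSession:
    host: str            # machine being controlled
    process: str         # process that accepted the inbound session
    peer_ip: str         # controlling side
    peer_country: str    # GeoIP country of the peer (assumed pre-enriched)
    start: datetime
    end: datetime


@dataclass(frozen=True)
class PlatformLogin:
    host: str            # machine the login came from
    platform: str        # freelancing platform name
    when: datetime


def is_remote_access_tool(process: str) -> bool:
    return process.lower() in REMOTE_ACCESS_TOOLS


def foreign_control_sessions(sessions, host_country):
    """Inbound remote-control sessions whose controlling peer is outside host_country."""
    return [s for s in sessions
            if is_remote_access_tool(s.process) and s.peer_country != host_country]


def logins_during_remote_control(logins, sessions):
    """Platform logins that occurred while one of the given sessions was active."""
    hits = []
    for login in logins:
        for s in sessions:
            if login.host == s.host and s.start <= login.when <= s.end:
                hits.append((login.platform, login.when, s.peer_ip))
    return hits


def assess_host(host, host_country, sessions, logins, workday_hours=6.0):
    """Return human-readable reasons a host looks remotely operated from abroad.
    An empty list means nothing suspicious was found for that host."""
    foreign = [s for s in foreign_control_sessions(sessions, host_country) if s.host == host]
    controlled_hours = sum((s.end - s.start).total_seconds() for s in foreign) / 3600
    correlated = logins_during_remote_control([l for l in logins if l.host == host], foreign)
    reasons = []
    if controlled_hours >= workday_hours:
        reasons.append(f"{controlled_hours:.1f}h of remote control from abroad")
    if correlated:
        reasons.append(f"{len(correlated)} freelancing-platform login(s) made during foreign remote control")
    return reasons


# Constructed sample telemetry (assumption: IPs are documentation ranges, countries illustrative).
SAMPLE_SESSIONS = [
    # A full working day of AnyDesk control from a foreign peer on a US-located laptop.
    RemoteSession("laptop-01", "AnyDesk.exe", "203.0.113.7", "CN",
                  datetime(2025, 3, 3, 1, 0), datetime(2025, 3, 3, 9, 30)),
    # Benign: a one-hour TeamViewer helpdesk session from inside the same country.
    RemoteSession("laptop-01", "TeamViewer.exe", "198.51.100.4", "US",
                  datetime(2025, 3, 3, 15, 0), datetime(2025, 3, 3, 16, 0)),
    # A clean host with only a short local support session.
    RemoteSession("laptop-02", "TeamViewer.exe", "198.51.100.9", "US",
                  datetime(2025, 3, 3, 10, 0), datetime(2025, 3, 3, 10, 20)),
]
SAMPLE_LOGINS = [
    PlatformLogin("laptop-01", "freelance-platform", datetime(2025, 3, 3, 2, 15)),   # during control
    PlatformLogin("laptop-01", "freelance-platform", datetime(2025, 3, 4, 14, 0)),   # not during control
    PlatformLogin("laptop-02", "freelance-platform", datetime(2025, 3, 3, 12, 0)),
]


if __name__ == "__main__":
    for host in ("laptop-01", "laptop-02"):
        reasons = assess_host(host, "US", SAMPLE_SESSIONS, SAMPLE_LOGINS)
        print(host, "->", reasons or "no findings")
```

The two signals are deliberately kept separate: a single long foreign session is ordinary for a contractor who really does work from abroad, and a platform login on its own is meaningless, but a machine that is driven from another country for a full workday while someone logs into a freelancing platform from it is exactly the arrangement Motoki proposed. Country enrichment is the weak point; if the controlling side itself sits behind a residential proxy in the host’s country, this check will miss it, and process-level indicators (the remote-access tool being installed at all on a host that should not need it) become the fallback.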

Garcia and his partner published their findings on the cluster of suspected DPRK operatives tied to bestselection18 on April 16 on open-source investigative platform Ketman.

A few days later, Cointelegraph received a message from Garcia: “The guy we interviewed is gone. All his socials changed. All the chats and everything around him has been deleted.”

Motoki has not been heard from since.

Suspected DPRK operatives have become a recurring problem for recruiters across tech industries. Even major crypto exchanges are targeted. On May 2, Kraken reported it identified a North Korean cyber spy attempting to land a job at the US crypto trading platform.

A United Nations Security Council report estimates that North Korean IT workers generate up to $600 million annually for the regime. These spies are able to funnel consistent wages back to North Korea. The UN believes those funds help finance its weapons program — which, as of January 2024, is thought to include more than 50 nuclear warheads.

Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis


