S Pettigrove and L Misthos

Security Alliance exposes North Korean operatives posing as IT workers



The Security Alliance (SEAL), the leading non-profit security research group behind a number of initiatives aimed at enhancing security in Web3, has launched a new initiative to combat North Korean operatives posing as IT contractors who attempt to infiltrate blockchain projects and companies.


According to SEAL's Information Sharing and Analysis Centre (ISAC), IT experts, dispatched by the Democratic People’s Republic of Korea (DPRK), navigate freelance platforms and professional networks with crafted personas to gain contracts and generate foreign revenue—a critical means for the DPRK to circumvent sanctions and fund their weapons program. Their genuine abilities enable operatives to pass technical interviews and gather actual references in order to deceive prospective employers.


The threat of North Korean hackers targeting crypto jobs has been well publicized. Crypto firms are prime targets, not only for revenue generation but also for potential cyber exploits that could expose critical security gaps. While the claim that cryptocurrency is “untraceable” has often been debunked by law enforcement and cybersecurity experts, the pseudo-anonymity and irreversibility of transactions, coupled with the remote nature of these IT roles make the blockchain sector especially attractive to the regime.


According to SEAL-ISAC, the threat poses unique challenges:

To effectively detect when a North Korean IT worker is using fake identities to apply for a job, most companies ... need to gather and analyze various types of information to verify [the applicant's] identity, work history and education, digital footprint, patterns in code comments or documentation, and links to sanctioned entities. Unfortunately, that’s beyond the scope of most companies, even some well-resourced ones...

In response, SEAL-ISAC has launched a tool to assist companies in spotting malicious actors. Leveraging a dedicated threat intelligence feed, SEAL-ISAC compiles shared intelligence about known DPRK tactics and identities, accessible to member companies. Using the STIX (Structured Threat Information eXpression) standard, members can submit and search intelligence on suspect applicants, including fabricated documents and identifiers associated with North Korean operatives.
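As an added example (not SEAL-ISAC's own tooling, and not a description of its feed beyond the fact that it uses STIX), the Python below builds STIX 2.1 Indicator objects for the kinds of identifiers the text mentions (a reused contact address, the hash of a forged document, a persona's portfolio domain) and checks an applicant's submitted details against a constructed feed. All names and values are made up, and the restriction to single-equality STIX patterns is an assumption of the example.

```python
import re
import uuid
from datetime import datetime, timezone

# Parses one STIX comparison such as [email-addr:value = 'x@y.example'].
# Assumption: feed entries use single-equality patterns (no AND/OR/FOLLOWEDBY).
_CMP = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'\]$")

def make_indicator(obj_type: str, prop: str, value: str, name: str) -> dict:
    """Build a STIX 2.1 Indicator SDO with its required fields."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now, "modified": now, "valid_from": now,
            "name": name, "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": f"[{obj_type}:{prop} = '{value}']"}

def parse_pattern(pattern: str) -> tuple[str, str, str]:
    """Split a simple pattern into (object type, property, value)."""
    m = _CMP.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m["obj"], m["prop"].replace("'", ""), m["val"]

# Constructed feed: every value below is made up for this example.
FEED = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    make_indicator("email-addr", "value", "jdoe.dev@mail.example",
                   "Contact address reused across fabricated personas"),
    make_indicator("file", "hashes.'SHA-256'", "a1" * 32,
                   "Forged diploma PDF submitted by a member"),
    make_indicator("domain-name", "value", "portfolio-jdoe.example",
                   "Portfolio site tied to a known persona"),
]}

def vet_applicant(applicant: dict, feed: dict = FEED) -> list[dict]:
    """Return feed indicators that match the applicant's observables.
    Keys of `applicant` are 'type:property' strings, e.g. 'email-addr:value'."""
    hits = []
    for obj in feed["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # skip relationships, notes and withdrawn indicators
        o, p, v = parse_pattern(obj["pattern"])
        if applicant.get(f"{o}:{p}", "").lower() == v.lower():
            hits.append({"indicator": obj["id"], "name": obj["name"],
                         "observable": f"{o}:{p}"})
    return hits
```

A hit is a reason to escalate the application for manual review, not a verdict on its own, and a real feed would also carry the STIX Relationship and Note objects that record who submitted each indicator and why.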


As this cat and mouse (or is it seal and fish?) battle continues, the increasing sophistication and resources backing DPRK IT workers underscore the need for more advanced vetting processes, even with the limitations noted above. With increasing demand for blockchain talent and IT workers, companies may feel pressed to fill roles, inadvertently inviting these “wolves in sheep’s clothing” into the flock of their business. SEAL-ISAC's new initiative encourages a coordinated, multi-factor approach to identity verification to protect industry participants (and non-blockchain industries as well) from these threats.


By Steven Pettigrove, Michael Bacina and Luke Misthos


Disclosure: Piper Alderman is an advisor to the Security Alliance alongside leading blockchain and cyber security lawyers, including Gabriel Shapiro, the Lexpunk coalition, Debevoise & Plimpton LLP, and the policy teams at Paradigm and A16Z Crypto, among many others.
