S Pettigrove and L Misthos

Security Alliance exposes North Korean operatives posing as IT workers



The Security Alliance (SEAL), the non-profit security research group behind a number of initiatives aimed at enhancing security in Web3, has launched a new initiative to combat North Korean operatives who pose as IT contractors in an attempt to infiltrate blockchain projects and companies.


According to SEAL's Information Sharing and Analysis Centre (ISAC), IT experts dispatched by the Democratic People’s Republic of Korea (DPRK) navigate freelance platforms and professional networks with crafted personas to gain contracts and generate foreign revenue—a critical means for the DPRK to circumvent sanctions and fund its weapons program. Their genuine abilities enable operatives to pass technical interviews and gather actual references in order to deceive prospective employers.


The threat of North Korean hackers targeting crypto jobs has been well publicized. Crypto firms are prime targets, not only for revenue generation but also for potential cyber exploits that could expose critical security gaps. While the allure of cryptocurrency as “untraceable” has often been debunked by law enforcement and cybersecurity experts, the pseudo-anonymity and remote nature of these roles make the blockchain sector especially vulnerable.


According to SEAL-ISAC, the threat poses unique challenges:

To effectively detect when a North Korean IT worker is using fake identities to apply for a job, most companies would need to gather and analyze various types of information to verify their identity, work history and education, digital footprint, patterns in code comments or documentation, and links to sanctioned entities. Unfortunately, that’s beyond the scope of most companies, even some well-resourced ones.

In response, SEAL-ISAC has launched a tool to assist companies in spotting malicious actors. Leveraging a dedicated threat intelligence feed, SEAL-ISAC compiles shared intelligence about known DPRK tactics and identities, accessible to member companies. Using STIX (Structured Threat Information eXpression) standards, members can submit and search intelligence on suspect applicants, including fabricated documents and identifiers associated with North Korean operatives.

Awareness of this threat isn’t new, but the increasing sophistication and resources backing DPRK IT workers underscore the need for more advanced vetting processes. With increasing demand for blockchain talent, companies may feel pressed to fill roles, inadvertently inviting these “wolves in sheep’s clothing.” SEAL-ISAC's new initiative encourages a coordinated, multi-factor approach to identity verification to protect industry participants from these threats.


By Steven Pettigrove and Luke Misthos


Piper Alderman is an advisor to the Security Alliance alongside leading blockchain and cyber security lawyers, including Gabriel Shapiro, the Lexpunk coalition, Debevoise & Plimpton LLP, and the policy teams at Paradigm and A16Z Crypto, among many others.
