The hiring team at Kraken, a U.S-based crypto exchange, noticed immediately that something was off about “Steven Smith,” a would-be IT worker who applied for a software engineering job in early October. But it wasn’t until they compared Smith’s email to a list of those suspected to be part of a hacker group that their suspicions were confirmed: Smith was a North Korean operative.
Kraken could have just tossed the application. Instead, Kraken’s chief security officer, Nick Percoco, decided to take a closer look at Steven Smith. He saw this as an opportunity to learn more about the infiltration tactics of North Korea, which have robbed billions from crypto companies, and how he could prevent that from happening at Kraken.
Percoco decided to advance Smith through the hiring process, having him speak with a recruiter and perform a technical test before setting up an interview. “We said this is going to be a get to know you, sort of, cultural interview.” Percoco told Fortune. “That’s where he really failed. I don’t think he actually answered any questions that we asked him.”
Smith was claiming to have received a bachelor’s degree in computer science from New York University, according to a copy of his resume reviewed by Fortune. He also claimed to have more than 11 years of experience as a software engineer at U.S-based companies like Cisco and Kindly Human.
The interview was scheduled for Halloween, a classic American holiday—especially for college students in New York—that Smith seemed to know nothing about.
“Watch out tonight because some people might be ringing your doorbell, kids with chainsaws,” Percoco said, referring to the tradition of trick or treating. “What do you do when those people show up?”
Smith shrugged and shook his head. “Nothing special,” he said.
Smith was also unable to answer simple questions about Houston, the town he had supposedly been living in for two years. Despite having listed “food” as an interest on his resume, Smith was unable to come up with a straight answer when asked about his favorite restaurant in the Houston area. He looked around for a few seconds before mumbling, “nothing special here.”
Here is the clip from the interview where Smith was asked about his favorite restaurant.
When asked to produce a physical ID, Smith said he didn’t have access to one at the moment but after a few minutes he shared a photo of a driver’s license with his name and photo. The address listed on the ID was over 300 miles away from Houston.
Smith’s job application is part of a growing threat facing American companies as thousands of supposed IT workers with ties to North Korea try to get hired for remote work in foreign countries. The network of operatives is part of an effort to fund the country’s weapons of mass destruction program by working multiple jobs at once and gaining access to companies to steal money from inside.
A growing threat
Kraken may have dodged a bullet but some companies haven’t been so lucky. The United Nations estimates that North Korea has generated between $250 million to $600 million per year by tricking overseas firms to hire its spies. A network of North Koreans, known as Famous Chollima, were behind 304 individual incidents last year, cybersecurity company CrowdStrike reported, predicting that the campaigns will continue to grow in 2025.
Crypto has proven to be particularly vulnerable to this type of social engineering. The Lazarus Group, another network of North Koreans, has been linked to some of the largest crypto heists in history including the record-breaking $1.5 billion hack of crypto exchange ByBit in February and the theft of $540 million from the Ronin Network blockchain in 2022.
While Percoco doesn’t know exactly what Smith’s intentions were, he assumes the operative intended to steal funds at some point. “They would get our company equipment, they would get access to some internal systems,” Percoco said. “What they would do after that, we don’t know but most likely try to steal funds.”
This story was originally featured on Fortune.com
