Unchained - How North Koreans Infiltrated the Crypto Industry to Fund the Regime - Ep. 715

Episode Date: October 8, 2024

The crypto community is facing a new kind of threat—North Korean devs are infiltrating crypto companies to steal millions and funnel funds back to the regime in order to bypass sanctions. In this episode, Sam Kessler, CoinDesk's deputy managing editor for tech and protocols, and Taylor Monahan, security at MetaMask, explain how North Korea has embedded its operatives into the crypto space, the red flags companies should watch for, and what these hackers are doing once inside crypto firms. Plus, they share their most interesting stories about how these hackers have gotten hired at crypto companies and the red flags the industry should know about.

Show highlights:
What Sam found in his investigation about North Koreans infiltrating the industry
How Taylor has found that this is a recurring issue
Why Sam and Taylor refer to these infiltrated workers as 'IT' workers
The most interesting stories that Sam and Taylor have discovered
The trends in the hiring process that lead to North Koreans being hired, and what the big red flags are
How "easy it is to de-anonymize" addresses and transactions on blockchains
What assets and networks these workers often use to get paid
How, after infiltrating a company, those projects get hacked
How to deal with a situation in which you've already hired North Koreans
How to protect a protocol from another type of North Korean hack: by hacking groups
Whether the industry is getting better at security

Visit our website for breaking news, analysis, op-eds, articles to learn about crypto, and much more: unchainedcrypto.com

Thank you to our sponsors: Polkadot, Mantle

Guests:
Sam Kessler, CoinDesk's deputy managing editor for tech and protocols
  CoinDesk: How North Korea Infiltrated the Crypto Industry
Taylor Monahan, Co-Founder of MyEtherWallet
  Previous appearances on Unchained:
  The QuadrigaCX Case: Taylor Monahan on What We Know From the Blockchain
  MyCrypto's Taylor Monahan on Why She's Not a Fan of ICOs

Links:
Previous coverage of Unchained on North Korea:
  Why North Korea Is Interested in Cryptocurrency
  Yeonmi Park on Why Doing Business With North Korea Is Like Buying a Ticket to a Concentration Camp
Others:
  DL News: North Korean hackers are infiltrating crypto job boards in a 'quiet war' that rakes in $600m
  FBI PSA: North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks
  Chainalysis: 2024 Crypto Crime Mid-year Update Part 1: Cybercrime Climbs as Exchange Thieves and Ransomware Attackers Grow Bolder
  Chainalysis: Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises
  Chainalysis: Russian and North Korean Cyberattack Infrastructure Converge: New Hacking Data Raises National Security Concerns
  ZachXBT: How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

Timestamps:
00:00 Intro
01:59 Sam's findings on North Korean workers infiltrating crypto projects
04:04 Taylor on the recurring nature of the issue
09:05 Why they're referred to as 'IT' workers
16:17 Most interesting infiltration stories
34:16 Hiring trends and red flags for North Korean operatives
44:02 How easy it is to de-anonymize blockchain transactions
51:05 Assets and networks used for payment
54:06 How infiltrated companies end up getting hacked
58:36 What to do if you've already hired North Korean operatives
1:00:21 How to protect a protocol from being hacked
1:06:22 Is the industry improving in security?

Transcript
Starting point is 00:00:00 What I'm concerned about is that this has been going on for years and years and years. And I really do think it's incumbent upon every crypto protocol to, if they're not sure, and if they haven't done an audit and a specific audit with an eye to these sorts of problems, do that audit and make sure their code is safe, because it's very possible that some of these exploits, whether it be malware on a personal machine, whether it be a tainted smart contract, have lain dormant for a very long time and just haven't been attacked. That doesn't mean that the attack isn't, you know, ready, ready to happen. Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin, author of The Cryptopians. I started covering crypto nine years ago, and as a senior editor at Forbes was the first mainstream media reporter to cover cryptocurrency full-time. This is the October 8th, 2024 episode of Unchained.
Starting point is 00:01:00 Polkadot is the original and leading layer zero blockchain with over 2000 plus developers, and the Polkadot 2.0 upgrade will be a massive accelerator for the ecosystem, making it faster, more secure, and adaptable. Perfect for GameFi and DeFi to build, grow, and scale. Join the community at polkadot.network/ecosystem/community. Mantle's mETH is now the fourth largest LST with $1.3 billion in TVL. mETH offers holders cumulative incentives and airdrops in addition to native ETH PoS yields. This includes exclusive rewards like Eigen and Cook. Check it out at meth.mantle.xyz/campaigns.
Starting point is 00:01:40 Today's topic is how North Korean hackers have infiltrated the crypto industry. Here to discuss are Sam Kessler, CoinDesk's deputy managing editor for Tech and Protocols, and Taylor Monahan, Security at MetaMask. Welcome, Sam and Taylor. Thanks for having us. Yeah, excited to talk about this. Sam, you published a bombshell of an article last week about how North Korean IT workers are infiltrating the crypto industry. Can you tell us what you found? Yeah. Thanks for calling it a bombshell. And also thanks. I mean, this is the first time I've talked to Taylor, you know, face to face since this all happened.
Starting point is 00:02:17 And she was a great source for this article, too, which is why I'm excited for this conversation. But long story short, for a while now, you know, at least since 2018, we found in our article, in our investigation, North Korean IT workers have been using fake identities, resumes, and so on, to infiltrate essentially tech companies, namely crypto companies, which was the focus of this article, to extract revenues that get sent back to Pyongyang to theoretically fund the missile program, according to the United States authorities and the UN. That's kind of at a very high level what's going on here.
Starting point is 00:02:55 the idea being that getting revenues back to North Korea's very heavily sanctioned regime is difficult using traditional employees when you're so sanctioned. So you've got to find other means to get money there. And how widespread is this in the crypto industry? And that was the, I guess, the bombshell part that you were referring to. It's quite widespread. So in this article, we named, I don't know the exact number that we ultimately named. There are around a dozen, but Taylor knows even more examples.
Starting point is 00:03:27 I think I individually independently identified 12 examples of companies in the crypto industry that have unwittingly hired these North Korean developers who said they were from Japan, Malaysia, Singapore, the United States, Canada, and so on. And they were some big companies too, which is part of what this investigation sought out to show people. It's not just companies and projects that you haven't heard of, but it's big name protocols that people listening to this podcast may know, Cosmos Hub, Injective.
Starting point is 00:03:59 There's a project from Yearn Finance. Sushi, there's a lot. So, yeah. Yeah, I know. It was quite eye-opening. So, Taylor, as Sam mentioned, you've also published frequently on North Korean workers infiltrating crypto over the years. And you have some really crazy stories with screenshots of whole conversations
Starting point is 00:04:20 that devs have had with North Koreans and all kinds of things. But yeah, why don't you just explain what it is that you've found over the years? Yeah. So historically, I've, you know, sort of looked at the more, I guess, well-known or like the big hacks, Ronin being like the biggest, I guess, or the most well-known. And then there was like Harmony, and then there was like the string of centralized exchanges, and on and on. The IT workers are sort of like adjacent to those big, big, big hacks. They operate like slightly differently, but they have overlaps, sort of like in the final stages of the money laundering. And I don't know exactly when it, like, we sort of always knew that there were these
Starting point is 00:05:06 these dudes like working for these protocols, but it was in the last, I think, year or two where it's really, it's really become, I guess, obvious how prevalent it is. And specifically, we found a couple wallets where basically all the funds go from, I guess, like the individual employee's payroll address. They get sort of like consolidated every couple weeks to an address. And then they like are laundered via these networks. And so you have, like, it's sort of like a big funnel to a single point. And historically we always just sort of like, you know, you'd get one report from one company and it would sort of be just like one little node on this big funnel graph. And then at some point we realized that, like, this is all IT workers.
Starting point is 00:05:55 And so working with ZachXBT, Nick from Unciphered, Josh from Crypto Forensics. And can you say their last names? Nick Bax from Unciphered. Josh, I don't think he has a last name. And Zach, ZachXBT. Well, the investigators are, I don't know, they're not, there's only a few that go and talk about this stuff publicly. There's actually like a long tail of people at companies that, you know, are sort of responsible for hiring, or the, you know, the folks that are like Indeed or Crypto Jobs List or stuff
Starting point is 00:06:34 like that, you know, they have like this firsthand knowledge of it. So anyways, yeah, in the last couple of years, really about like the last year, we just noticed that, you know, they were everywhere. And there was like a lot of money. And so in August, we discovered like a new consolidation address, and we had, I guess, more confirmation than we usually did that these were like going to be all IT workers funneling the money into this one address. And then Zach actually was the one who just went to town, as he does. And I think he reached out to maybe like 20 or 30 different companies in August and spoke to them and got confirmation in terms of like.
Starting point is 00:07:19 Like this was a payroll address. He got their IDs. He got their GitHub profiles, their Discord handles. He got screenshots. And it was like, it was just like a wild experience. And hearing the same story again and again and again was, I think, quite eye-opening. And what is that story that you're hearing again and again? I mean, really it's completely unwitting.
Starting point is 00:07:44 Like they have no idea that these are like North Koreans. Some companies, there's sort of like two reactions. One is if the person's been there for a bit and like is maybe underperforming, or the company has already noticed some odd things, maybe like their location has changed or like, yeah, just little weird things that they picked up on. When we approach them and tell them like, hey, we think that this is, you know, a North Korean IT worker, sometimes they're like, oh yeah, okay, um, yeah, that makes sense. And we're like, what? But it's like that final thing clicks into place and it explains all this past behavior that they've been observing quietly. The other one is that they're just like, yeah, it's just out of left field, and they just have no idea what that is or how. And we usually will sit down and go through all of the people that they've hired in like a similar manner, or other
Starting point is 00:08:51 employees that the first employee referred, because it's quite common that a single company will have two or three or four or even five people on payroll by the time we talk to them. My gosh. So one thing I was curious about, you know, both of you keep describing these people as IT workers. And that's actually not a phrase that people use commonly in the crypto industry. So, like, how is that different from a blockchain coder or a dev? Like, what are they, what tasks are they doing? Or, yeah, it's just, it's literally something that I associate with, you know, when I work at a full-time place and it's the person who brings me my laptop and, like, fixes the, you know, whatever. But I don't know what that means when it comes to a crypto project.
Starting point is 00:09:36 I think we've kind of adopted the language that U.S. authorities and the U.N. have sort of used to describe this phenomenon of IT workers, quote unquote, coming to not only the crypto industry, but industries more broadly and embedding themselves with companies. I think outside of the crypto industry, from what I understand, frequently it is IT workers, because there's two sides of this. One of the sides is just collecting wages, and higher wages than one would earn in North Korea, and then funneling those wages, like I mentioned before, back to the North Korean government. So that means just doing your job; often an IT job is a good remote job that one can get to do this.
Starting point is 00:10:14 But the other reason why it's quote-unquote IT workers is because of the hacking side. Frequently what you'll see happening is companies, particularly in crypto, which is what my report was about, and Taylor has done a lot of research on, a lot of these companies ultimately get exploited. Chainalysis, an investigations firm in the space, who I know have been on this podcast, they've found that since 2024 started, North Korea, which is behind all the largest crypto hacks, basically, I'm generalizing here, about how many of those big North Korean attacks were perpetrated or at least aided by North Korean,
Starting point is 00:10:52 quote unquote, IT workers. But the work that they're doing, at least in the crypto industry, is very generally developer work. You know, the same sorts of developers that you see, not from North Korea, you know, those are the workers from North Korea. So they're like what in the crypto industry we would call devs or blockchain coders, like their actual crypto. Oh, interesting. Okay, I didn't, that was something I, just from the reading of it, I was like, oh, wait, maybe they're doing like other functions, or, okay, wow. Sometimes they will. Sometimes they will. But frequently it's just devs. Well, that's even scarier. Yeah. So I think the reason that we call them IT workers is, yeah, as Sam said, it's the nomenclature that, you know, someone started somewhere, probably in government. But it does distinguish between.
Starting point is 00:11:44 Like there's a few different sort of like threat actor groups in North Korea that are targeting crypto companies. And so for example, like the really big Ronin, Harmony ones, we call those the TraderTraitor ones. Because originally they would always use these malicious trading apps. Yeah. And that's TraderTraitor. Yeah. Yeah. It's clever.
Starting point is 00:12:08 But keep going. And so like that's like sort of like this one cluster of activity. And it's like the on-chain activity and also like the malware that they use and their ammo and their tooling and their infrastructure and all of that. And then the IT workers are just like another cluster of activity that, they didn't come up with a cool name like TraderTraitor. It's the IT workers. And the sort of like the big hackers and the money launderers, I think one important distinction is like those guys are actually in North Korea and they operate more like, like, like an army, like a regimented army, and they're sitting there in North Korea doing whatever the hierarchy establishes, right? And we see them like start the activity at certain times,
Starting point is 00:12:55 and they follow certain patterns and all of that. On the IT worker side, it's much more, like, the indicators that we see, like IP addresses and user agents and stuff, they're sort of like more all over the map, and they don't necessarily like look the same as the big. hackers. And a lot of them we've found are actually maybe not always in North Korea. Sometimes they're in China and sometimes they're in Russia in these like more call center type areas and they're operating like slightly more independently or in like maybe like smaller clusters than like the primary hacker army guys that are that are back home. Okay. Yeah, but just to be clear for the audience and correct me if I'm wrong, all of this is.
Starting point is 00:13:43 coordinated by the North Korean regime or the dictatorship, because, yeah, like there's only, like when you talk about the North Koreans, it's literally just the one entity, because if any individual in North Korea were to go off on their own and do their own thing, they would probably be sent to a gulag or killed. So, you know, the regime, if you live there, most people not by choice, you know, if you're born into that regime, then essentially you have to follow what the government does. If you have any independent action or thought, even, it is very bad for you and your family and even your descendants. Yeah. Oh, if I can interject there, part of the way that this extends, this influence that you
Starting point is 00:14:21 have from the government extends to this IT worker, as we call it, space, is that at least according to the UN, only 10 to 30 percent of the wages that these IT workers earn, or developers or whatever you want to call them, go to those actual workers. A majority, the rest of the funds, and you can see this happening on chain, go back to the North Korean, presumably the regime itself. The U.S. says it's for weapons development, so does the U.N. So this is kind of like a form of, you know, slave labor or indentured servitude. On one hand, you do have wages, even at those 10 to 30 percent rates, that are probably higher than one would earn from a conventional North Korean job and might afford one a good standard of living. But on the other hand, you know, these wages, I actually have
Starting point is 00:15:06 a quote from Taylor, I think, in my article about how if you're paying most of your wages back to another person, you know, just on a moral level as an employer, that probably shouldn't feel good if those are the folks that you're hiring. It really does resemble some of those old systems that we've seen. Yeah, yeah, I think, honestly, so I'm on one side of my family. I'm of North Korean descent, so I've actually, well, interestingly, I was never interested in it through my family. It's like a friend of mine when I was really quite old, like maybe in my 30s or something, he's just like an American person and he gave me this book about North Korea. And then after that, I became very obsessed. And then, you know, when I understood the family connection, I became even more obsessed.
Starting point is 00:15:49 But the point is that I am even amazed, like, given my background knowledge of North Korea, that the government is allowing them to retain any portion for themselves because, you know, it's not like, you know, as you point out, just in North Korea, like, you know, not. very many people live well. And since some of them do apparently live abroad, that does give them kind of way more freedom than I realize the government was willing to give its own people. But anyway, so, you know, just because, like, when I was doing the research,
Starting point is 00:16:20 I just realized that there's so many stories here that are so interesting. I would love for each of you to tell one particular story involving North Koreans infiltrating the industry that you think is, like, particularly wild or interesting for people to hear. just because there were just so many. I just felt like my eyeballs were practically falling out of my head, reading some of this material. So, you know, each of you just wants to tell a story, like, end to end with, like, the crazy details of, like, the conversations and stuff. I think people would really understand how this works and be fascinated.
Starting point is 00:16:53 I can start. Yeah, you start. So you have many more, so I'm sure your head is kind of cycling through them all. It's sort of why, honestly. But let's go with this one. So my story starts with an anecdote around this company called Truflation that was kind enough to speak to me. Their founder, Stefan Rust. And in general, I should say, I'm not picking on these companies.
Starting point is 00:17:16 It's technically illegal to hire workers from North Korea, whether you know it or not. But companies, at least in the United States, haven't been prosecuted, and a lot of other UN countries that, you know, effect those sanctions, haven't prosecuted people, so on and so forth. It was very brave for these companies to speak to me. Anyway, let's talk about Stefan Rust from Truflation. The way that he describes it, he hired an employee from what he thought was Japan named Ryuhei. Ryuhei was a pretty good developer, but things started, you know, becoming kind of weird with this employee. There's certain things that he noticed. One thing that he noticed was he just started, he being Ryuhei, this Japanese employee, started missing calls at one point.
Starting point is 00:17:53 He gave the excuse eventually that there was an earthquake one day. But Stefan has another employee who is definitely in Tokyo, and there was no earthquake in Tokyo or Japan. So that was definitely kind of weird, but a theme to all these stories that you hear, people aren't thinking North Korea, North Korea, or anything like this. So it's just, you know, maybe this is a weird person or a weird anecdote that they'd give. Anyway, just you don't think of North Korea. But then things get odder. And the oddest thing is that this Japanese employee ultimately drops his accent just from one day to the next. So this suggests this is probably a different person than the Japanese employee that Stefan
Starting point is 00:18:39 thought he was speaking to. So eventually Stefan and Truflation go to one of their investors, a company that's done a lot of research in the space. And this investor finds that Ryuhei is in fact a North Korean agent. But not only is Ryuhei an agent, but four other employees of Truflation, which is like a 12 or 15 person, it was kind of vague, I think it was 12 was the number I was given, 12 person company, Truflation, or project, four of them, five total when you count Ryuhei, were North Korean IT workers, developers. A really interesting part of the Truflation story to me is not only just the scale of this, the fact that all of these workers that Stefan had hired within around a two-month period, he said, ended up being North Korean.
Starting point is 00:19:29 But another anecdote he gave me, aside from the Ryuhei one, is that one of his employees said that, I believe it was Vancouver, said he was from Vancouver. And the way that Stefan, like, you could tell that he really liked this guy, even as Stefan was talking to me after he knew that this person was North Korean. Like, he was a really good developer. He seemed like he was right out of college. There's some quotes in the piece.
Starting point is 00:19:50 If people want to, you know, check that out, where I explain this a little bit more at length. But apparently this was a really good developer, which is a story that you hear all the time. Some of the developers were good, some weren't. This one was really great, eventually left and recruited somebody else. And one of the five was somebody who had replaced this Vancouver employee. The new employee was not quite as good. But, you know, that's another thing that sticks out to me is, you know, he said that he was like, you know, a little green behind the ears. Like, this was a good developer. He was contributing actively. He was talking to him every week. Every day, it sounds like, at some points. But I could
Starting point is 00:20:24 go on and on. That's one of the most interesting anecdotes I came across. Yeah, that's a, yeah, it's not uncommon, because when they get fired, they just go in a little circle with a new username and they're like, oh, and they know that you need help, right? They know that you just offboarded someone and therefore are like, you know, willing to hire another person. Not to interrupt.
Starting point is 00:20:49 I just realized I left out the most interesting part of the Truflation story. Oh, yeah, the hack. Oh, yeah. I don't want to laugh, because it's like, you know, I forgot. So that's funny. But it's very unfortunate. So I get on the phone with Stefan as I am fact-checking for this story. As Laura knows, to put out a story like this, you've got to really rigorously check everything.
Starting point is 00:21:12 And so I get on the phone with Stefan. He's actually 15 minutes late, which was, you know, uncharacteristic from the other times I'd talked to him. And he just seems flustered. And pretty immediately off the bat, he tells me I was just hacked, I being him. He was just hacked. And literally, while we're on this call, you're seeing money flow out of his blockchain wallet, stuff that he wasn't able to get before the hackers could because it was like staked in different
Starting point is 00:21:35 protocols. And it's a million dollars flowed out of his wallet, like, you know, within the span of us talking to one another and the hour or two before. Ultimately $5 million, you know, got drained from Truflation. And this was two weeks after another company that actually Taylor and ZachXBT's research unveiled some employees had worked at, Delta Prime, which is a crypto borrowing app, they had also lost $7 million.
Starting point is 00:22:02 In either the crypto borrowing app's case, Delta Prime's, or Truflation's, is it clear what happened here? But, you know, it's a coincidence. And yeah, I guess we can leave it at that. Yeah, and yeah, when you say that, you're saying the investigation hasn't been completed, so we're not sure that North Korea hacked these companies. But, yeah, it does look like one of the
Starting point is 00:22:24 common threads, you know, in these stories is that you hire these employees and then sometime later you get hacked. And, you know, it's they, because it's this like social engineering type hack, they'll like gain your trust. They'll, you know, compromise your system, but they won't act right away. They're like gathering information, just biding their time, whatever, just trying to create more of a disconnect between when they hacked you and, and, sorry, when they compromised you and then when they actually steal the funds. Yeah. Yeah, exactly.
Starting point is 00:22:58 Before Taylor tells her story, I also wanted to just say one thing when Sam was talking about how brave it was for the companies to come forward and tell their story. I noticed that when the FBI released their little PSA about North Koreans' infiltrating companies, they actually talked about the companies more as victims. So, yeah, even though technically it's a violation of OFAC. that was just the language that they were using. So I think you're right that they're not probably going to go after these companies. I think they recognize them as victims.
Starting point is 00:23:31 Yeah. And I mean, part of the reason why they were motivated to come forward and the way that, you know, our discussions went, maybe this is like some inside baseball stuff. But for them, you know, it's still dangerous. You know, when something's illegal, something's illegal, even if you're not going after, you know, somebody, or even if the government's not going after these companies for this sort of behavior, there's not much incentive, you know, for you to unveil, hey, your investors don't want to see that you hired North Korean IT workers, wittingly or not.
Starting point is 00:23:58 But my goal with this article was to kind of shed some light on the fact that this is so ubiquitous, not only in terms of more than 50 percent, according to some measures, of applications coming in being North Korean. It's ubiquitous in terms of the firms that are actually inadvertently hiring these workers. And I didn't want to publish this story until I had a critical mass of, you know, by no means the exhaustive list. Taylor has many more examples, I'm sure, just running around in her brain. But I didn't publish this until I had enough to kind of show that story because it wouldn't have been fair to just name one or two companies. Yeah. Yeah. And, you know, kudos to you for also getting some of the bigger name protocols to participate as well, because it shows that it doesn't
Starting point is 00:24:41 necessarily reflect anything about your reputation. Like you can still be a quality crypto project. but it's like, you know, just the social engineering tactics, whether you're in crypto or any other space, can be, yeah, they're they basically prey on people's trust. So, you know, because we have an open society. We have that kind of trust. But yeah, they're obviously a bad actor. Anyway, Taylor, what about what story? What do you want to share? Yeah, I mean, I have so many stories. I think that one of the most interesting things is not like a, I guess, a specific tale, but it's, you know, one way that we sort of like collectively track these is, you know, those people that are sort of, you know, in the space doing hiring, doing recruiting constantly. We have like a little group chat or we all chat about, you know, and verify and
Starting point is 00:25:33 and check, and you can sort of like trace their through lines, because their social profiles, their personas, their resumes, like, evolve over time. But you can like track through. Like if their LinkedIn gets shut down, they put a new LinkedIn on, but their GitHub will be the same, et cetera. And then we also, you know, sort of go and like, we'll interview them. We'll talk to them. We'll try to understand if there's like any big red flags that we can educate around. And I think one of the most interesting things is that over the last year, they've rapidly evolved. So it used to be that they would just like not go on camera.
Starting point is 00:26:16 And that was like a big red flag. And so we told all the companies like, yeah, so make sure you, you know, have your interviewees cam up. And that was like good advice for like maybe a month. And then they stopped getting jobs. And so then all of a sudden they started camming up. And that was like sort of a shocker for me, because they'd always been this like very much like removed entity and these like, you know, just these like voices, or mostly like text
Starting point is 00:26:46 based communication. And so they started camming up and you can notice the pattern, but there's also like, it's just super weird. So they're usually in literally like in call centers. You can hear like background noise like they're in call centers. But then they'll always have these quaint, fake like Zoom backgrounds on their camera. So they'll have like the Golden Gate Bridge behind them, or like these little like snowy cafes, or the fake room. I don't know if you've ever seen, I mean, like, it's like a pack of Zoom backgrounds or whatever, but it's like a fake bedroom behind you or a fake office behind you. And it's just like, it's just bizarre.
Starting point is 00:27:25 And then the other thing is that if you ask them questions that they're not prepared for, that they're not trained for, right? Like they have tactics and, you know, some of them are smarter and more experienced than others, so they can actually like answer technical questions. Others are like quickly Googling or using AI. But if you ask them like normal human questions, like, they don't practice those. So if you ask them what the weather is, if you ask them like where they grew up, like, oh, what street? Our favorite one, we asked them, he said that he was in Amsterdam, right? He said that he'd grown up in Amsterdam. And then we asked him to like say, like, hi, my name's so-and-so, like, I'm a blockchain developer or whatever. And he was like, oh, oh, oh, you speak Dutch. And then the person interviewing was like, yeah, of course.
Starting point is 00:28:18 Like, and you're an answer to him. Like, let's go. He just literally dropped off the call, just like left instantly. And it was the wildest, like, it was the most, I don't know how to describe it. It's just like so completely unexpected. And I think it's like,
Starting point is 00:28:37 it's like a numbers game for them, I guess. But then he came back in email, like maybe an hour or two later, and was like, why did you ask me these questions? And was like very upset at us and then got back on the phone call. But this time refused to cam on and was clearly a different person. And was like now prepared to speak Dutch or whatever. It was just like the whole thing.
Starting point is 00:29:01 I was like, you guys were so like dedicated, but in a very uncomfortable way. The whole thing just makes me, I don't know. It's scary, in a bad way. That is such a crazy story. I find it hilarious that he was like, why did you ask me such a question? But just out of curiosity,
Starting point is 00:29:22 so when they came back, was that, that wasn't on video then? That was just like audio? Yeah, it was just audio. He wouldn't cam up. He was like very kind of like almost aggressive or at least like antagonistic about the questions.
Starting point is 00:29:40 It was very odd. And when you're saying "our," are you talking about at MetaMask, or where are you talking about? So it's not, it's not via MetaMask. We are not randomly like interviewing IT workers for fun. It's like a side group of sort of investigators and people who are tracking these threat actors. And then that intel, obviously, we all share it to help the companies that we work for.
Starting point is 00:30:07 But also we try to like, you know, inform and educate people around the industry, because it really is like the more you know, the better off you're going to be. And it's been so long that we just didn't, nobody knew. So, you know, the more that we can do to really shine a light on, you know, their tactics and what they're doing and all these things, the better it is. Okay. And is that the SEAL team group or is that a different group? Yeah. So some of them are in SEAL, are part of SEAL. It's really just a ragtag group chat. Oh, okay. Okay. I should add, like, as a journalist, I haven't written this article. Laura, maybe you guys can write this article at Unchained. But one of the things that, you know, it is interesting to me,
Starting point is 00:30:56 is that there is this group, very informal, of researchers like Taylor, like ZachXBT, like some of those other folks that you mentioned earlier, Taylor. Some companies also are involved that kind of in this informal manner are assembling behind the scenes whatever they can to sort of, you know, map out these webs as a sort of collective effort. And this is all just like happening on the side of law enforcement, on the side of, you know, any of the big efforts from some of these security firms. And it's, it's interesting. It's, yeah, I'd like to learn more about it. Taylor's the expert on it. I think it's just, it's a, I think because there's so few people that are really diving into not only like what they're doing and their MO and stuff, but then also the on-chain
Starting point is 00:31:46 crypto side as well, that we all sort of just find each other and like become friends because it's such a weird niche, like, the old sort of research that when you find other people that kind of speak your language and understand what's going on and you can like share intel and the other person like gets it. Yeah, you become friends pretty quickly. I know. It's almost like it's like a mini governmental or law enforcement group just that the crypto industry, you know, created. All right. So in a moment, we're going to talk more about the characteristics of this infiltration. But first, a quick word from the sponsors who make the show possible. Polkadot is the original and largest layer zero blockchain with over 2000 plus developers.
Starting point is 00:32:31 And the anticipated Polkadot 2.0 upgrade will be a massive accelerator for the ecosystem, upgrading the infrastructure with eight times higher transaction throughput and twice as fast block times, perfectly tailored core time for the needs of every protocol, trustless bridges internally and into Ethereum, Cosmos, NEAR, Binance Smart Chain, and revised tokenomics and the implementation of a token burn to reduce inflation. Perfect for GameFi and DeFi to build, grow, and scale with one of the most active crypto communities in this space. Polkadot recently announced a partnership with Mythical Games, bringing top games like NFL Rivals with over 650,000 players and 43 million transactions
Starting point is 00:33:11 to pave the way for GameFi and the Polkadot ecosystem. Get your Web3 ideas to market fast with economics that work for you. Think big, build bigger with Polkadot. Join the community at polkadot.network/ecosystem/community. Mantle LSP is a permissionless and non-custodial ether liquid staking protocol deployed on Ethereum and governed by Mantle. mETH serves as the value-accumulating receipt token of Mantle LSP and is now the fourth-largest ETH LST with $1.3 billion in TVL.
Starting point is 00:33:43 In addition to native ETH PoS staking yields, mETH holders can access various yield opportunities across dApps on Mantle Network, L2 integrations and more. mETH holders have previously received over $1 million in EIGEN token airdrops. With the upcoming October 24 launch of COOK, the new governance token of Mantle LSP, mETH holders can start accruing Powder rewards under Season One, Methamorphosis, which will be convertible to COOK. Visit meth.mantle.xyz/campaigns to learn more. Back to my conversation with Sam and Taylor.
Starting point is 00:34:16 So why don't we just walk through, like, how it is that they're even getting hired, like, what are kind of the broad strokes? Like, you know, you've talked about some of these trends or weirdnesses in the interviews, but I'm asking for a combination of what it is that are the trends, like, in the hiring process and kind of what are the red flags people might watch out for and just what are the hiring practices that might lead people to accidentally hire a North Korean because the reason I add that last bit is I did read one accounting by a project where they talked about accidentally hiring North Korean and they said actually that U.S. hiring laws against discrimination
Starting point is 00:35:00 probably hindered their ability to ferret out the fact that this person was a North Korean because there were some personal teasers that were dropped where the person didn't feel comfortable asking for more information. But anyway, so yeah, just talk about that process. What are the trends in that hiring process? Yeah. So I think that like one, especially in the crypto industry, I think that one of like the key factors is they are like they're really looking for sort of like crypto native or people that are, yeah, they're not, they're not necessarily like these like formal recruiting things or like traditional employees. Like they really want people that are going to be part of their team or like crypto natives who are on the same social platforms or the same
Starting point is 00:35:49 communication styles. And so a lot of teams do report that they were approached by what presumably was like a younger, eager dev in their Discord. And so like someone just like DMed the CEO or the CTO. And then like they talk to them and it sort of like evolves from there because you have like this eager guy. Sometimes they'll like contribute or ask questions about the GitHub repo of the project itself. Some of them report that it like ramped up. So they had like, you know, they gave them like a smaller task or they needed help with something, and then over time it turned into like more like real employment, so to speak, where they were paying them on a regular basis and a fixed rate per month or two weeks or whatever. Others are, I mean, some of them just don't have any process at all,
Starting point is 00:36:43 so it's not that like they kind of snuck in and evaded the process by contributing and being in the Discord, but the teams and the projects are just so young and just such early startups that they really have no processes. And so if someone offers to work for them or they put like a job listing out for a front-end dev or something like that, they just, yeah, they like don't do interviews a lot of times. They'll just do text-based communication. Oh, wait, meaning they're only like chatting and like giving them tasks. And if they complete them, then there's not even like an interview. Yeah, exactly. Sam can probably comment on this more, but I think it's like, it's, it's tough to talk about
Starting point is 00:37:28 because you don't want people to think that it's like only these like stupid or young projects that are susceptible. Like they're all, everyone is susceptible to this because they're very persistent in how they sort of like engage and get your attention. However, if you don't have any processes and you're just hiring people or paying them to do work, even though you've never had like a face-to-face ever, like, it's, yeah, you're not going to detect them. And they're going to have a higher than likely success of getting into your company. I was just going to say, like, on that, on those notes that you mentioned, there's two things that I think make the crypto industry uniquely vulnerable to these North Korean infiltration schemes, whatever you want to call it.
Starting point is 00:38:14 One thing is just the fact that there's so much money protected by private keys, which just on a hacking, you know, attack vector space just makes this industry really appealing. I'm mentioning this because it's not only crypto that is suffering from this, but crypto is uniquely vulnerable. So that's one side. The other side is these hiring practices. So if people are listening to this podcast and they are not, you know, intimately familiar with the crypto industry like the three of us are, it might sound weird that somebody would just hire somebody, give them tasks, even a contractor. And then, you know, never see them, never talk to them, ever do really rigorous background checks. But the thing to really recognize here is that some of
Starting point is 00:38:54 the vulnerability for crypto, you know, unfortunately does come down to, I think, the hiring and just contributor culture that we have in this industry. So two things, anonymity. People are just comfortable hiring anonymous, pseudonymous developers. That's not a thing everywhere in other industries. And the other thing is just the lack of formality in particular in startups and quote-unquote projects or decentralized autonomous organizations. We won't get into all that, but DAOs, a lot of the examples that I found were these DAOs, where they're like companies that are controlled. Most people listening to this podcast might know, but I'll just explain. They're like controlled by tokens. If you have a token, you can vote on the direction of this thing.
Starting point is 00:39:36 And it's like a, it's an open source community-led process. Those folks, Sushi, for example, were super, you know, I think vulnerable to these sorts of things because they don't do the sorts of background checks. One thing, and if there's one last thing I'll end on here, one thing that I heard in most of the examples without naming names that I spoke to for my article, is that they didn't actually go about, they being the hirers, didn't actually go about conducting professional background checks. It wasn't just that they were comfortable hiring anons, anonymous developers. They would get, and we have some of these in my story, passports, ID cards from Texas, Japan, Singapore, so on and so forth that look real. But a lot of those ID cards would not actually, you know,
Starting point is 00:40:24 pass through a real ID verification service. So if there's one thing people are hearing, you know, whether or not you're a DAO or anything, use these real professional background checking services. Oh, interesting. Yeah. I guess because it is like this open source culture, right? Whereas most companies that are non-crypto companies are closed source. So that does leave them vulnerable. And then we kind of talked about some of the red flags in the hiring process, like the thing about not using webcam at first
Starting point is 00:40:57 or switching people, switching accents, like not being able to answer kind of a small tech type question. But are there any others that we didn't touch upon? I think like the biggest thing, if I have like one piece of advice for people who are like hiring or working with people, is like on top of the background checks, run the IDs. Like it's so easy. But also like just be a human and ask your employees for information about them and have conversations like out of genuine curiosity. If you do so, very quickly there will be massive gaping holes in their story.
Starting point is 00:41:37 Like the earthquake example, there's other examples where we're like, oh, like what time is it? Like, is it night there? And they'll be like, yeah, yeah, it's night. And then, you know, it's like noon in Amsterdam or wherever they said that they're from. Yeah, there's like, you know, because they have so many like sort of versions of their resumes, they don't always, they don't always map one to one with what they're saying at any given moment. They don't necessarily know which resume they sent you. And so you ask them where they're from, where they went to college, the weather, the time of day, you know, how they got into crypto, like all of these things, there are questions that they're not prepared for and they'll often
Starting point is 00:42:15 slip up. But also it's like, you know, for me at least, like if you, even if you're Adele, right, even if you're like the super crypto, you don't want to do KYC. You don't want IDs, whatever. You should still want to know who you're working with or who is working for you, right? You want to know about, you want to be on the same team. You want to be working towards the same goals, have conversations, and then, you know, don't just like let their weird wrong answers get away, right? Like if there's not an earthquake, they say if there's an earthquake, there's not an earthquake, don't just write it off as like a weird crypto thing. Like that's a red flag that they're lying to you about something.
Starting point is 00:42:57 And, you know, enough of those red flags and you should, yeah, even if they're not North Korean, they probably shouldn't be contributing to your company or your project. It's just not going to end well. I did see a couple of, you know, I think like to us, they're snarky, but they actually work comments about how to ferret them out during the hiring process, which is somebody tweeted something like, and this was actually an older tweet. This was Adam Cochran. He tweeted, just do what Mike Demerese does and make them draw a mustache on a picture of Kim Jong-un as part of the hiring process. And I feel like I saw another tweet where, somebody asked the person to, like, say something negative about Kim Jong-un and the person, like, literally just left the interview. So, I mean, it's, like, it's funny to us just because we can say whatever the hell we want to our president and, you know, criticize them, whatever. But yeah,
Starting point is 00:43:55 North Korea, like, that can get you, you know, severe, severe penalty. Okay. So then one other piece is, obviously, at a certain point, then the money can get traced in terms of it being sent over to the North Korean government. So how does that part of it work? Like, I'm assuming, well, or maybe they're literally taking the earnings and sending it immediately, but the projects aren't noticing. Like, is there a delay or, like, how did it eventually get found out? Is it, like, when ZachXBT found that out, was it like they waited a long time to send the money or? What's happening there? Yeah.
Starting point is 00:44:36 So there were sanctions a couple years ago for some of the laundering networks around, yeah, around a few different guys and OTC desks and folks in China that the North Korean regime uses for converting like the crypto into whatever, you know, real world asset that they want at that moment in time. I think it's important to keep in mind that North Korea doesn't necessarily want like fiat in North Korea, they want money available to purchase things or do whatever. And it doesn't necessarily have to be like money in North Korea. It can be sort of around the globe wherever they're purchasing whenever they're trying to purchase. And so these laundering networks, they do have to
Starting point is 00:45:22 get out of crypto because at least today you cannot literally buy a nuke with crypto. Thank goodness. And so due to that, you know, the money gets laundered. It gets sort of moved around all the different blockchains and they try to, you know, they try to obfuscate where it's coming from and where it's going to. And then eventually it gets sort of consolidated in these, you know, like three or four specific guys. The way that we found the more recent on-chain activity was we had reports. We sort of verified reports of employees. This actually dates back to like the Munchables case.
Starting point is 00:46:01 So we had like sort of these little pockets of activity that we knew like from recent on-chain, right, where we knew the project was paying like this IT worker at this address and then we could trace it from there. And eventually you have enough of those pieces and there it is. Like you can just see it all sort of flow together. And so it's like, I think Sam might have a better idea, but today it's, I think it's like a two-week sort of period, actually. It's like they all sort of like send their paychecks to this one address. It sort of like builds up over a couple weeks. And then it starts the next stage of the laundering process.
Starting point is 00:46:40 This is one of the things that I noticed as I was doing my investigation that was really striking to me, is Taylor does a lot of this. ZachXBT does a lot of this. And I was able to do a lot of this just as a journalist. The way that you can identify what is going on here is literally just by looking at blockchain data that one might think is impenetrable to the average person, just using a free tool like Arkham, for example, which is what I use. But it is super easy to see, for example, money moving from, you know, Iqlusion, which is a Cosmos organization that was kind enough to speak to me for my piece and gave me some addresses. You can see money moving from them to an address on the
Starting point is 00:47:16 blockchain. And this is in my article that was sending all of its money. So this was, you know, ostensibly a developer that Iqlusion had paid. This developer was sending millions of dollars, literally millions of dollars worth of mostly stablecoins to a single address. That single address ends up being, you know, an address that is literally published for the world to see now, not at the time that they were originally paid, by OFAC. So the Office of Foreign Assets Control in the U.S., or the U.S. Treasury. So I can see money moving into an address that the U.S. authorities think is North Korean. That's how you can track this stuff. But it is very easy to start from there and then kind of zoom out and see funds going to all the, I mean,
Starting point is 00:47:59 if you really want to, you know, become like Taylor, like it's, it's difficult to, you know, get all these labels built up, but you can see money moving to projects, you know, so, I mean, just dozens and dozens of different blockchain projects, most of which, almost all of which we don't name here. But you're, so you said money moving out, but you meant it's actually money moving from those projects to those addresses. Money moving from those projects to those addresses. I'm sorry. Yeah. So it goes from the project. A lot of times it's like a Gnosis Safe or a treasury. And sometimes, especially the, if you go back in time, it's a lot easier because everything's labeled. So you have like the sanctioned addresses on one end that are like big and red because OFAC has said like this is, this is North Korea right here. And then on the other end, you have, yeah, a Gnosis Safe or treasury or something. And those are also, because they're historic, like, especially the bigger ones, they're often labeled as well.
Starting point is 00:48:59 So like, you know, the reason that Sam's piece called it like Yearn, and then the Yearn guys came out and was like, it's actually this other thing, was on chain. It literally says Yearn Treasury. That's where the money's coming from. So it goes from the Yearn treasury to this developer like every couple weeks or so, like a few thousand dollars. And then from that address, it goes to this like collection point where you can see other, you know, $2,000, $3,000, $4,000, $5,000, $6,000 coming in from all these other places. And so then when you look at all those, like, oh, where does the rest of the money come from? It turns out that like, you know, even if they're not labeled, it's like, wow, there's a lot of Gnosis Safes here. Wow, there's a lot of Gnosis Safes that, you know, the only activity is on the first and the 15th of every month and is between like $2,000 and $6,000. And you do it over time enough. And you, yeah, Sam sent me an address.
Starting point is 00:49:54 He's like, what do you think this is? I'm like, I have no idea, but like, I'm on my phone. And I'm going to tell you that that's definitely someone receiving payroll. Right. Because it was like $4,000 flat every two weeks, like clockwork for like seven months. I was like, that's zero. I'm sure we could both talk for like three hours about it does become fun. Like just tracking this stuff.
Starting point is 00:50:16 I see why Taylor does what she does. because now I'm like, you know, on the periphery of this community and can be fluent about it. We could have a whole other podcast. I doubt maybe you'd, you know, go crazy, Laura. But like, it does become really interesting how, frankly, to me, easy it is to de-anonymize a lot of these blockchain, you know, entities. People assume that we're at a point where people are sanitary about how they separate their funds and, you know, filter things. But it is so easy for investigators, not just within the industry, but one imagines beyond the industry, the FBI, we have them quoted in our piece, to see individual people and companies
Starting point is 00:50:55 sending money to these agents, which is something just broadly, I think, to keep in mind for people in crypto. It's very transparent. Yeah. And this reminds me of how earlier when Taylor said, you know, you can't buy a nuke with crypto. And we all kind of laughed. But obviously, it would be a day once that happens. But the thing is that, especially if people end up using things like USDT or whatever, then, you know, those companies can freeze those. So that leads me to my next question. Is most of this in USDT or like what, like especially on Tron or no, I guess payroll wouldn't be. Yeah. So what assets are they using? And are they like being paid tokens or is it all stablecoins or what? Yeah. So it's, so I mostly look at Ethereum. I presume that there's like a whole bunch of
Starting point is 00:51:43 other chains that this is happening on. But it's a mix between stables and like the base assets. So, ETH, or if it's like a Solana project, they usually pay in SOL. And then once the funds sort of like get sent on and consolidated, they, I think today they usually swap out of USDT and USDC in favor of DAI or ETH. However, historically, they would just sit in the stablecoins, the centralized stablecoins. And the FBI was in those sanctions, as part of those sanctions over the whole course of, I think, March 2023, they were able to freeze like millions and millions of dollars that were just sitting in these different, like waiting for the next laundering phase, I guess. They were just sitting in USDT. And so Tether was like, bye. And so, you know, it is, it is possible to freeze, especially with the stablecoins. When it happens a few times, they tend to learn that, you know, not to sit in the stablecoins anymore. But you know. Okay. Yeah. So they're already catching on. Yeah, I did see, I can't remember where I saw this, but I also saw that, at least for some portion of this, the estimate was that between $300,000 to $500,000 worth of crypto was being sent to the North Korean government
Starting point is 00:52:58 every month from these workers. So I don't remember, Sam, if that was from your article. But. So there, yeah, I don't think that was from my article. That might have been ZachXBT or some, or actually, there was a DefiLlama report that I saw recently that had some different numbers. But I saw a UN report, just overall, they say $250 to $600 million annually go to the North Korean regime. But that's including all sources from these IT workers. So other industries as well. Yeah. I would say the 500k number a month for the crypto ones is accurate.
Starting point is 00:53:36 So they're basically making, yeah, at least 500K a month in crypto. So from crypto companies who are paying them in crypto, they do have other IT work that is not for crypto companies. They're hitting up like a lot of the AI companies. Oh. Okay. And that's like a whole other like network that they use. Yeah.
Starting point is 00:54:00 It's not actually just a crypto problem. It is a much bigger problem. Okay, so then earlier we talked about how a lot of these protocols were later hacked. So what were the mechanisms that they were using to perpetrate those? So I gave an example in my piece about Sushi, which is a decentralized exchange, you know, a much broader suite of products that's been around for a while, which at its peak lost around $3 million in a hack that was not until now attributed to North Korea. And I think that that one kind of is very emblematic of the broader trend that Taylor can speak to better than me of how these things work in terms of quote unquote social engineering, where North Korean hacks, as Taylor has explained to me, and I've quoted, and I'll let her explain again, like they are not usually hacks, hacks like you think of when you watch Mr. Robot. I explain like in the article, like green computer terminals and stuff like that. The Sushi hack, which I'll explain, shows
Starting point is 00:55:02 how they're mostly social engineering, where you gain the trust of an individual, offering them a job, like a dream job, and then sending them a malicious link, sending them an email, joining their company, and then sending them an email that is laced with malware. That's usually how this stuff happens. It's not just like, you know, hacking the mainframe or whatever. But at Sushi, this is an example of it. You had two employees. Maybe it was one employee. Maybe it was one organization that were working for this MISO product. Eventually, one of those employees, you know, both of those employees stopped getting paid because they're not doing work by the Sushi DAO, so they're kind of let go. And then one of those employees really
Starting point is 00:55:42 wants their money and they're like, screw it, you know, I'm going to hack the protocol. So what they did was they, you know, because Sushi had forgotten as a DAO to revoke access from the core protocol, the core MISO protocol, from this employee who they had already let go, this individual just uploaded code that they said was like quote unquote code cleanup or something. You can see them doing it on GitHub. They uploaded code that essentially rerouted certain funds from a treasury address to their own address. And using blockchain data, I was able to find that these individuals were linked to certain addresses that were linked to the North Korean government, to a sanctioned address. It's very easy to kind of draw that line. And there's some other evidence that Taylor knows about
Starting point is 00:56:22 that we also found with one of these people, like in a fake Japanese passport. But anyway, this is a perfect example where they had trust, they were able to get their hands on the literal code base and then exert influence or infiltrate in that manner. Yeah. Yeah. Yeah, I would say that the first thing is that like all, yeah, all the North Korean hacks get initiated via some form of social engineering. Whenever you see like a very technical, like a big DeFi technical exploit, it's like I don't think there's ever been a case where that's actually been North Korea. The way that they operate is they, yeah,
Starting point is 00:57:02 they trick you into getting access to something and then they steal private keys or they instruct your AWS server to withdraw all your money to their address or the smart contract or whatever it is. I think that the IT workers, my perception is that they're a bit more opportunistic than the sort of like,
Starting point is 00:57:27 this, the army, I call them the hacker army, right? These guys that like are just sitting there trying to infiltrate and sending these phishing emails and, you know, on and on. And so they're, I guess like the way that they execute the hacks are much more diverse, and we only have a few, I guess, like super confirmed examples where it's like this IT worker was working for this company and then that IT worker hacked the company. Like we have suspicions on a whole lot more and how, you know, intel or information might be, like, flowing between the different, these different, like, North Korean threat actor group, subgroups. But in terms of, like, the IT workers, it's, yeah, they'll compromise private keys, admin
Starting point is 00:58:14 keys. Sometimes they are the deployer and therefore the admin of the smart contract. Oh, my God. Terrifying. Yeah, DAOs, they can do, like, you know, like pseudo-governmental maintenance type things. Oh my gosh. Because again, they're in this like privileged position of, yeah, being this like somewhat
Starting point is 00:58:35 trusted party. Okay. So earlier where, you know, we gave the tips on not hiring, then what tips would you give to projects that, you know, if they accidentally hire one of these employees, like, what are some good practices you think they should implement? Yeah. So I think that Yearn actually is a good example where they were actually more aware than most that they were like sort of like all operating anonymously.
Starting point is 00:59:04 And then as a result, they were like, cool. So we actually can't trust anyone. Like we can't trust any of ourselves. We can't trust you at all. And so they established a lot of processes where it was, yeah, it was actually this distrust. And so on the one hand, you can like try to figure out who everyone is and get their IDs and stuff like that. On the other hand, you're actually probably ultimately going to be safer if you just have really strict processes on like things like who can commit code, who cannot commit code, who gets access when they leave your company, make sure you revoke that access, making sure that you need like multiple signers and reviewers on every single commit. And, you know, it obviously varies depending on your exact, like, company and project and stuff. But,
Starting point is 00:59:57 you know, I would say number one rule is like, don't give any one person at your company, like, the raw private admin key. If there's one person that can rug your whole company, like, they probably will. And if they don't, then someone who hacks them will. And that's the vast majority of the hacks and the money stolen in the space come down to that one thing. Okay. So we're running out of time, but I definitely don't want to leave the episode without asking about that other category of the hackers, like the Lazarus type group. You know, ZachXBT talked about how that group has laundered between $200 million or over $200 million from 25 different hacks from 2020 to 2023. So I guess, Taylor, since you're more familiar with this type of hack, what are the, you know, kind of signs or
Starting point is 01:00:49 how do they, you know, perpetrate those? And what tips would you give to projects so they don't fall prey? Yeah. So there's sort of like on chain, at least there's like three distinct clusters of activity. There's the big centralized exchange hacks that everyone knows about. It also includes like Ronin and Harmony. All of those are cases where like the infrastructure is compromised.
Starting point is 01:01:11 It usually starts with social engineering, though. So one developer at the company, one DevOps guy, one senior engineer, the CEO, someone who has access to the servers, to AWS, to wherever the servers are, they personally got compromised via social engineering. And then once they've gained access to that one person, they then sort of, like, expand their reach and escalate. If necessary, obviously. If that one person has, you know, the keys to the kingdom, they don't need to escalate. They just steal all the money.
Starting point is 01:01:45 But a lot of times they do have to, like, you know, they get the one device and then they have to get into the servers, they sit in the servers, you know, and then eventually they get to, like, the cold wallets or the whole system or whatever it is. The other sort of cluster of activity is the one that you mentioned, that Zach has a very long research piece that traces it through, I think, the last four years. It's very similar, okay? A person gets social engineered, is tricked into, like, installing malware, their device gets completely compromised.
Starting point is 01:02:18 In this case, they're usually, like, DeFi founders or CEOs, though. And in that case, they don't necessarily have, like, this big system of infrastructure that the centralized exchanges have. They have the system of smart contracts. And so the way that they will steal the money is, one, they'll steal the founder's money, right? The CEO's money, their allocation, the tokens. And then they'll usually upgrade the contract to be something that they control. And so sometimes they will upgrade it so that they can just steal the money. Sometimes they have to, like, do some mechanism in order to, like, trigger the rest of the contracts in the system to dump the money.
Starting point is 01:02:56 But ultimately they steal all the money. And I think it's really notable that, yeah, every single one of these really starts from, you know, a single person clicking a link, having a conversation on Discord, on Telegram, on email. And then, you know, once they get that one toehold, it's game over. It's just a matter of time. And so, yeah, the advice I have is don't have a single person who can take all the money or upgrade all the contracts or has access to all the systems. Require sort of, like, so many distinct pieces to come together to be able to, like, remove all of the funds. Yeah, although that reminds me, that did happen with finding, right? Where there was, like, multiple points of entry, and that was how they... I don't remember, even. This was a few years ago. Do you guys remember that? They were compromised, there were multiple points, if I'm remembering correctly. Yeah, I mean, they're very good at infiltrating, obviously.
Starting point is 01:03:59 It just gives you way more time and ways to detect. Obviously you still need to be trying to detect, but if you... Yeah, there's sort of, like, two paths, right? The Ronin path is you have a single server with all the keys on it. They get access. They steal all the money. The other path is, like, I think Indodax is a very, very recent hack where they were only able to get access to, like, the one set of hot wallets. Right. And it's because Indodax, well, it's because Indodax had been hacked before and they had set up really robust processes that didn't allow... there was, like, no one person who could access all the things. And so the difference is $600 million versus, like, $20 million, or 100% of the money in the system or 10%.
Starting point is 01:04:51 And you always want... it's better not to get hacked, but if you do get hacked, you definitely want it to be limited to 10% over 100%. This reminds me of something that Taylor and I have talked about, you know, as I was writing my piece, which is you find in crypto that a lot of these protocols are, you know, essentially synonymous with one or two developers as far as the keys, the private keys, are concerned. So it's not enough to just protect your code base from individual workers who you suspect might be, or don't suspect, or just want to be careful about because of the threat of North Korean IT workers. But, you know, just the idea of a private key controlling the deployer contracts, holding millions, hundreds of millions, even billions of dollars, you know, it is just something
Starting point is 01:05:40 that is not scalable for the crypto industry, given that it only takes one person getting hacked for these protocols to get hacked because of what we're talking about. Yeah. All right. So last question. Chainalysis did release its crypto crime report for the mid-year of 2024. And so first of all, I should actually set up the context: in 2023, they found that actually the amount of funds stolen from crypto platforms fell by more than 50%. So that shows that the industry did get smarter at a certain point. I don't know if it's also because that was, like, more of a bear market year. But industry is also poor. But what they found, at least for the first half of 2024, is that cyber crime has actually increased.
Starting point is 01:06:28 I mean, the overall illicit activity decreased, but the amount that was stolen via or that was stolen and then also taken in ransomware had increased. So I don't know if you have any kind of general comments about like the trajectory of things in the industry. Like, do you feel like people are getting smarter? Do you feel like they're getting sloppier? Like, you know, where do you think this is headed? Do you think that North Koreans are winning?
Starting point is 01:06:54 Yeah, that's a question. So numbers-wise, we are definitely not getting better. The numbers are going up rapidly. You can sort of say, like, well, the whole industry is growing. All the numbers go up, so the hacks go up as well. There are some areas and some processes and some companies that are significantly more robust. I think the centralized exchanges took a while, but they finally, yeah, they finally realized, like, don't keep all your money in a single wallet. You know, it took years and years, but we finally figured that out.
Starting point is 01:07:28 I think that DeFi especially needs to learn these same lessons and stop repeating history. It's been about four years of, like, the same sort of admin key hacks. And so while we are getting, like, there's progress, there's evolution, we are getting better. It's like, you know, you have to kind of hunt to look at the wins, right? And where we're actually getting better. I would much prefer if people would learn from history and really actually secure their systems and not only decrease the risk on, like, the front end, but also get better at, like, detection and mitigation, limiting the loss, things like circuit
Starting point is 01:08:12 breakers, which, Laura, I think you've had people on talking about circuit breakers. Like, it's a perfect example of something that, you know, is not necessarily the most obvious thing, but it can have such a huge impact if, you know, if something bad does happen. And so it's that whole... you really do have to go through the whole process. I think, like, Lazarus hacks, North Korean hacks this year are probably going to be, almost certainly going to be, higher than last year. And I think Chainalysis's number last year was about a billion dollars. We still have a few months left. And I think we're already at, like, $600 or $700 million.
Starting point is 01:08:47 And so it's looking to be another billion-dollar year, which is just not good at all, especially because it's not good for anyone to lose a billion. It's especially not good when it's going directly to the North Korean regime to, you know, abuse their citizens and people around the world. To be frank, I mean, I would say, you know, echoing everything Taylor just said, I'll just maybe bring it back to the IT worker stuff. I mentioned earlier in the podcast that I spoke to Chainalysis for my story, and they mentioned that in the, you know, in the first half of 2024, the hacks that they traced back to North Korea, half of those were tied to, in some way, these IT workers, according to Chainalysis.
Starting point is 01:09:36 And in the past two weeks alone, two or three weeks, I think three weeks now alone, two of the companies that I mentioned before, Truflation and Delta Prime, that had hired these workers, allegedly in the case of Delta Prime, I haven't talked to them, I haven't had the opportunity to confirm it. But, you know, were hacked. We don't know if it's linked to North Korea. Another person that I spoke to over the course of my investigation had attempted exploits, you know, also actually last week, a day before my article came out. I don't know what that is.
Starting point is 01:10:08 Maybe it's because ZachXBT kind of, like, exposed some of these actors. And so they're kind of, like, now or never. But I guess the place where I'll leave this is that whether or not things are increasing, what I'm concerned about is that this has been going on for years and years and years. And I really do think it's incumbent upon every crypto protocol to, if they're not sure, and if they haven't done an audit, and a specific audit with an eye to these sorts of problems, do that audit and make sure their code is safe, because it's very possible that some of these exploits, whether it be malware on a personal machine, whether it be a tainted smart contract,
Starting point is 01:10:55 has laid dormant for a very long time and just hasn't been attacked. That doesn't mean that the attack isn't, you know, ready to happen. So, yeah, I think that's kind of where I'll leave things. All right. Well, you guys, this has been such a fascinating conversation. Where can people learn more about each of you and your work? I'm on Twitter, always. My handle is tayvano_, underscore at the end, T-A-Y-V-A-N-O underscore, and my DMs are always open
Starting point is 01:11:28 if you have questions about the IT workers or hacks, or you get hacked. I'm always around. I try to respond pretty quickly, and yeah, my Twitter is full of fun, fun stories.
Starting point is 01:11:40 Yeah, so my Twitter is skesslr, "S Kessler" without the E at the end, so S-K-E-S-S-L-R. Follow me there for updates on my articles that I do for CoinDesk. It's a mix of news and longer investigations like this one. And if you have any tips that are more sensitive, there's an email that you can see in my X account, you know,
Starting point is 01:12:05 or my Signal you can also see there, to send those through. Bring more light to issues like these. Great. Well, it's been a pleasure having you both on Unchained. Thanks so much. Thanks so much, Laura. Thanks so much for joining us today. To learn more about Sam and Taylor and how North Korean hackers are infiltrating the crypto industry, check out the show notes for this episode. Unchained is produced by me, Laura Shin,
Starting point is 01:12:28 with help from Matt Pilchard, Wanner Randavich, Beck and Gavis, Pam Bichomdar, and Marker, Korea. Thanks for listening. Unchained is now a part of the CoinDesk Podcast Network. For the latest in digital assets, check out Markets Daily, five days a week, with host Noelle Acheson. Follow the CoinDesk Podcast Network for some of the best shows in crypto.