
Crypto exchange Kraken has thwarted a sophisticated infiltration attempt by a North Korean hacker posing as a software engineering job applicant, underscoring the evolving tactics used by state-sponsored cybercriminals.
The attempt was flagged during a routine hiring process, which quickly escalated into a full-fledged investigation after multiple red flags raised suspicion within Kraken’s internal security team.
Behavioral and Technical Anomalies Trigger Alert
According to Kraken, the applicant exhibited unusual behavior from the outset. The candidate joined the interview call using a different name than the one listed on their resume and appeared to alternate between voices, suggesting they were receiving real-time coaching. Additionally, their system setup included colocated Mac desktops paired with VPN usage, a common method for masking geographic origin.
The inconsistencies prompted Kraken’s team to dig deeper. A cross-check of the applicant’s email address revealed a match with one previously flagged by industry partners as linked to a known North Korean hacker group.
Red Team Investigation Confirms Threat
Kraken’s internal Red Team launched an open-source intelligence (OSINT) investigation, analyzing breached data, email patterns, and digital footprints. The probe uncovered that the applicant was part of a broader network of fabricated identities, some of which had successfully gained employment at other crypto companies, highlighting the potential scale of the threat.
Rather than immediately rejecting the candidate, Kraken chose to advance them through further interview stages to collect more intelligence on the tactics used.
In a final interview led by Chief Security Officer Nick Percoco, the candidate was asked subtle identity verification questions, including requests for local knowledge and live ID authentication. The individual failed to respond convincingly, confirming the team’s suspicions of a coordinated state-sponsored infiltration attempt.
A Growing Threat to the Crypto Industry
Kraken cited the event as part of a growing trend of North Korean cyber operations targeting the crypto industry. According to reports, North Korean hackers stole more than $650 million from crypto firms in 2024 alone. As U.S. firms become more vigilant following high-profile incidents like the Bybit hack, threat actors are increasingly shifting focus to European crypto companies.
This incident also highlights the evolving strategies of North Korean hacking groups, which now include impersonating job seekers to gain privileged access within companies.
The attempted infiltration at Kraken serves as a stark reminder of the ongoing cybersecurity risks faced by the crypto sector. As threat actors refine their methods, exchanges and Web3 companies are under increasing pressure to implement robust security measures not just for assets and platforms, but for hiring and internal operations as well.