How to identify North Korean hackers disguised as developers applying for jobs?

链捕手

1 year ago

Written by: Deep Tide TechFlow

On March 27th, bad news came from Blast: the Web3 game platform Munchables was drained of over 17,000 ETH, worth 62.5 million US dollars.

Blockchain detective ZachXBT indicated that Munchables may have been stolen by North Korean hackers disguised as developers. SlowMist founder Yu Xian also stated, "This is at least the second DeFi project we have encountered in this situation. The core developer disguised and lurked for a long time, gained the trust of the entire team, and then struck at the right time without mercy."

For founders of cryptocurrency projects, running into North Korean hackers while interviewing remote developers may be nothing new.

Monad founder Keone revealed in 2022 that after posting many job listings for Solidity developers they received a large number of resumes… but they believed that many of the applicants were North Korean, and he summarized some common characteristics:

  • They seem to prefer GitHub users like SuperTalentedDev726 or CryptoKnight415;
  • They also seem to like using numbers in their email and GitHub usernames, which may be a way to track their identities when applying?
  • They tend to choose Japanese identities (perhaps Koreans are too obvious) and often claim to have studied at top schools in Japan, Hong Kong, or Singapore (National University of Singapore, Nanyang Technological University, University of Hong Kong, Hong Kong University of Science and Technology);
  • They often (though not always) steal code repositories on GitHub, take existing projects, and regenerate commit messages to use their usernames;
  • They also tend to use multiple email addresses to apply for the same job multiple times, and these email addresses are different from each other;
  • The time they claim to have experience with Solidity/EVM is too early (e.g. 2015).
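The indicators above are the kind of thing a hiring team can check mechanically before a recruiter spends time on a call. The script below is an added example written for this page, not code from the article, Monad or any of the people quoted: it scores constructed applicant records (every name, handle, email and timestamp is invented) against the listed red flags, groups applications that reuse the same GitHub handle or resume under different emails, and applies one heuristic for the "regenerated commit messages" point, namely a repository whose author dates span months while all committer dates fall within a short window, which is what a bulk history rewrite leaves behind. The regular expressions, thresholds and the `git log --format='%an|%ae|%at|%ct'` line layout are assumptions chosen for the example, and a hit is a reason to verify, not a verdict.

```python
"""Applicant-screening triage for the red flags in the list above.
Added example; all applicant data and git log lines below are constructed."""
import re
from collections import defaultdict

SOLIDITY_FIRST_RELEASE_YEAR = 2015  # first public Solidity release

# Assumed patterns: a generic word followed by a long numeric suffix
GENERIC_HANDLE = re.compile(r"^[A-Za-z]{3,}\d{3,}$")
NUMERIC_LOCALPART = re.compile(r"^[A-Za-z]+\d{3,}$")

# Constructed applicants: the second and third entries are one person
# applying twice with different email addresses.
APPLICANTS = [
    {"name": "Alex Doe", "email": "alexdoe@example.com", "github": "alexdoe",
     "claimed_solidity_since": 2019, "resume_hash": "a1"},
    {"name": "Taro Yamada", "email": "seniordev4471@example.com",
     "github": "SuperCoder9981", "claimed_solidity_since": 2015, "resume_hash": "b2"},
    {"name": "Taro Yamada", "email": "blockchainguru22@example.net",
     "github": "SuperCoder9981", "claimed_solidity_since": 2015, "resume_hash": "b2"},
]

# Constructed `git log --format='%an|%ae|%at|%ct'` output. Author dates run
# Jan 2021 .. Jan 2022, committer dates are all within one minute of each
# other, the signature of a wholesale rewrite of an existing repository.
REWRITTEN_LOG = [
    "SuperCoder9981|seniordev4471@example.com|1609459200|1711500000",
    "SuperCoder9981|seniordev4471@example.com|1625097600|1711500030",
    "SuperCoder9981|seniordev4471@example.com|1640995200|1711500060",
]
# Organic history: commits were made (and committed) as the work happened.
CLEAN_LOG = [
    "Alex Doe|alexdoe@example.com|1609459200|1609459200",
    "Alex Doe|alexdoe@example.com|1625097600|1625097800",
    "Alex Doe|alexdoe@example.com|1640995200|1640995300",
]


def handle_flags(applicant):
    """Return the red flags raised by one application's handles and timeline."""
    flags = []
    if GENERIC_HANDLE.match(applicant["github"]):
        flags.append("GitHub handle is a generic word plus a numeric suffix")
    local_part = applicant["email"].split("@", 1)[0]
    if NUMERIC_LOCALPART.match(local_part):
        flags.append("email local part is a generic word plus a numeric suffix")
    since = applicant.get("claimed_solidity_since")
    if since is not None and since <= SOLIDITY_FIRST_RELEASE_YEAR:
        flags.append(f"claims Solidity experience since {since}, "
                     "at or before the language's first release; verify")
    return flags


def duplicate_groups(applicants):
    """Map (field, value) -> sorted emails for handles/resumes reused across emails."""
    by_key = defaultdict(set)
    for a in applicants:
        by_key[("github", a["github"])].add(a["email"])
        by_key[("resume", a["resume_hash"])].add(a["email"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def rewritten_history_suspected(log_lines, max_commit_window=3600, min_author_span=30 * 86400):
    """Heuristic: authoring spread over a long period but committing done in one sitting."""
    authored, committed = [], []
    for line in log_lines:
        _name, _email, author_ts, commit_ts = line.split("|")
        authored.append(int(author_ts))
        committed.append(int(commit_ts))
    if len(authored) < 2:
        return False
    author_span = max(authored) - min(authored)
    commit_span = max(committed) - min(committed)
    return commit_span <= max_commit_window and author_span >= min_author_span


def screen(applicants):
    """Build a per-email report combining individual flags and cross-application reuse."""
    report = {a["email"]: handle_flags(a) for a in applicants}
    for (field, value), emails in duplicate_groups(applicants).items():
        for email in emails:
            report[email].append(
                f"same {field} '{value}' submitted from {len(emails)} different emails")
    return report


if __name__ == "__main__":
    for email, flags in screen(APPLICANTS).items():
        print(email, "->", flags or "no flags")
    print("rewritten history suspected:", rewritten_history_suspected(REWRITTEN_LOG))
```

The duplicate check is the cheapest and most reliable of the lot: an applicant tracking system already has the emails and resumes, and reuse of one GitHub handle across several identities is hard to explain innocently. The history heuristic needs a clone of the applicant's repository and is only a prompt to read the log by hand.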

According to the latest reports, GitHub user Werewolves0493 is alleged to be the North Korean hacker behind the Munchables attack. His email address on GitHub is seniordev1225@gmail.com, which also matches Monad founder Keone's description.

In 2022, Jonwu, a staff member of the privacy protocol aztecnetwork, also encountered North Korean hackers during the interview process and described the scene of the online interview. Here is his account:

First, we at aztecnetwork were recruiting and received an application for "Bobby Sierra - Solidity Engineer" on @Greenhouse.

After an internal review, the system assigned me to an online interview.

I quickly scanned through the resume.

Name: Bobby Sierra

Applying for: Solidity Engineer

Location: Ontario

Languages: English and some Chinese

Experience: F2pool, with some DAO and NFT projects on the resume.

Remember this, it's relevant later.

Then I looked at the cover letter, which started with: "I am a blockchain developer with over 6 years of rich experience."

Then there was a bunch of vague information, some generic self-promotion, but understandable, not everyone is good at writing cover letters.

Finally, he wrote in the cover letter: "The world will see great achievements in my hands."

I immediately thought, this guy sounds like a Bond villain.

I'm imagining a guy whose arm is actually a laser cannon, and his eyeballs are made of plutonium or something.

"The world will see great achievements in my hands"???

Who the hell talks like that?

It's unsettling, I thought to myself, but maybe Bobby is just a quirky guy.

Then, I started the interview!

Hi, this is Jon from Aztec, is this Bobby?

"Yes. This is…Bobby Sierra."

I noticed a few things:

His camera was off;

There were more than 5 people talking loudly in the background;

A distinct Korean accent;

I asked him why the noise was so loud.

"Oh, I'm in the office."

WTF, but why are there 5 other people speaking a mix of Korean and English?

You might ask, how did I know he was Korean?

Well, some of my good friends are Korean, so I'm very familiar with the Korean accent, but this wasn't the accent of a typical Korean American or Korean Canadian, or any Korean accent.

"Bobby" could of course speak English, but not the usual kind: stiff, formal, and almost incomprehensible.

So: "Bobby, introduce yourself."

"I have been involved in many blockchain development and token issuance, have had many successful projects, very successful, lots of blockchain experience, all with very good results. Okay?"

Let's analyze this briefly:

1) The first part is a bunch of nonsense, just for that I wanted to cancel his interview

2) "Okay"

The use of "Okay" made me sure that this guy is Korean. How did I know?

Because my friends' moms would say this shit to me before giving me a bowl of piping hot rib soup.

"This is very delicious, eat it while it's still hot, Okay?"

Now the alarm bells were ringing. I knew about the recent frequent North Korean hacker attacks.

I decided to dig further.

Where are you based, Bobby?

Bobby: "Based?"

I mean, where are you right now?

"Oh, in Hong Kong."

"Where did you work last?"

"Oh, Ateke."

What's that?

"A German company, or a French company. I don't know."

Your resume says you worked for F2pool, can you tell me about F2pool?

"Umm, can you wait a moment?"

Then he asked me to mute for 5 minutes.

When Bobby came back, he seemed like a different person.

"Hello, are you there?"

Yes, Bobby, I'm here.

"I am an experienced blockchain developer, I want a new job, I am very experienced, can bring value to your company, I want an engineer job now. Okay?"

Regardless of whether it was true or not, I hung up the phone.

We know that North Korean hackers like the Lazarus Group are attacking major protocols and individuals.

Ronin was robbed of 600 million US dollars; Arthur0x, Mgnr, and countless other well-known accounts were attacked.

I don't know what the medium of attack is.

  • Shall we download a corrupted .docx resume?
  • Shall we share the screen and navigate to Metamask?
  • Gain access to our codebase and push a malicious change?

I'll leave it to the internet to guess.

In fact, I don't know if these people are North Korean hackers. Bobby might just be a very incompetent guy, but every fiber of my being says that's not the case.

Apart from fear and entertainment, I learned a lot from this strange interaction.

1) Our whole world is built on trust. If someone shows us their resume and GitHub, we believe it.

  • The risks of smart contracts are overestimated, anything can be a vector for attack: recruitment, events, travel, and so on.
  • Don't casually download attachments, keep your wallet isolated on your own machine, and so on.

Later, "Bobby" updated his GitHub, which now points to a brand new account with more code commits.

I believe these people are learning, adapting, and getting smarter.

Fortunately, they can't hide how disconnected and incompetent they are.

We just need to stay sharp.
