
Lawfare Daily: Sam Kessler on How North Korean IT Workers Infiltrate U.S. Tech Companies

Eugenia Lostri, Sam Kessler, Jen Patja
Thursday, October 24, 2024, 8:00 AM
What can be done about North Korean IT workers infiltrating the crypto industry?

Published by The Lawfare Institute
in Cooperation With
Brookings

Eugenia Lostri, Senior Editor at Lawfare, sits down with Sam Kessler, Deputy Managing Editor for Tech and Protocols at CoinDesk, to talk about his recent investigation into how North Korean IT workers are infiltrating the crypto industry. They talked about the red flags that companies should be looking out for, why the crypto industry is particularly vulnerable, and the connection between these workers and the North Korean hacking arm.



Transcript

[Intro]

Sam Kessler: You know, it obviously hits a national security, I guess, vector, in terms of U.S. companies paying North Korean workers, which violates U.S. sanctions, you know, and that money going to, you know, fund the nuclear program. That is kind of the crux of U.S.'s focus as far as enforcement is concerned.

Eugenia Lostri: It's the Lawfare Podcast. I'm Eugenia Lostri, senior editor at Lawfare with Sam Kessler, deputy managing editor for tech and protocols at CoinDesk.

Sam Kessler: Only in crypto can you have these startups holding literally billions of dollars that, you know, people can hack into and steal. And that's just really attractive to a regime that turns money this way.

Eugenia Lostri: Today, we're talking about the North Korean IT worker threat, how it affects the crypto industry, and how to mitigate it.

[Main Podcast]

Eugenia Lostri: So Sam, we've had a few recent headlines focused on the threat of North Korean IT workers that infiltrate tech companies and then funnel their earnings back to the North Korean regime and can also present serious insider threats to the companies that hire them. However, this is not really a new threat. So, could you maybe start by giving us an overview of how this scheme works and its history?

Sam Kessler: The way that this works is North Korea, through a variety of different means, has been trying to get into U.S. and global technology companies by simply planting workers in these companies, accruing revenues to those workers, and then sending those revenues back to the regime. According to the U.S. and UN research on this, that money theoretically goes to fund the regime's nuclear program.

So how this actually works from start to finish is typically and I'm focused particularly in the crypto space, so, you know, my context is somewhat limited to that. But broadly what I've seen is these North Korean IT workers will apply to, you know, jobs, in the United States and other countries through the same sorts of job portals that quote unquote typical employees would use. Except the difference here is of course because North Korea is subject to such strict global sanctions, which we can talk about, they take lots of, you know, lengths to obscure their actual identities.

So they'll apply through, in the crypto case, for example, CryptoJobList, or even Indeed.com. Sometimes companies I spoke to said that more than half of their applications came by their own assessments, they'd learn later on, from North Korean IT workers. They'll apply to these jobs. They'll interview just like anybody else, and then they'll do the job. Sometimes they'll also though reach out through other channels like Telegram and Discord, which are really big messaging platforms in the crypto space. They really are sort of native, it seems at least in the crypto case to the industry that they are infiltrating, and so they apply just like anybody else would into those industry companies.

Eugenia Lostri: So we don't tend to think of North Korea as a hub of innovation. So, I'm curious about who these hackers are, where are they operating from, and, you know, how are they advancing the North Korean regime objectives through this work?

Sam Kessler: Yeah, so, my knowledge of this is somewhat restricted to what I've read in research reports from U.S. authorities and the United Nations.

So, you know, in terms of my knowledge of the actual background of these workers, but according to these reports the workers work in a variety of locations, not just in North Korea, but typically actually in places in China, Laos, and Russia are the big ones that you hear about. Serbia is also on that list. But you can think of it, it almost reminds me of what you hear about in terms of these pig-butchering schemes, that you read about all the time where people kind of set up in these call centers and are kind of just working around a bunch of other people in similar positions to, in this case, infiltrate companies. So,

Eugenia Lostri: So just for any listener who might not be familiar with the pig-butchering scheme, could you explain a little bit what you mean by that?

Sam Kessler: Yeah, and that's a whole other rabbit hole. I recommend if you're interested in the crypto side of that, because a lot of times with crypto scams, you read Zeke Faux's reporting from Bloomberg. But these pig butchering schemes are, you know, those romance schemes, they used to be called, or romance scams, where people you see in your text messages, at least I get them a lot in the U.S., they'll be like, hey, Amy, where are you? And, you know, my name's not Amy, so maybe I'll respond, I'm not Amy. What they'll do is, they'll kind of create a, you know, rapport, create a relationship with you, and then by, you know, through various different means, you know, fatten the pig, that being you, you know, through affection or whatever else, and then butcher that pig by taking your money. You know, getting you to invest in, for example, crypto scams.

Eugenia Lostri: I'm not a particular fan of the name of pig-butchering schemes.

Sam Kessler: As I was saying that, it did not roll off the tongue.

Eugenia Lostri: I don't know how we landed on that one, but I think it needed to be a workshop for a little bit longer, to be honest.

Sam Kessler: I agree, I agree.

Eugenia Lostri: So, continuing this thread though, what's the scale of this threat? You know, how much money is being funneled back to North Korea? How significant is this actually?

Sam Kessler: So the questions you're asking so far, a lot of these are in this UN report that I keep on citing and we'll get to, you know, some of these, you know, more specific anecdotes, but according, again, to cite the United Nations, I want to be careful as a reporter, it's not my own research in this case. They say $250 to $600 million dollars per year, globally, go back to North Korea through IT workers. Most of that money coming from wages. Just normal wages that these workers, and we call them IT workers, maybe it's just coders, developers, programmers, you know, just, you know, IT worker is the nomenclature that U.S. and global authorities have adopted. So, that's a lot of money.

Eugenia Lostri: Do you have a sense of what percentage of their salary they keep and how much needs to go back?

Sam Kessler: Yeah, so according to that same report that I'm citing, it's about 10 to 30 percent of wages get kept by these quote unquote IT workers. 30 percent for the higher earners, 10 percent for the, I guess, the lower performers, which adds a, you know, interesting texture to this entire thing that makes it even more cynical, where a lot of these people, even though the wages that they might earn from working in a U.S. company, for example, are higher than one would earn, you know, in North Korea, doing a tech job there.

They're still being forced to give a bunch of their salaries over to a different person, which you know, it is like in, you know, a sort of modern form of, you know, slavery or indentured servitude. You see a lot of things like this in the pig-butchering context. A lot of those people who are doing that stuff, I make the comparison, are also themselves victims of scams. In this case, the scam, quote unquote, would be maybe that you are, you know, just a person who was born in North Korea and subject to this sort of a system.

Eugenia Lostri: Right. So, the U.S. has issued advisories with some guidance on how to deal with the IT worker threat. It has also targeted some of the infrastructure that has been used to facilitate the scheme, and I believe last year it sanctioned entities that have been involved with this, I believe they call, obfuscated revenue generation and the malicious cyber activity that support the North Korean regime.

So can you tell us a little bit more about this response in the U.S. to the IT worker threat and the different prongs that are involved?

Sam Kessler: Yeah, so the IT worker threat kind of hits, you know, it obviously hits a national security, I guess, vector in terms of U.S. companies paying North Korean workers, which violates U.S. sanctions, you know, and that money going to, you know, fund the nuclear program. That is kind of the crux of the U.S.'s focus as far as enforcement is concerned, is that these are technically sanctions violations that these companies are quote unquote committing by hiring these workers.

So oftentimes you'll see Treasury, you know, the U.S. Department of Treasury getting involved and probing companies. For example, one of the companies that I spoke to was contacted by the FBI. The FBI was like, hey, we see some weird transactions going from your blockchain wallet to another blockchain wallet that we believe is connected to North Korea. The company then responds to that FBI agent and said, hey, these are contractors that we hired to build such and such, you know, crypto program. And then that kind of opened up a probe on the Treasury side that was ultimately closed.

And that gets to the next part, which is, you know, this is kind of like a sanctions sort of thing insofar as the government response is concerned. But these companies the government seems to understand are themselves victims. So oftentimes what they focus on is not prosecuting companies who unwittingly, in every case that I encountered, are hiring these workers, even though it's technically illegal either way, it's something called strict liability, but I guess this is Lawfare, so maybe people, you know, can actually dig into that and, but anyway. They're usually not mad at these companies. These companies are getting victimized.

But, what they do focus on is giving them as much as they can to kind of understand whether they might actually be targeted by these sorts of schemes. So, you know, for example, publishing the addresses of known North Korean crypto wallets, or banks, for example, that help launder the funds. They're published to the Office of Foreign Asset Control's sanctions, global sanctions database, so companies can see if their money is going there. But usually North Korea, at least these days, is more clever than that, and they kind of, you know, group a lot of their funds together in wallets that are harder to trace, and all this gets really complicated, but bottom line is that, you know, the U.S. has posted a lot of things online for how companies might be able to protect themselves from these sorts of schemes.

Eugenia Lostri: So let's dig into that a little bit more because I am interested in from the perspective of a tech company who, you know, is just interested in hiring competent people to do whatever they're doing, right? What are some of the red flags that these workers can present both during the interview process, but also once you maybe actually unwittingly hired them? What are some of the things that you should be looking for?

Sam Kessler: I mean, maybe the first thing I'll say here just to kind of provide an anecdote of what this looks like, you know, maybe that'll be helpful for the conversation, like what this looks like from a company's perspective, and then we can talk about, you know, what one could look out for in that sort of a case.

So, an example that, that comes to mind is there's a crypto company that I reported on called Truflation. The founder hired, you know, it's a startup, and the founder hired a worker who was named Ryuhei, who is ostensibly a Japanese employee. But this founder started noticing some weird things with Ryuhei pretty quickly, you know, with his story not matching up, for example, the founder noticed one day after this employee, Ryuhei, missed a call that he blamed missing that call on an earthquake. But you know, the employee claimed that he was in Tokyo, but there was no earthquake, you know in that time frame in Tokyo. So that's kind of a weird fly, but you're not thinking North Korea, right?

So, you know, spoiler alert, this person ends up being a North Korean IT worker but anyway, it's not what comes up in your mind as a founder who's hired somebody. But later on, what ends up happening is this person just disappears doesn't show up to some meetings and then comes back and when they hop back on the call, it is clearly, according to this founder, a different person. The employee literally dropped his Japanese accent. So,

Eugenia Lostri: That's crazy.

Sam Kessler: It is crazy and I heard so many stories like this about you know, these sorts of employees. But this founder thought that, you know, he had done all the steps that one would normally need to do to hire somebody. You know, for example, he had asked for background information from the worker, like passports and IDs and stuff, and he had reviewed those and they checked out.

You know, nothing, you know, the employee also wasn't a particularly bad performer. And that's something else that you hear about if you do reporting on this or speak to these people. A lot of times, these quote unquote North Korean IT workers are actually stellar, not just good employees or not bad employees. Sometimes they're stellar developers.

But anyway, long story short, this person ends up being North Korean, and this founder learns that not only was this person North Korean, but other individuals, five people total that this person, this employer, had hired in that same two-month time frame were North Korean.

Eugenia Lostri: That's fascinating. I think many of the stories that you're sharing your investigation are fascinating. You know, something that stuck out to me was when you're talking about one person pretending to be many employees so that they could earn the wages or the fact that maybe they would rotate who was pretending to be whom. So, you know, in the same way that this person showed up and was suddenly not Japanese anymore, they would be different people and the different ways in which they try to cover that up. I think if you could speak to that a little bit more, that I thought was really interesting and kind of an insight into the issue that we don't usually get by just looking at a UN report.

Sam Kessler: Yeah. So basically, let me use this anecdote to talk about, you know, some of those red flags. So first off, I mentioned that this employee, Ryuhei, and the other employees had furnished real or at least seemingly real IDs for this employer. That is not enough. And if there's one thing, if you're like an employer, if you're, you know, operating a tech company and you don't know, and this is not by any means exclusive to crypto. You know, if you have some suspicions or even don't, the most important takeaway here is that you run professional background checks on employees, and particularly remote employees, which is every case that I've uncovered of this happening.

So just looking at these IDs is not enough because sometimes the IDs are stolen, which will often come up if you use a professional background checking service. Sometimes the IDs are just really good fakes. And there's some, you know, if you check my story on CoinDesk, you can see some examples of very real looking IDs from these people. So that's rule number one, two, and three in terms of, you know, sussing out these people.

The next thing is to be just mindful of just, you know, I guess trusting your gut in, in terms of odd behavior. So I bring up this anecdote because it is super, I think, illustrative of, you know, many of the anecdotes I came across over the course of my reporting, which is just weird things happen that would not happen if, you know, this was not the sort of ordeal scheme, sort of a thing that we're talking about today.

So, in this case and in many cases, you'll have an individual person, or ostensibly an individual employee, actually turning out to be multiple different people masquerading as a single individual. And if you notice, for example as my story, you know, gives the example of a person who remembers things in the morning and then seems to forget them in the afternoon, after your daily stand-up meeting. If you notice that this person never wants to put their camera on, or they have like a, you know, the word I heard was like factory noises, which is oftentimes they'll operate out of these sorts of call centers. These sorts of things that, you know, might not be super indicative that a person is, you know, a North Korean IT worker on their own, all together, should leave one to, you know, take some pause.

But the last thing that I'll say too is, when it comes to these sorts of hiring operations you truly cannot necessarily go off of the performance of the employee, when you're trying to determine, like you basically can't assume that a person is not who they claim to be, just because their aptitude is not at the level that you expect it to be based on, you know, the thing that they're applying for.

So sometimes they'll have a person conducting the, you know, the interview being the interviewee who is not the actual employee who shows up to work on day one. Sometimes the person who shows up to work on day one is a really competent employee, and you just can't go off of that to make your determinations.

Eugenia Lostri: There's an interesting aspect that you focus on in your investigation, which is the development of these personas and the reputation that they develop. The fact that they want to protect access to the name and to maybe their contributions that are existing as a way to show like, yeah, this is what I've done. This is how I show that I'm good. That I found really interesting because given all of this, you know, rotation, impersonation, you would not expect there to be such an attachment to specific names and personas. Can you talk about that a little bit more?

Sam Kessler: Yeah, absolutely. So what you're referencing is this additional anecdote in the piece about a crypto project called Sushi, which is a decentralized exchange that lets people swap cryptocurrencies without middlemen on a blockchain. This is not a blockchain podcast, so we don't really need to get into any of that. It's a crypto project.

Eugenia Lostri: That's enough for us.

Sam Kessler: Yeah, as it should be. But anyway in this particular case, the project, I call it a project because crypto companies, it's a whole weird thing, but you call it a project, they had employed a contractor, in this case who went under a pseudonym, but actually used his quote unquote real name, Anthony Keller, when he applied to work for this company. So Anthony Keller does work. He brings his friend on board who's ostensibly Serbian, named Sava Grujic. Anthony claimed to be living in Georgia, in the United States.

And then Sushi, later on, gets hacked. Something you see here is not only do these IT workers accrue wages and send those back to North Korea, but sometimes they'll also, and we'll talk about this, you know, be involved in the hacking operations that the regime pulls off all over the place.

But anyway, in the Sushi case, $3 million was stolen, but then that $3 million was returned. Once this kind of uproar happens within the company, within the project, and once people threaten to get you know, federal agents in the U.S. involved and threaten to quote unquote dox, you know, some of the people involved in this who are, you know, it now, based on my investigation, suspected to be North Korean, at the time just suspected to be hackers. There was a lot of suspicion at the time that those two individuals that I mentioned who did perpetrate this hack were one person.

Long story short I don't know if I'm giving the most linear, you know, narrative to what happened here. The key thing that, Eugenia, I think you reference is that they did try to protect the reputation or the identity, it seems, of at least one of these individuals by giving this money back, and why that is could be a variety of different things, and this is my hypothesizing. One of them could just be that they do steal identities, and it can, it's not free to get a stolen passport, a stolen ID. So, that's one thing. You just want to protect that. And $3 million dollars for North Korea, which is doing hacks all the time, might just not be worth it when you can pull in a lot of money from these you know, IT workers just wage-wise.

The other thing though, and I think this is the most important thing, is that these IT workers, they'll build a reputation over time, which is particularly important in the crypto space where everything is often by kind of word of social media mouth conducted on Twitter, Discord, Telegram, on forums. So you'll often see these employees like Anthony Keller in this case, who, the pseudonym escapes me that he was using. But his pseudonym actually built up a pretty considerable degree of credibility within the crypto space before he ended up being implicated in this heist. So he worked on other prominent crypto protocols. He got real references.

So I guess altogether this ties into something we were talking about before, which is, you know, these people try to build up these reputations, but that is also why you can't always, you know, suss these people out without a background check, because references are simply not enough. You think if you get a reference check, you know, if they pass through, you know, that's the most important filter. References can be real. And they were in this particular case.

Eugenia Lostri: Now, I couldn't help myself and had to jump into talking about all of these anecdotes, but I wanted to make sure that we also talked about the steps that come before this investigation. I want to know why you know, of course you cover crypto, right? So it makes sense that you would do this.

But as I think you say at the beginning of the piece, there was maybe less attention being paid to the IT workers infiltrating crypto companies. So what led you to focus on this particular strand of the challenge, I guess and maybe if you could share a little bit more about how, you know, you went about connecting with these companies and getting them to talk about this, the struggle that they face or the surprise that they had when they realized that they had actually hired someone that they are legally not supposed to?

Sam Kessler: Yeah, absolutely. So this problem of North Korean IT workers trying to infiltrate the crypto industry has been written about before. I actually recently stumbled across a CNN article that I think was written in 2022. I didn't even see this over the course of my reporting. That said North Korean IT workers are trying to infiltrate crypto companies. And now we know it's not just crypto companies where this is happening. It's what I report on.

But the results of my investigation, I think, yielded something different, which is not only that this is maybe happening, but it is absolutely happening. They're not just trying to infiltrate these companies. They are successfully doing so. And the threat is, it goes far deeper, particularly in the world of crypto, as far as I'm, you know, again, that's my context here. It goes far deeper than I think most people realize in terms of not only the scale of this operation, so many of your applications as a crypto company, not just a few, but sometimes more than half of your applications for a position might be North Korean, so it's big in that respect.

But it's also big in the sense that we have seen articles about this before, we have seen research about this before, we have seen warnings about this before. But I really endeavored in my article to show that it's not just companies that you haven't heard of. Maybe you haven't heard of them, but in the world of crypto, these are companies that within that community, people have heard of.

Sushi, the one that I just mentioned, for example, is actually a pretty big name project. And, you know, there's others that I won't, you know, just list off here. But the goal for my reporting was not only to show that this is happening that this is, you know, widespread, but that it's not just, you know, startups and companies that you haven't heard of or that most crypto people haven't heard of that are quote unquote falling for these sorts of things. It really is endemic to the entire industry. So, that, that's part one.

Part two is you know, how I sort of connected these dots, connected with these companies. So, a lot of my work and this is the beauty of being a crypto reporter, a lot of my work in this case was conducted on chain. So, for all the negatives that you hear about crypto many of them, you know, well-earned negatives that you hear about it in the press. And, you know, even sometimes in my reporting frequently, there is a huge advantage for, you know, a random person like myself, looking from the outside in, which is that payments are transparent.

So, we mentioned before that the Office of Foreign Assets Control published a list and they do this intermittently, of sanctioned entities linked in this case to North Korea. I was actually able to cross-reference those addresses with crypto companies that are quote unquote doxed, that publish their crypto information on the internet or through a variety of other means. It's like you see, you know money from an investor going into this wallet going into this wallet. You're able to do some sleuthing, talk to some people and figure out okay, this address that's sending money to this account that's sending millions of dollars to North Korea, you're able to kind of as a reporter talk to whoever is publicly known, associated with these crypto addresses, you can talk to those individuals and then make the connections.

So, a lot of the time, what I saw was a very similar pattern, which is a crypto company or a blockchain address that I don't even recognize, sending, you know, very regular payments to, another address that is sending its payments, millions of dollars in this case, to, you know, North Korea. An address that is identified by the U.S. government as being linked to North Korea. Which to me is a red flag, just the regularity of the payments, the size of the things leaving the address, you know. There's all these different red flags that you kind of notice as a reporter or a researcher into this stuff, that somebody is an IT worker.

Eugenia Lostri: So, I mean, you're saying this is a benefit from the crypto space, but you also describe the industry as ripe for sabotage. So what makes the space so vulnerable?

Sam Kessler: Yeah, this gets to another part of your question that I don't think I addressed there, which is why these companies spoke up. So, when you have on chain evidence like I had, you're able to go to them and say, hey, I, you know, I, so I had, a list for months and months, and I'll get to this ties in, I promise.

But I had, you know, a lot of these companies for at least many weeks. But I didn't want to publish anything until I had a critical mass, that, so that I could show that I wasn't going to pick on one company, two companies, three companies. We had over a dozen companies that we named and got in contact with.

And the point there was to show that this is so widespread in the crypto space that we're not just saying that, hey, this company made a mistake. We're saying that, hey, even this company made a mistake and so did all of these other companies. So that's a bit of a nuance, but I want to make that clear as I'm talking about all these companies.

Anyway, you know, when you go to companies, they understand and they, in many cases, were willing to lend their expertise, just, you know, that they've generated from coming across this sort of stuff. Whatever. They were willing to talk about it and almost every single one already knew that they had hired these North Korean agents just because other researchers had reached out, government in the U.S. had reached out, and so on. I was I guess just the first reporter that had reached out.

So anyway, moving to that question about crypto being unique, just like it's uniquely transparent, there's also some negatives to it too, you know, that, that make, I think, crypto uniquely rife for these sorts of things.

So first off is crypto is just, you know, ripe for exploitation, just from a hacking standpoint. North Korea is the biggest perpetrator of crypto heists, stealing billions and billions of dollars, three to six billion. I forget the exact number in the past few years alone from crypto companies. And that's just because only in crypto can you have these startups holding literally billions of dollars that, you know, people can hack into and steal. And that's just really attractive to a regime that earns money this way.

But the other thing is, I think that there's a really informal sort of texture to the crypto space as far as hiring and work is concerned. So, companies are a lot more comfortable in crypto than in other industries, hiring, literally, anonymous workers. That's becoming less of a thing in certain, you know, places in crypto as it tries to kind of formalize and, you know, professionalize itself. But, you know, that's just not going to be able to fly for much longer while these sorts of things abound with people trying to get into your companies.

And then the last thing here is just that these companies pay relatively well. Western and particularly crypto, Western crypto wages and it's not just Western companies, but it's often Western companies, and we're on a U.S. podcast, pay, you know, higher than one would earn in North Korea for an IT quote unquote job. So if you're a developer, it's a great way to earn some money and crypto is flooded with cash, if nothing else.

Eugenia Lostri: You hinted at this already, but I wanted to ask if you could expand a little bit on all these different ways in which a company can be made aware that they hired a North Korean IT worker, you know, I think you mentioned other researchers or the government reaches out or, you know, you reach out.

What are some of these stories like and why isn't it maybe more normal to figure that out internally?

Sam Kessler: Yeah. So, in many cases, I think these companies do figure out internally. So a lot of the times what you'll hear and Truflation, the anecdote that I mentioned a while ago, what they did was they reached out to one of their investors, a company that invests into Truflation. And that company had actually, you know, and I don't name them because they don't want to be named because they do a lot of research on this that they want to keep quiet.

But long story short, this company, you know, has just generated a ton of, I guess, institutional knowledge insofar as the North Korean IT worker threat is concerned, where they were able to use their own years of learnings from themselves and companies they've invested in to connect certain dots and show, hey, these behaviors, these specific addresses, whatever, are red flags.

You know, a lot of these companies, you know, build up that muscle themselves. And that's something that you notice too is now Truflation, they send me inbound applications, for example, that they can just tell are North Korean because of the way that they sound, the way that they're, you know, constructed. So that that's one thing. But, you know, so they'll realize that way.

But a lot of fresh companies that, you know, are having their first run-in with a North Korean IT worker learn, for example, from law enforcement. So the FBI, we showed some emails from the FBI in my article, where they literally reached out to one of my sources and said, hey, we noticed, like I said before, money flowing to, you know, such and such an address that they said over the phone to this source was North Korea-linked according to, you know, this FBI agent, and that's one way you learn.

But another way that you learn this stuff is through researchers. Through, like, I guess sleuths is the best word, you know, to describe many of these people, which is often themselves, in many cases, anonymous people, like ZachXBT, who listeners of Lawfare might know who he is, or if you don't, he's got a really entertaining and interesting Twitter account. He'll often post the results of his crypto investigations. And in the case of North Korean IT workers, he was the first one to amass a really lengthy list of, you know, GitHub, which is developer profiles, blockchain addresses, and so on, that he had associated with North Korea.

And that was actually really helpful for me, where after he had already reached out to these companies individually, I spoke to some of those companies based on the research that he'd done and connecting those dots myself. So, there's a lot of people like him who kind of do this work and collaborate with one another behind the scenes.

Eugenia Lostri: Now, have you seen any changes in the companies' behavior after, you know, after you talk to them or as this becomes maybe a little bit more newsworthy? So you're seeing more headlines, you're becoming a little bit more aware that this is an actual problem that you could be facing. Has the risk assessment in the industry changed at all?

You mentioned that some things are maybe not flying anymore, but I wonder if that's just a couple of the companies that maybe are better positioned to make changes or if that's an industry change, more broadly.

Sam Kessler: Yeah, I think the industry is as far as I can tell becoming more aware of this issue. The best evidence that I can point to, funnily enough, is memes. You oftentimes on quote unquote crypto Twitter, crypto X, whatever it's, you know, people are calling it now, you know, you'll see a hack that happens and you know, you'll see memes in there about how they probably hired a North Korean IT worker. Now that sounds silly, but meme culture is a big part of crypto culture, and I think that does point to some broader awareness of this being a bigger threat.

But, you know, I think we've seen a lot more writing about it. We've also, it's only been the past couple of years that we've seen the FBI issuing, the FBI, and U.S. Treasury Department, and DOJ issuing specific advisories targeted at the crypto industry and the threat of DPRK IT workers. You know, that obviously is going to spread some, you know, level of awareness and I think it's, you know, reporting like mine and other stories that I've seen come out before and since point to the fact that this has been going on for a while, but I do think that there is this broader awareness happening.

Eugenia Lostri: You've mentioned this before, but I want to dig into it a little bit more, and it's the connection between the North Korean hacking arm and the infiltrated IT workers. Tell us a little bit more about that connection, how it works, and why it's, you know, maybe a different type of threat.

Sam Kessler: Yeah, so this is something I also want to learn more about and I'm trying to do my own additional reporting on. But North Korea is most, in the crypto world, it's best known for its hacking operations. Groups like Lazarus, which is, you know, linked to that group that hacked Sony Pictures all those years ago when they were releasing The Interview, that movie, and released all of those internal, you know, Hollywood emails. North Korea is well known to be a, you know, huge perpetrator of cybercrime and that is, you know, crypto has become part and parcel to that entire operation over the past several years now.

So, the IT workers, many times it seems, most times according to you know, U.S. advisories, are trying to just earn revenues, earn wages that they funnel back to the government and kind of keep a low profile. But, researchers that I spoke to, examples that I unveiled, companies that I talked with, indicate that it is not just for earning wages, they are also hacking these companies.

So why is that? And this is one of the most interesting things that you might be getting at with your question that I learned over the course of my reporting, which is that, even though, you know, North Korea is known for being this huge, really sophisticated hacking operation. It is not as fancy or sophisticated behind the scenes as it sounds when North Korea attacks a, for example, crypto company.

Most of the time, it's not like they're, you know, hacking into the mainframe or doing something like you would see on a TV show. Mr. Robot is the example that I've been thinking of a lot recently, which is a great show. It doesn't look like that. It's not like they're hacking web servers. What they're actually doing is even more cynical in a certain sense, which is a lot of, I guess social engineering is the word that is used often to describe these sorts of things.

Where almost like in the pig-butchering example I was giving before, they will earn the trust of a victim in some way and then exploit them accordingly. So one way in crypto that this bears fruit is just that a lot of crypto companies are controlled by individuals holding, they're called private keys, secret keys, they're like passwords, essentially that give one access not only to crypto bank accounts essentially, but also the ability to upgrade software.

If you earn the trust of an individual, say by getting a job at this company, you are in a very good position to get into their literal systems and not hack those systems, but just put a back door in, change out an address, which is what happened in the Sushi case, you know. Or send an email laced with malware, send that to your CEO and have them think that they're interacting with a normal email, download a PDF, and then get access to their machine. That's what you see time and time again happening here, but it's not this sophisticated, crazy, you know, black-hat hacking sort of a thing that you usually think of.

Eugenia Lostri: I just, I'm compelled to do a plug here for the incredible podcast Lazarus Heist. Anyone who hasn't listened to that and wants to learn more about North Korean cybercrime, go listen to that one. It's incredible.

Sam Kessler: Absolutely. Give my endorsement. The whole thing's fascinating.

Eugenia Lostri: It is incredible. Now, there's been recently other investigations into the North Korean scheme that reveal kind of other trends like demanding a ransom from the employer after gaining access, kind of similar to what you described, or what I believe is called the contagious interview campaign where the North Koreans are posing as recruiters as a way to spread malware.

As far as you are aware of these trends, did you see those adaptations in your own investigation? Is that something that is also happening in the crypto space or are we just staying in this, maybe less sophisticated, social engineering space?

Sam Kessler: Yeah, I mean, I actually think that a lot of this stuff that we're talking about still falls under that social engineering category. So, it's not always clear if attacks have, are tied back to North Korea or, for example, Russia, which is also behind, not the Russian government necessarily, by any means, like it is in the North Korea case. It's kind of the government and, you know, these operations we're talking about are one and the same. But you also have, like, independent hacking groups.

But anyway, all that aside, I do see examples of this absolutely happening in the crypto space. For example, as a reporter in this space I'm not, you know, famous at all. Yet, for whatever reason, for somebody of my, you know, stature, I have a lot of impersonators, which is, you know, pretty weird. I don't think journalists in other spaces have the number of impersonators that somebody with my number of followers gets just for being a crypto reporter.

What often happens is you will have people pretending to be me, a reporter at CoinDesk, reaching out to companies, saying they are me, asking for an interview, and then sending a link that is laced with malware, like that example I gave before. You see that all of the time, to the point where I actually have warnings on my Twitter account to, like, make sure it's actually me that you're speaking to. It's not always clear if that's North Korea doing this stuff. But that's part of it.

Eugenia Lostri: I'm glad we got you.

Sam Kessler: Yeah, well, yeah, it is me, I promise.

But, yeah, like, you just have to be incredibly careful, and the other, you know, side of this that you mentioned before is these recruiters. So, a dream job in heist, or dream job attacks are, you know, how I've heard them referred to sometimes, where you'll literally reach out to an executive with an offer of a dream job and say, hey, we'd love to speak to you.

Another example of this too, is you know, you'll pretend to be an investor and be like, hey, we'd love to get some time on your calendar. Maybe we'll give you a million bucks insinuated in the offer. What they'll do is they'll literally just send you a link. That is all that it takes, and if you click on that link, either it'll download malware or it will encourage you to initiate a transaction.

And in crypto, people are just not as sanitary as they should be about how they deal with their personal devices, wallets, and so on, and that's where they get you. But that's still social engineering, because they're just tricking you into doing something. It's like phishing. Rather than, you know, uploading some crazy code, you know, and actually exploiting the back end of a piece of software.

Eugenia Lostri: As we start to conclude the conversation, I would like to leave us maybe on a more optimistic note. So, if there are any recommendations from the investigation that you can share for, you know, increasing this hygiene or that can help companies steer clear from the threat, what would you recommend?

Sam Kessler: I almost feel like, there's almost nothing else I'd recommend, other than everything else pales in importance to the one thing, which is just use a professional background checking service when you hire somebody. A lot of these fake IDs will not pass muster with a true professional background checking service. So I almost feel like that's the best place to leave things as far as my recommendations are concerned.

Eugenia Lostri: That's fair. So anything else that you'd like to add, maybe something that we didn't get to cover today, but you think would be important for our listeners?

Sam Kessler: Yeah, I mean, I think we covered a lot of ground and I appreciate you letting me, you know, go on my rambles here because I, you know, as a reporter, this is just something that's obviously super fascinating to kind of learn about.

But one thing that I don't know if I've, sort of harped on enough and I try to bring this up with the pig-butchering, which is, you know, we talked about these North Korean IT workers and I don't want to, you know, diminish, you know, these people as literally people and in many cases victims of the regime and of these systems that they're working within. I have tried reaching out to these people that I've, you know, I guess obliquely been writing about in my reporting, but haven't had the opportunity to speak with them, unsurprisingly.

But I think something to, you know, bear in mind, when interacting with these folks, is that it's not like all of this is always happening by choice. It's a lot more cyn— I guess you wanted to end on an optimistic note before, but it, to me it is a lot more cynical than that. And I hope that comes through in our conversation.

Eugenia Lostri: I appreciate that point. I think that's definitely important that the victims are not just the companies, even though that's what we're covering today. So, I appreciate you making that point for us to end on. Sam, thank you so much.

Sam Kessler: Thank you. Thanks for having me.

Eugenia Lostri: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and your audio engineer this episode was Jay Venables of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.

Eugenia Lostri is a Senior Editor at Lawfare. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.
Sam Kessler is the deputy managing editor for tech and protocols at CoinDesk.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.