North Korean Hackers Flood the Crypto Job Market With Plagiarized Resumes

Due to a longstanding embargo on the North Korean regime, local authorities have made headlines countless times for unusual – and often illegal – ways to gather funds.

From hacking regular banks to farming in-game currencies via botting, the methods range from essentially harmless to downright threats to national security.

Crypto Markets Targeted In Full Force

In recent years, the North Korean regime has set its sights on the crypto market, with multiple attacks on crypto exchanges by the Lazarus Group and others. However, a recent report from Bloomberg and security researchers at Mandiant indicates that North Korean government-sponsored hackers are now putting more focus on another method of fundraising via the crypto market.

Instead of hacking vulnerable crypto exchanges and other projects such as Harmony, the Lazarus Group is now having members pose as IT professionals on LinkedIn and Indeed, appropriating the resumes of legitimate users.

According to Joe Dobson – one of the analysts at Mendiant – these are then edited and sent to companies hiring blockchain developers in hopes of getting insider information and creating backdoors that would allow the platforms in question to be exploited at a later date.

“It comes down to insider threats. If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.”

Plagiarized Resumes

Although the resumes are mostly plagiarized, some also include blatantly false info – such as whitepapers for exchanges that seem to have never existed, intentionally vague job descriptions, etc. Mandiant has identified several companies that hired allegedly fake jobseekers from the Lazarus Group but has refrained from publishing the information.

On Twitter, however, stories from interviewers allegedly targeted by Lazarus’s latest project have been popping up.

No bullshit I think I just interviewed a North Korean hacker.

Terrifying, hilarious, and a reminder to be paranoid and triple-check your OpSec practices.

Here’s how it went:

🇰🇵

— jonwu.(🗽, 🍎) (@jonwu_) April 29, 2022

The report indicates that most of the appropriated resumes are citing the skills of Chinese and Russian individuals, with a smaller number of CVs being copied from devs in Africa and Southeast Asia. These resumes are then used to create multiple fake jobseeker profiles, many using nearly identical language to describe their skillset.

A smaller group also claimed to be South Korean, Japanese, or US-based remote workers. In any case, almost all resumes identified applied for positions in the US and Europe.

The report advises recruiters to remain vigilant when screening applicants, noting the substantial amount of damage to one’s company that can be caused by even one small commit to its internal software systems.