The covert battle in the crypto industry escalates: 40% of job seekers are North Korean agents?

North Korean agents have infiltrated 15%-20% of crypto companies.

According to a SEAL member, 30%-40% of job applications in the crypto industry may come from North Korean agents.

The crypto industry has been criticized as having "the worst operational security (opsec) in the entire computer industry," according to Pablo Sabbatella.

The extent of North Korea's infiltration into the crypto industry far exceeds public perception.

Pablo Sabbatella, founder of Web3 auditing firm Opsek and current Security Alliance member, dropped a bombshell at the Devconnect conference in Buenos Aires: North Korean agents may have infiltrated up to 20% of crypto companies.

"The situation with North Korea is much worse than people imagine," Sabbatella said in an interview with DL News. Even more shockingly, he pointed out that 30%-40% of job applications in the crypto industry may come from North Korean agents, who are attempting to infiltrate relevant organizations through this method.

If these estimates are accurate, the potential for damage is incredible.

More importantly, North Korea's infiltration is not just about stealing funds through hacking, although they have already stolen billions of dollars through sophisticated malware and social engineering. The bigger issue is that these agents are hired by legitimate companies, gain system access, and manipulate the infrastructure supporting major crypto companies.

According to a report from the U.S. Treasury Department in November last year, North Korean hackers have stolen more than 3 billion dollars in cryptocurrency over the past three years. These funds were then used to support Pyongyang's nuclear weapons program.

How do North Korean agents infiltrate the crypto industry?

North Korean workers usually do not apply for positions directly, as international sanctions prevent them from participating in recruitment processes under their real identities.

Instead, they look for unsuspecting global remote workers to act as "proxies." Some of these proxies have even transitioned into recruiters, helping North Korean agents use stolen identities to hire more overseas collaborators.

According to a recent report from Security Alliance, these recruiters reach out to individuals around the world through freelance platforms such as Upwork and Freelancer, mainly targeting Ukraine, the Philippines, and other developing countries.

Their "deal" is quite simple: provide verified account credentials, or allow North Korean agents to remotely use your identity. In return, collaborators can receive 20% of the income, while North Korean agents keep 80%.

Sabbatella stated that many North Korean hackers target the United States.

"What they do is find Americans to act as their 'front end'," Sabbatella explained. "They pretend to be people from China, don't speak English, and need someone to help them attend interviews."

Then, they infect the "front end" person's computer with malware, thereby obtaining a U.S. IP address and gaining access to more internet resources than they could from North Korea.

Once hired, these hackers are usually not fired, as their performance satisfies the company.

"They are efficient, work long hours, and never complain," Sabbatella said in an interview with DL News.

Sabbatella provided a simple test: "Ask them if they think Kim Jong-un is a weirdo or has anything bad about him." He said, "They are not allowed to say anything bad."

Operational security vulnerabilities

However, North Korea's success is not solely due to sophisticated social engineering.

Crypto companies—and users—make all of this easier.

"The crypto industry probably has the worst operational security (opsec) in the entire computer industry," Sabbatella said. He criticized that founders in the crypto industry are "fully doxxed, perform poorly in protecting private keys, and are easily victimized by social engineering."

Operational Security (OPSEC) is a systematic process used to identify and protect critical information from adversary threats.

The lack of operational security leads to a high-risk environment. "Almost everyone's computer will be infected with malware at least once in their lifetime," Sabbatella said.

Update Note

Update: This article has been updated with Sabbatella's clarification, noting that North Korea does not control 30%-40% of crypto applications; the above percentage actually refers to the proportion of job applications in the crypto industry coming from North Korean agents.