Crypto Exchange Kraken Uncovers North Korean Espionage Plot

Crypto exchange Kraken’s latest security disclosure reads less like a corporate blog post than a field report from the front lines of modern cyber-warfare. Published on 1 May 2025 under the blunt title “How we identified a North Korean hacker who tried to get a job at Kraken,” the account describes in granular detail how a seemingly routine hiring process morphed into what the exchange openly calls “an intelligence gathering operation.” From the first contact, something felt wrong. Recruiters noticed that the applicant “joined under a different name from the one on their resume, and quickly changed it,” a detail the security team later described as the opening note in a symphony of red flags. Moments later, the interview took on an uncanny timbre: “the candidate occasionally switched between voices, indicating that they were being coached through the interview in real time.” Kraken Tricks North Korean Crypto Hacker Kraken’s staff did not rely on intuition alone. The post explains that industry partners had already circulated “a list of email addresses linked to the hacker group,” and one of those addresses matched the résumé in question. Armed with that match, Kraken’s Red Team launched an OSINT dive that exposed what it calls “a larger network of fake identities and aliases” spreading across the crypto employment market. According to the blog, multiple companies had unwittingly hired personas from the same lattice of fabricated résumés, and “one identity in this network was also a known foreign agent on the sanctions list.” Technical inconsistencies began piling up. The exchange recounts how the applicant relied on “remote colocated Mac desktops but interacted with other components through a VPN,” a configuration favoured by operators who need to launder location data. Investigators tied the résumé to a GitHub profile containing an email address that “had been exposed in a past data breach,” and finally concluded that the primary government ID “appeared to be altered, likely using details stolen in an identity theft case two years prior.” With the evidence mounting, Kraken opted for misdirection rather than immediate rejection. The company advanced the applicant through successive stages—in effect baiting the hook. “Instead of tipping off the applicant, our security and recruitment teams strategically advanced them through our rigorous recruitment process – not to hire, but to study their approach,” the blog states. The denouement came in what should have been an informal “chemistry interview” with Chief Security Officer Nick Percoco. The applicant did not realise that every pleasantry was laced with a test. Percoco and his colleagues asked for live two-factor confirmations: show your government ID on camera, report your physical location, name a few local restaurants. “At this point,” the post recounts, “the candidate unraveled. Flustered and caught off guard, they struggled with the basic verification tests, and couldn’t convincingly answer real-time questions about their city of residence or country of citizenship.” Percoco subsequently distilled the lesson from the disclosure: “Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or US corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks .” The blog underscores that the crypto sector’s attack surface is no longer confined to code repositories or hot-wallet infrastructure; it extends to the HR inbox. “Not all attackers break in, some try to walk through the front door,” Kraken writes, adding that “Generative AI is making deception easier, but isn’t foolproof... genuine candidates will usually pass real-time, unprompted verification tests.” In a concluding reflection on organisational culture, the post argues that “a culture of productive paranoia is key. Security isn’t just an IT responsibility. In the modern era, it’s an organizational mindset.” Kraken closes its narrative with a reminder that the candidate was part of the North Korean campaign which, by third-party estimates cited in the post, siphoned more than $650 million from crypto firms in 2024. The message is sober and unsentimental: “Sometimes, the biggest threats come disguised as opportunities.” At press time, BTC traded at $96,825. Featured image created with DALL.E, chart from TradingView.com