According to a report from The Wall Street Journal on June 11, U.S. officials have revealed that North Korea has assembled a sizable shadow workforce comprising thousands of IT workers. This clandestine workforce is believed to be closely associated with North Korea’s cybercrime operations, specifically engaged in carrying out large-scale cryptocurrency hacks.
One notable incident involved the targeting of a Sky Mavis engineer last year. The shadow workers masqueraded as recruiters on LinkedIn and initiated a phone conversation with the engineer. As part of the recruitment process, they provided a document for review, which contained malicious code. This enabled North Korean hackers to breach Sky Mavis and siphon off more than $600 million through the Ronin bridge hack.
These shadow workers are scattered across various countries, including Russia and China, and they earn substantial salaries of up to $300,000 per year for performing mundane technology tasks. According to the report, they have previously posed as Canadian IT workers, government officials, and freelance Japanese blockchain developers. These workers assume the roles of potential recruiters or employees, conducting video interviews to maintain the facade.
To infiltrate cryptocurrency firms, North Korean hackers enlist the assistance of Western “front people” or actors. These individuals participate in interviews with crypto companies, which remain unaware of their connections to the hackers. Once hired, these front people introduce small modifications to the company’s products, rendering them vulnerable to exploitation by the hackers. This covert collaboration with shadow workers has facilitated the theft of over $3 billion by North Korean hackers over the past five years, as reported by Chainalysis.
The WSJ report highlights the increasing sophistication of North Korean hackers, impressing both U.S. officials and researchers. They have executed intricate maneuvers that were previously unseen. For instance, last year, North Korean hackers orchestrated a cascading supply-chain attack, described by some researchers as a groundbreaking occurrence. The hackers initially targeted Trading Technologies, a company that develops online trading software. Through a compromised version of the software downloaded by an employee of 3CX, a Trading Technologies customer, the hackers then infiltrated 3CX software. This allowed them to compromise the systems of 3CX customers, including cryptocurrency exchanges.
It is evident that North Korean cybercriminals have expanded their operations by building a network of shadow workers and adopting increasingly sophisticated hacking techniques. These developments pose significant challenges for cybersecurity efforts and necessitate enhanced vigilance from both governments and the private sector to counter these malicious activities.