North Korea’s infiltration of crypto is far worse than anyone realises.

Pablo Sabbatella, founder of web3 audit firm opsek and current Security Alliance member, dropped a bombshell at Devconnect in Buenos Aires: North Korean infiltrators are embedded in up to 20% of all crypto companies.

“North Korea is much worse than everybody thinks,” Sabbatella said in an interview with DL News. Even more alarming is that Sabatella reckons North Korean operatives may operate “30% to 40%” of all crypto applications.

If those estimates are correct, the scope of potential damage is staggering.

Moreover, the scale of North Korean penetration isn’t just about hackers stealing funds, even though they’ve gotten away with billions. Instead, it’s about workers getting hired at legitimate companies, gaining access to systems, and operating infrastructure that underpins major crypto companies.

Hackers from North Korea have stolen more than $3 billion worth of cryptocurrency over the past three years through sophisticated malware and social engineering, said the US Treasury department in November.

The funds were then put to use for Pyongyang’s nuclear weapons programmes.

How they get hired

For the most part, North Korean workers don’t apply for jobs directly, because international sanctions make that impossible.

Instead, they find unsuspecting remote workers from around the world to act as fronts. Some of them now act as recruiters who bring in collaborators from outside North Korea to work under stolen identities.

According to a recent Security Alliance report, these recruiters use freelance platforms like Upwork and Freelancer to reach individuals around the world — particularly in Ukraine, the Philippines, and other developing countries.

The pitch is simple. Hand over your verified account credentials or let the North Korean actor use your identity remotely. In exchange, the collaborator gets 20% of earnings. The North Korean operative keeps 80%.

A lot of North Korean hackers target the US, Sabbatella said.

“What they do to get hired is find someone in the US to become their ‘front-end,’” Sabbatella explained. “So they pretend to be someone from China that doesn’t know how to speak English but they need to get an interview.”

They then infect the front person’s computer with malware, giving them access to a US IP ($2.29) address and much more of the internet than they could reach from North Korea.

Once hired, companies keep them around because they deliver.

“They work well, they work a lot, and they never complain,” Sabbatella told DL News.

So how does a company know if they’re employing a North Korean hacker?

“Ask them if they think Kim Jong Un is a creep or something bad,” Sabbatella said. “They aren’t allowed to say anything bad.”

Operational security

North Korea’s successful criminal endeavours aren’t just clever social engineering, however.

It’s that crypto companies — and users — make it easy for them.

“The crypto industry probably has the worst opsec in the entire computer industry,” Sabbatella said. Crypto founders are “fully doxxed, do a terrible job at holding their private keys securely, and easily fall victim to social engineering.”

Operational Security, or OPSEC, is a systematic process for identifying and protecting critical information from adversaries.

The lack of operational security creates an environment where “every single person’s computer is going to get infected with malware at some point in their lives,” said Sabbatella.

Pedro Solimano is DL News’ Buenos Aires-based markets correspondent. Got a tip? Email him at psolimano@dlnews.com.