Operational Resilience
Undercover North Korean IT workers may be driving crypto thefts
August 11, 2025

Blockchain analysts have warned that North Korean information technology (IT) workers unwittingly employed by crypto asset service providers (CASPs) globally may be behind this year’s surge in crypto thefts.
North Korean cyber crime teams have long deployed specialist units to target CASPs covertly. Luke Wilson, global head of public sector at Allium in New York, noted: “The IT workers aim to work in specific areas of interest. It’s not happenstance.”
North Korean agents research organisations thoroughly to understand them, and pinpoint the jobs they want to apply for. “They’re so bold now, they will get on the video calls to have an interview,” Wilson added.
North Korea’s $1.5 billion hack of Bybit in February puts 2025 on course to be a devastating year in terms of theft from individuals and exchanges. A mid-year update shows $2.17 billion has been stolen so far — more than the total for 2024. If the pace of thefts from CASPs continues, the amount of stolen funds could reach $4 billion by year-end.
Expertise
The Bybit hack demonstrated North Korea’s crypto expertise and deep knowledge of CASPs’ inner workings, some of which will have been gained from compromised staff as well as North Koreans working inside CASPs undetected.
North Korean IT workers are sent overseas to take jobs, but many are recruited remotely. Most CASPs hire remote workers, including those from countries such as Cambodia that are deemed higher risk. The country is a centre for scam compounds and informal over-the-counter (OTC) exchanges, and a location where North Korean workers have been active in the past.
Stablecoin provider Tether is one company that is expanding its presence in Cambodia.
Targeting third-party providers
CASPs should also be concerned about their third-party service providers, Allium’s Wilson said.
“If [a CASP’s] infrastructure is on the cloud, the thing [for North Korea] is to go to that industry and try to flood the industry with its people. Go to this point in the supply chain, because if they hack in there, they have all the crypto industry, or most of the crypto industry. And of course, they’re going to look for the weakest link.”
Once North Korean hackers are inside a CASP, they learn how the company works, which is probably what happened with Bybit, Wilson added.
“[The hackers have] been in their systems, watching what’s happening, how emails are being sent. They’re figuring out the hierarchy of the company too. They can spoof an email, but make it look like it comes from a specific boss. Then someone clicks on it, and boom, they’re in.”
Sanctions and warnings
According to Patrick Tan, general counsel at ChainArgos in Singapore, CASPs generally need to improve their security game and increase their understanding of risks, including those from North Korean IT workers. “A lot of the people who work in these organisations, especially on the sales side, are not aware of risks and can be negligent in basic security measures,” he added.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently sanctioned a company and three individuals it says were promoting fraudulent IT worker schemes, either to commit cyber crime or earn money to fund North Korea’s weapons of mass destruction programme. It also previously sanctioned North Korea’s state-sponsored cyber groups.
The increased cyber threat from North Korea comes despite warnings from the US Federal Bureau of Investigation (FBI) and the UK Office of Financial Sanctions Implementation (OFSI) about IT worker agents. The FBI also made recommendations for strengthening remote hiring processes.