How Fireblocks uncovered a North Korea-linked job recruitment scam

Digital asset infrastructure company Fireblocks says it has disrupted a North Korea-linked recruitment impersonation scam targeting digital assets.
Fireblocks said hackers used fake job interviews to compromise developers and gain access to crypto infrastructure.
According to the firm, the hackers closely mimicked Fireblocks’ legitimate recruiting process: they impersonated recruiters, held Google Meet interviews and shared take-home assignments via GitHub.
“Basically what they do is weaponize a legitimate interview to create a very legal and authentic interaction with candidates,” Michael Shaulov, Fireblocks’ CEO, told CNBC.
When candidates performed what appeared to be a routine installation step, malware was installed that could expose wallets, keys and production systems.
Shaulov said the group targeted engineers based on their LinkedIn profiles and looked for people with “privileged access.”
He said the firm has identified nearly a dozen fake profiles that constantly change company brands, and they believe the scam has been active for the past few years.
“We were able to basically interact with the hackers and collect what we basically call ‘signatures of compromise,’ but essentially like fingerprints of the tools, weapons, and malware that they used in this campaign,” Shaulov said.
He added that Fireblocks was working with LinkedIn and law enforcement to remove the profiles.
“More than 99% of the fake accounts we remove are proactively detected before anyone reports them,” a LinkedIn spokesperson said in a statement.
The social media platform, which is aimed at professionals, said it continually invests in technology to detect “harmful behaviour” and has safeguards in place, such as in-message alerts when chats leave LinkedIn and verification badges for recruiters.
Last year, Bybit suffered the largest crypto heist in history, when hackers stole $1.5 billion in digital assets from the cryptocurrency exchange.
Analysts at blockchain analysis firm Elliptic attributed the attack to North Korea’s Lazarus Group, a state-sponsored hacking collective notorious for siphoning billions of dollars from the crypto industry.
Lazarus Group’s history of targeting crypto platforms dates back to 2017, when the group infiltrated four South Korean exchanges and stole $200 million worth of Bitcoin.
Shaulov, who helped investigate Lazarus Group’s attacks on crypto platforms in 2017, said hackers, especially those linked to North Korea, were evolving at “lightning speed.”
He said that in 2017 and 2018 it was “actually pretty easy” to identify them because of grammatical and spelling errors. “But now it looks like they’ve graduated [The University of] Oxford.”
“It is clear that attackers have become much more sophisticated and much more difficult to detect due to artificial intelligence,” Shaulov said.