Highlights:
- Kraken identified a North Korean hacker during a job interview process.
- Multiple fake identities and VPN setups were among the methods used by the hacker.
- Real-time tests exposed the hacker’s location and ID inconsistencies.
Kraken recently revealed that a North Korean hacker tried to slip into the company by applying for a tech job. The investigation started during an ordinary recruitment process. Early warning signs appeared when the applicant signed under a different name than the one on his resume. In the interview, the individual’s voice changed, suggesting he was possibly being coached live.
Industry partners had already tipped off Kraken that North Korean actors were targeting crypto firms. Along with these alerts, they provided a list of suspicious email addresses. The applicant’s contact information matched one of the flagged email addresses, confirming the need for further investigation.
Kraken CSO @c7five recently spoke to @CBSNews about how a North Korean operative unsuccessfully attempted to get a job at Kraken.
Don’t trust. Verify 👇 pic.twitter.com/1vVo3perH2
— Kraken Exchange (@krakenfx) May 1, 2025
Uncovering the Network of Fake Identities
The company’s Red Team then began gathering open source intelligence (OSINT) to establish who this applicant was. Analyzing breach data, the team found that the email was connected to a larger network of fake personas. These identities had been able to secure jobs with other firms, which raised the stakes.
The resume was linked to a GitHub profile associated with a compromised email address. The identification document provided looked manipulated and appeared to use stolen personal data. One identity in the hacker’s network turned out to be on an international sanctions list. Kraken also highlighted technical inconsistencies in the applicant’s setup. They accessed systems from colocated Mac desktops through a VPN to mask their location.
These anomalies prompted further scrutiny. The technical and behavioral red flags lined up with the tools, tactics and techniques used by state-backed hacker groups.
Turning the Interview into a Sting Operation
Rather than disqualifying the candidate, Kraken advanced him through multiple hiring rounds. This strategy allowed the company to learn about the hacker’s tactics. Infosec tests and identity verifications were part of the team’s process.
The last stage was a staged interview with Kraken’s security leadership, in which the team introduced real-time challenges to confirm identity and location. The applicant was asked to verify their location, show valid ID and name restaurants in their claimed city. The hacker failed these tests, struggling to give consistent answers.
This breakdown proved that the applicant was part of a state-sponsored infiltration attempt. The recruitment process had turned into an effective counterintelligence operation.
Strengthening Defenses in the Crypto Sector
Kraken’s response addresses an emerging risk in the world of crypto. North Korean hackers have brought in hundreds of millions through fraud and digital heists. Now their tactics include applying for jobs to obtain internal access. Companies must adjust their hiring methodology to counter this rising danger.
Through real-time traps and OSINT techniques, Kraken was able to gain an advantage. This prevented a breach and gave the company valuable insight into hacker playbooks. The incident will help other firms secure their operations against such threats.
The case shows that attacks do not always come through software vulnerabilities. Rather, some hackers today seek to “walk in the front door.” By treating recruitment as a potential attack vector, Kraken avoided a significant risk.