CoinDesk identified more than a dozen crypto companies that unknowingly hired IT workers from the Democratic People's Republic of Korea , including such well-established blockchain projects as Injective, ZeroLend, Fantom, Sushi, Yearn Finance and Cosmos Hub.
The crypto company Truflation was still in its early stages in 2023 when founder Stefan Rust unknowingly hired his first North Korean employee. Rust would soon learn that"Ryuhei" and four other employees – more than a third of his entire team – were North Korean. Unwittingly, Rust had fallen prey to a coordinated scheme by North Korea to secure remote overseas jobs for its people and funnel the earnings back to Pyongyang.
These interviews with founders, blockchain researchers and industry experts reveal that North Korean IT workers are far more prevalent in the crypto industry than previously thought. Virtually every hiring manager approached by CoinDesk for this story acknowledged that they had interviewed suspected North Korean developers, hired them unwittingly, or knew someone who had.
In many cases, North Korean workers conducted their work just like typical employees; so the employers mostly got what they paid for, in a sense. But CoinDesk found evidence of workers subsequently funneling their wages to blockchain addresses linked to the North Korean government. Previously, employers remained silent due to concerns about unwanted publicity or legal repercussions. Now, confronted with extensive payment records and other evidence unearthed by CoinDesk, many of them have decided to come forward and share their stories for the first time, exposing the overwhelming success and scale of North Korea’s efforts to penetrate the crypto industry.After hiring Ryuhei, the ostensibly Japanese employee, Rust's Truflation received a flood of new applicants.
Rust said he had conducted his own background checks on all of Truflation's new hires."They sent us their passports and ID cards, gave us GitHub repos, went through a test, and then, basically, we brought them on." Although startups are less likely to use professional background checkers,"we do see North Korean IT workers at bigger companies as well, either as real employees or at least as contractors," said Monahan.In many cases, CoinDesk discovered DPRK IT workers at companies using publicly available blockchain data.
Two years after the freelancers completed their work, Manian received an email from an FBI agent investigating token transfers that appeared to have come from Iqlusion en route to suspected North Korean crypto wallet addresses. The transfers in question turned out to be Iqlusion's payments to Kai and Sanit.
Iqlusion's wages to Kai accounted for less than $50,000 of the nearly $8 million he sent to Kim, and some of the remaining funds came from other crypto companies. It is illegal to pay North Korean workers in the U.S. whether you know you're doing it or not—a legal concept called"strict liability." U.S. authorities have been lenient about bringing charges against the firms – on some level acknowledging that they were victims of, at best, an unusually elaborate and sophisticated type of identity fraud, or, at worst, a long con of the most humiliating sort.
"He didn't last long," said Chen."He was writing crappy code that didn't work well." It wasn't until this past year, when a U.S."government agency" reached out to Injective, that Chen learned the employee was linked to North Korea. In another instance, Cluster, a decentralized finance startup, fired two developers in August after ZachXBT reached out with evidence that they were linked to the DPRK.
One company hired an employee who showed up for meetings in the morning but would seem to forget everything that was discussed later on in the day – a quirk that made more sense when the employer realized she'd been speaking to multiple people. Joseph Delong, Sushi's chief technology officer at the time, traced the MISO heist to two freelance developers who helped to build it: individuals using the names Anthony Keller and Sava Grujic. Delong said the developers – who he now suspects were a single person or organization – injected malicious code into the MISO platform, redirecting funds to a wallet they controlled.