jonwu.eth
Apr 29 • 24 tweets • 5 min read
No bullshit I think I just interviewed a North Korean hacker.

Terrifying, hilarious, and a reminder to be paranoid and triple-check your OpSec practices.

Here's how it went:

🇰🇵
It starts with us (@aztecnetwork -- we're hiring!) getting an inbound application on @Greenhouse for "Bobby Sierra - Solidity Engineer."

After internal review the system auto-assigns me an interview, and I go through the usual non-technical pre-interview process.
Resume scan:

Name: Bobby Sierra
Applying for: Solidity Engineer
Location: Ontario
Language: English & some Chinese

Experience: F2pool, with a few DAO and NFT side-projects on his resume.

Remember this. It's relevant later.
I then look at the cover letter, which starts off:

"I am a blockchain developer with 6 + years of rich experience."

Then a bunch of vaguery about how he goes above and beyond.

Okay sure, it's fluffy and generic but hey, not everyone's great at cover letters.
But then he signs off the cover letter with this:

"The world will see the great result from my hands."

...

THE WORLD WILL SEE THE GREAT RESULT FROM MY HANDS

🚩🚩🚩
Immediately I'm like, this motherfucker sounds like a Bond villain.

I'm picturing a dude whose arm is actually a laser cannon and his eyeball is made of plutonium or some shit.

"The world will see the great result from my hands" ???

Who fucking talks like that?
It's obviously disconcerting, but I figure I'll look at his Github.

12 commits in the last 12 months?

Not exactly "rich experience."

Plus (without actually looking at the repositories), the projects seem completely random?

- BoredBunnies
- PantherSwap
- MetaverseDAO
I somehow push all this aside.

Crypto's a weird, fun space full of weird, fun people! Look, maybe Bobby's just a quirky guy.

(Narrator: he was not)

I sign into the interview.
Hi, this is Jon from Aztec, is this Bobby?

"Yes. This is...Bobby Sierra."

From the gun, here's what I observe:
🚩 His camera's off
🚩 5+ people are talking loudly in the background
🚩 Thiccc Korean accent
I ask him why it's so loud.

"Oh I am in an office."

Yeah no shit, Bobby, but why are there 5 other loud ass dudes speaking a mix of Korean and English in the background?

Now you might be like Jon--wait--how do you know he's Korean?
Well first, let's tackle the accent.

Some of my best friends growing up were Korean.

Some of them were fobs.

I am deeply familiar with Korean accents.

But this is not a normal Korean-American or Korean-Canadian or Korean-anything accent.
"Bobby" speaks English, sure, but not normal English.

The type of English that suggests you learned it exclusively from rebroadcasts of NBC Nightly News:

Stiff, formal, and at the same time nearly incomprehensible.
So, Bobby, tell me about yourself.

"I uhh, experience blockchain development, production, develop tokens, many successful project, very success, lot experience in blockchain, excellent result.

Okay?"
Let's parse the above response:

1) The first part is fucking gibberish and would be completely disqualifying all by itself

2) "Okay?"
The "Okay?" is a DEAD FUCKING GIVEAWAY this guy is Korean.

How do I know?

Because every single one of my friends' moms would say that shit right before they gave me a piping hot bowl of galbitang.

"This is very delicious. Eat quickly before it gets cold.

Okay?"
I don't know why Korean people do that, I just know that it's a Very Fucking Korean Thing To Do.

Now the alarm bells are going off. I know about the recent hacks.

I decide to dig further.

Where are you based, Bobby?

"Based?"

Where-are-you-located?

"Ohh, Hong Kong." 🚩🚩🚩
Hong Kong? And where did you work last?

"Ohh, Ateke."

And what's that?

"German company. Or French. I don't know."

It says here you worked for F2pool. Can you tell me about F2pool?

"Uhmm, yeahh, can you wait?"

He then proceeds to mute me for a solid 5 minutes.

🚩🚩🚩🚩🚩
When Bobby comes back, it's with renewed purpose.

"Hi, are you there?"

Yes Bobby, I'm here.

"I am experience blockchain developer, I want job, new job, I'm very experience, bring value to your company. I want engineer job now.

Okay?"
For better or worse, this is where I hang up, a little shaken.

We know for a fact North Korean hackers like Lazarus Group are attacking major protocols and individuals.

- The $600m+ Ronin hack
- Arthur0x, Mgnr, and countless other high profile accounts

I have no idea what the attack vector was meant to be.

- Get us to download a compromised .docx resume?
- Get someone to share screen and navigate to Metamask?
- Gain access to our codebase and push a malicious change?

I leave it to the internet to surmise.
In reality, I have no idea if these even were North Korean hackers. Bobby could've been, well, just a really incompetent dude.

But every fiber of my being says that's not the case.

Other than being scared and entertained, I learned a lot from this bizarre interaction:
1) Our whole world is built on trust. If someone shows us their resume and Github, we believe it.

2) Smart contract risk is overrated. Anything can be an attack vector: hiring, events, travel, etc.

3) Do not download attachments. Isolate your wallet to its own machine. Etc.
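One concrete form of "do not download attachments" is to never open an inbound "resume" on a machine that matters, and to triage the file structurally before anyone opens it anywhere. The script below is an added example written for this page; it is not code from the thread, from Aztec, or from Greenhouse. It assumes the attachment is an OOXML (.docx) zip container and checks for the usual document-delivery tricks: an embedded VBA macro project, an external relationship (a remote template or OLE link that makes Word fetch something from a server when the file opens), and executable-type parts or path-traversal entry names hidden in the archive. The sample documents it runs on are constructed inline; the URL in them is a placeholder.

```python
"""Structural triage of an inbound .docx "resume" before anyone opens it.

Added example for this page, not code from the original thread or from
Aztec. Assumes the attachment is an OOXML zip container. It runs fully
offline on constructed sample documents. A clean result only means the
cheap checks passed; it is not a verdict that the file is safe.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Non-office payloads that have no business inside a resume.
SUSPICIOUS_EXT = (".exe", ".dll", ".js", ".vbs", ".hta", ".ps1", ".scr")


def triage_docx(data: bytes) -> list[str]:
    """Return human-readable findings for a .docx supplied as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML zip container"]

    for name in zf.namelist():
        lower = name.lower()
        # A VBA project means macro-enabled content, whatever the extension says.
        if lower.endswith("vbaproject.bin"):
            findings.append(f"macro project present: {name}")
        if lower.endswith(SUSPICIOUS_EXT):
            findings.append(f"executable-type part inside archive: {name}")
        # Office writers never emit absolute or traversal entry names.
        if name.startswith("/") or ".." in name.split("/"):
            findings.append(f"path traversal entry name: {name}")
        # Relationship parts are where remote templates / external links live.
        if lower.endswith(".rels"):
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append(f"unparseable relationship part: {name}")
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append(
                        f"external relationship in {name}: "
                        f"{rel_type} -> {rel.get('Target')}"
                    )
    return findings


def build_sample(remote_template: bool, with_macro: bool) -> bytes:
    """Construct a minimal docx-like archive (constructed sample data).

    The remote-template variant mirrors the well-known technique of
    pointing settings.xml.rels at an attacker-hosted .dotm; the URL used
    here is a placeholder, not a real indicator.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = f'<Relationships xmlns="{REL_NS}">'
        if remote_template:
            rels += (
                '<Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/'
                '2006/relationships/attachedTemplate" '
                'Target="http://example.invalid/resume.dotm" '
                'TargetMode="External"/>'
            )
        rels += "</Relationships>"
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [
        ("clean", build_sample(False, False)),
        ("remote-template", build_sample(True, False)),
        ("macro", build_sample(False, True)),
    ]:
        print(label, triage_docx(sample) or ["no findings"])
```

Run it on a throwaway machine or container, never on the box that holds a wallet or signing keys; the point of the check is to decide whether the file gets opened at all, not to make opening it safe.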
Postscript:

"Bobby" updated his Github. It points to a completely new account now with more commits.

I'm sure these guys are learning, adapting, getting smarter.

Thankfully, they can't fix how fucking out of touch and incompetent they are.

We just need to stay savvy.

fin
Also: if you're a real person working on real problems, @aztecnetwork is hiring:

- Cryptography
- Full stack eng
- BD, community, ops

Requirements:
- World class at what you do
- Passionate about privacy
- Not a state-sponsored cyberterrorist

grnh.se/935e32f2teu

✌️
