No bullshit I think I just interviewed a North Korean hacker.
Terrifying, hilarious, and a reminder to be paranoid and triple-check your OpSec practices.
Here's how it went:
🇰🇵
It starts with us (@aztecnetwork -- we're hiring!) getting an inbound application on @Greenhouse for "Bobby Sierra - Solidity Engineer."
After internal review the system auto-assigns me an interview, and I go through the usual non-technical pre-interview process.
Resume scan:
Name: Bobby Sierra
Applying for: Solidity Engineer
Location: Ontario
Language: English & some Chinese
Experience: F2pool, with a few DAO and NFT side-projects on his resume.
Remember this. It's relevant later.
I then look at the cover letter, which starts off:
"I am a blockchain developer with 6 + years of rich experience."
Then a bunch of vaguery about how he goes above and beyond.
Okay sure, it's fluffy and generic but hey, not everyone's great at cover letters.
But then he signs off the cover letter with this:
"The world will see the great result from my hands."
...
THE WORLD WILL SEE THE GREAT RESULT FROM MY HANDS
🚩🚩🚩
Immediately I'm like, this motherfucker sounds like a Bond villain.
I'm picturing a dude whose arm is actually a laser cannon and his eyeball is made of plutonium or some shit.
"The world will see the great result from my hands" ???
Who fucking talks like that?
It's obviously disconcerting, but I figure I'll look at his Github.
12 commits in the last 12 months?
Not exactly "rich experience."
Plus (without actually looking at the repositories), the projects seem completely random?
- BoredBunnies
- PantherSwap
- MetaverseDAO
I somehow push all this aside.
Crypto's a weird, fun space full of weird, fun people! Look, maybe Bobby's just a quirky guy.
(Narrator: he was not)
I sign into the interview.
Hi, this is Jon from Aztec, is this Bobby?
"Yes. This is...Bobby Sierra."
From the gun, here's what I observe:
🚩 His camera's off
🚩 5+ people are talking loudly in the background
🚩 Thiccc Korean accent
I ask him why it's so loud.
"Oh I am in an office."
Yeah no shit, Bobby, but why are there 5 other loud ass dudes speaking a mix of Korean and English in the background?
Now you might be like Jon--wait--how do you know he's Korean?
Well first, let's tackle the accent.
Some of my best friends growing up were Korean.
Some of them were fobs.
I am deeply familiar with Korean accents.
But this is not a normal Korean-American or Korean-Canadian or Korean-anything accent.
"Bobby" speaks English, sure, but not normal English.
The type of English that suggests you learned it exclusively from rebroadcasts of NBC Nightly News:
Stiff, formal, and at the same time nearly incomprehensible.
So, Bobby, tell me about yourself.
"I uhh, experience blockchain development, production, develop tokens, many successful project, very success, lot experience in blockchain, excellent result.
Okay?"
Let's parse the above response:
1) The first part is fucking gibberish and would be completely disqualifying all by itself
2) "Okay?"
The "Okay?" is a DEAD FUCKING GIVEAWAY this guy is Korean.
How do I know?
Because every single one of my friends' moms would say that shit right before they gave me a piping hot bowl of galbitang.
"This is very delicious. Eat quickly before it gets cold.
Okay?"
I don't know why Korean people do that, I just know that it's a Very Fucking Korean Thing To Do.
Now the alarm bells are going off. I know about the recent hacks.
I decide to dig further.
Where are you based, Bobby?
"Based?"
Where-are-you-located?
"Ohh, Hong Kong." 🚩🚩🚩
Hong Kong? And where did you work last?
"Ohh, Ateke."
And what's that?
"German company. Or French. I don't know."
It says here you worked for F2pool. Can you tell me about F2pool?
"Uhmm, yeahh, can you wait?"
He then proceeds to mute me for a solid 5 minutes.
🚩🚩🚩🚩🚩
When Bobby comes back, it's with renewed purpose.
"Hi, are you there?"
Yes Bobby, I'm here.
"I am experience blockchain developer, I want job, new job, I'm very experience, bring value to your company. I want engineer job now.
Okay?"
For better or worse, this is where I hang up, a little shaken.
We know for a fact North Korean hackers like Lazarus Group are attacking major protocols and individuals.
- The $600m+ Ronin hack
- Arthur0x, Mgnr, and countless other high profile accounts
I have no idea what the attack vector was meant to be.
- Get us to download a compromised .docx resume?
- Get someone to share screen and navigate to Metamask?
- Gain access to our codebase and push a malicious change?
I leave it to the internet to surmise.
In reality, I have no idea if these even were North Korean hackers. Bobby could've been, well, just a really incompetent dude.
But every fiber of my being says that's not the case.
Other than being scared and entertained, I learned a lot from this bizarre interaction:
1) Our whole world is built on trust. If someone shows us their resume and Github, we believe it.
2) Smart contract risk is overrated. Anything can be an attack vector: hiring, events, travel, etc.
3) Do not download attachments. Isolate your wallet to its own machine. Etc.
Postscript:
"Bobby" updated his Github. It points to a completely new account now with more commits.
I'm sure these guys are learning, adapting, getting smarter.
Thankfully, they can't fix how fucking out of touch and incompetent they are.
We just need to stay savvy.
fin
Also: if you're a real person working on real problems, @aztecnetwork is hiring:
- Cryptography
- Full stack eng
- BD, community, ops
Requirements:
- World class at what you do
- Passionate about privacy
- Not a state-sponsored cyberterrorist