Sam Kessler
Oct 2 · 10 tweets · 5 min read
SCOOP: My latest investigation exposes how DPRK IT workers have embedded themselves deep into the fabric of the crypto industry.

More than a dozen projects confirmed that they inadvertently hired workers from the DPRK – exposing themselves to massive security and legal risks.

🧵

coindesk.com/tech/2024/10/0…
North Korean IT workers with fake identities got jobs at @cosmos, @SushiSwap, @yearnfi, @FantomFDN, @zerolendxyz and several other big-name blockchain protocols.

This investigation marks the first time any of these projects have publicly disclosed that they unknowingly hired the workers.

2/
First, some background:

According to U.S. and UN authorities, North Korean IT workers funnel their earnings to Pyongyang and help fund North Korea's WMD program.

The UN has proposed heavy sanctions on North Korean IT workers, and hiring them – even by accident – is illegal in the U.S. and many other countries.

Even if you're "decentralized," the sanctions can still apply if you wish to do business in most major economies.

3/
home.treasury.gov/news/press-rel…
However, at least in the U.S., no companies have been prosecuted for the hiring of DPRK workers. The bigger risk might be on the security front.

@chainalysis told me that out of all the DPRK heists they've tracked in 2024, "approximately half" involved DPRK IT workers.

Over the course of my reporting, I uncovered some hacks that appear linked to DPRK IT workers (e.g. at @SushiSwap)

4/
Now, for a few key anecdotes from the piece.

There's a ton I'm leaving out, so please read the full article if you are curious to learn more. 👇

5/

coindesk.com/tech/2024/10/0…
The crypto company @truflation hired 5 employees who said they were based in Tokyo, Montreal, Vancouver, Houston and Singapore.

They presented real-looking IDs, had genuine references, and had active GitHub profiles.

Stefan Rust, the founder of Truflation, noticed one day that his Japanese employee had suddenly dropped his accent.

Rust eventually learned that all five of his new hires were North Korean.

Last week, as I was wrapping up my reporting for this story, Truflation was hacked for $7 million.

6/
MISO, a project from @SushiSwap, lost $3 million in a 2021 heist.

Two of the project developers, "Sava Grujic" and "Anthony Keller," were blamed for the exploit.

They claimed they were from the U.S. and Serbia, respectively.

They had impressive-seeming backgrounds. Keller even had a stint working on @coordinape, an app built by @yearnfi.

CoinDesk discovered blockchain data linking both developers (and another Sushi employee from the same period) to North Korea.

7/
In 2021, .@zmanian, the CEO of Iqlusion, hired two developers to help develop the @cosmoshub blockchain: "Jun Kai" and "Sarawut Sanit."

"I talked to them almost every day for a year," said Manian. "They did the work. And I was, frankly, pretty pleased."

Eventually, Manian got a call from the FBI about suspicious transfers stemming from Iqlusion's blockchain wallets.

It turned out that Kai and Sanit had been funneling all of their wages from Iqlusion to the DPRK. CoinDesk traced the funds to two DPRK nationals sanctioned by OFAC in 2023.

8/
Over the years, Manian learned to recognize certain telltale signs that developers are North Korean. DPRK developers are vastly more prevalent than people realize.

"The percentage of your incoming resumes, or people asking for jobs, or wanting to contribute – any of that stuff – that are probably from North Korea is greater than 50% across the entire crypto industry," he told me.

His assessment was echoed by others I spoke to over the course of my reporting.

9/
This reporting project would not have been possible without the help of my incredible editors @Liqquidity and @MarcHochstein.

Thanks also to @chainalysis and @tayvano_ for the expert insights.

And lastly, massive thanks to @zachxbt for setting this train in motion. ZachXBT was the first person to expose several of the DPRK IT workers I traced for this story, and I'm not sure people would've been willing to speak to me on record if his original investigation hadn’t already brought light to this issue.

(PS: @ArkhamIntel please sponsor me. I am now your #1 power user.)

10/

