Kraken Foils Attempted Inside Job by North Korean Threat Actor

Kraken blocked an attempted breach by a North Korean hacker posing as a job candidate for an engineering position.

The operative targeted a vacancy posted in May 2025, intending to gain insider access. Red flags surfaced during the first interview: he used a different name than the one on his application and frequently shifted his tone mid-sentence, as if coached in real time. 

Recruiters flagged the inconsistencies and escalated the case to the security team for closer inspection.

Cybersecurity specialists, aware of increased job-related infiltration attempts, took the following investigative steps:

• Analyzed the candidate’s email origin and metadata, cross-referencing it with threat intelligence on DPRK-linked hacker collectives.

• Employed OSINT platforms and data from prior leaks to reveal a fabricated network of digital résumés, falsely linking identities to major crypto and IT firms.

Then came the final crack in the mask: the applicant had routed every session through VPN-tunneled macOS remote desktops—a shadowy method favored by operatives seeking to vanish behind mirrored signals and masked endpoints.

Later, the truth surfaced. He was already tagged on international sanctions lists under “foreign agent,” and the papers he’d presented? Almost certainly taken from someone else—someone real, and unsuspecting.

Check this out: AI: North Korea’s Latest Tool in Cyber Warfare

The patterns were too polished, the anomalies too precise. Kraken’s security team, after dissecting the evidence, saw the shape behind the mask: a state-backed infiltration attempt, methodical and resourced.

Yet they didn’t slam the door shut. They let him walk a little further—into the final interview round. Not to recruit him, but to watch him work. To study the way shadows moved when they thought no one was looking.

At the final stage, with Kraken’s CSO Nick Percoco himself leading the call, the tone shifted. Alongside routine questions came sharp pivots: “Show your documents—right now, on camera. What cafés are around the corner? Which street are you on?”

The answers didn’t hold. And with that, the mask slipped.

Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks,

Percoco added.

For years, North Korean hackers have cast a long shadow over the crypto space—haunting it with wave after wave of precision theft.

In 2024, they walked away with over $650 million. And in the early months of 2025, the Lazarus Group struck again—this time targeting Bybit, draining $1.4 billion in what has become the industry’s most catastrophic breach on record.

A recent Silent Push report paints a chilling picture: in April, operatives linked to Lazarus began quietly incorporating shell entities in the U.S., using them as fronts to deliver malicious software during falsified job interviews.

These blended strategies—where malware meets manipulation—are proving more insidious than brute-force hacks, shifting the threat landscape deeper into psychological territory.

Read on: South Korea Sanctions North Korean Hackers Over Crypto Theft

Security professionals now urge companies to go beyond basic hiring protocols by integrating real-time vetting methods:

• Creative, unscripted questioning,
• Video-based identity checks,
• Unusual problem-solving tasks that reveal inconsistencies.

Equally crucial is cultivating a culture of thoughtful skepticism—one that applies to every level of the organization, from entry-level staff to senior executives.