Security expert says North Korean presence in crypto is far worse than expected

North Korean agents are gaining access to the digital-asset industry at a scale that industry investigators say has largely gone unnoticed, creating significant risks for hiring networks, internal systems, and the security posture of crypto companies.

Recent remarks from Security Alliance (SEAL) member Pablo Sabbatella outline a pattern of hidden recruitment practices, malware-driven access routes, and breached operational security, revealing that the industry is facing increased exposure than previously recognized.

Sabbatella indicated that the scale of North Korean infiltration is greater than has been publicly acknowledged, and that there is a scenario in which agents are already integrated into 15% to 20% of crypto firms. He also stated that 30% to 40% of job applications submitted to crypto companies may be made by individuals acting on behalf of the North Korean state.

He described that the occurrence of infiltrators is not restricted to direct attacks or single occurrences, but it spreads into the daily activities of companies. After being hired, these individuals gain access to internal tooling, production systems, and other industry-standard infrastructure. Sabbatella claims that this path of entry has now become one of the favorite vectors of North Korean activity.

North Korean front workers and remote identities enable entry

The recruitment system works with middlemen who offer validated digital identities and access to platforms that users in North Korea cannot access directly. According to SEAL’s findings, such arrangements typically depend on workers in regions such as Ukraine and the Philippines, among other developing nations, who sell access to freelance accounts on websites like Upwork and Freelancer. 

In jobs that demand U.S. qualifications, Sabbatella claimed that some of its operatives find an American resident who is ready to be the face of the prospective candidate. The operative will then install malware on the device of that individual, providing them with constant access to a U.S. IP address and the rest of the internet. In that case, the operative will be involved in interviews and, in the event of success, will work from home.

These workers are likely to remain undetected once inside, as they meet deadlines and consistently deliver high-quality output. According to Sabbatella, they are frequently kept within the team due to their productivity, yet the teams are unaware of the threats posed by providing access to internal systems.

Sabbatella also pointed out that the security posture in the crypto industry presents a situation that makes it easier for infiltration. He wrote that crypto has the lowest OPSEC in the entire computer industry, where people establish businesses and work with their identities fully exposed, failing to employ secure key-management measures, and communicating with people they do not know using unverified channels.

He stated that, in the absence of operational security, malware infections and social-engineering attacks can spread at an alarming rate. This exposes personal and corporate gadgets to attackers who eventually gain access to wallets, communication systems, and development systems.

Financial and strategic motives drive activity

The U.S. Treasury recently reported that, over the last three years, cryptocurrency theft carried out by North Korean hackers has exceeded $3 billion. These funds have been reported to contribute to the weapons program of Pyongyang, and this has increased the importance of infiltration campaigns on the geopolitical scale. 

Sabbatella also made comments that explain that his previous estimate of 30-40% is limited to job apps, not apps in general, as far as crypto is concerned.