North Korean hackers are saturating the cryptocurrency industry with credible-sounding job offers as part of their campaign to steal digital cash, according to new research, raw data and interviews.

The problem is becoming so common that job applicants now regularly screen recruiters for signs they might be acting on Pyongyang’s behalf. Twenty-five experts, victims and corporate representatives that Reuters spoke to agreed that the problem was ubiquitous.

“It happens to me all the time and I’m sure it happens to everybody in this space,” said Carlos Yanez, a business development executive at the Switzerland-based blockchain analytics firm Global Ledger, who was among those recently targeted by the thieves, according to data supplied by cybersecurity companies SentinelOne and Validin, who are publishing a report about the cyber campaign on Thursday.

Yanez said that while he avoided getting hacked, the quality of masquerades carried out by North Koreans had improved significantly in the past year. “It’s scary how far they’ve come,” he said.

Although there’s no publicly available estimate of how much money is taken through this tactic alone, North Korean hackers were believed to have stolen at least US$1.34-billion worth of cryptocurrency last year, according to blockchain intelligence firm Chainalysis. The US and United Nations monitors have both alleged that Pyongyang uses the thefts to support its sanctioned weapons programme.

Allegations that Pyongyang targets the blockchain world with sophisticated scams aren’t new. Late last year the Federal Bureau of Investigation issued a public warning saying that North Korea was “aggressively” targeting the cryptocurrency industry with “complex and elaborate” social engineering schemes. But Reuters’ reporting, which seven targets corroborated with screenshots of their conversations with the hackers, provides previously unreported details of how they trick their targets, along with a detailed breakdown of their tactics.

How it works

First, a recruiter would reach out over LinkedIn or Telegram with a pitch for a blockchain-related job. “We are currently expanding our team,” said a 20 January LinkedIn message sent to Victoria Perepel from a recruiter purporting to represent Bitwise Asset Management. “We are particularly looking for individuals who are passionate about cryptocurrency markets.”

After a brief back-and-forth about the supposed job and compensation, the recruiter would encourage prospective applicants to visit an obscure website to run a skills test and record a video. At this point, several targets became suspicious.

Read: Crypto industry shoots for mainstream adoption

Why not simply do a live interview over a better known video platform, like Google Meet or Zoom? That was the objection raised by machine learning entrepreneur Olof Haglund on 21 January when he was approached by Wieslaw Slizewski, who purported to be a technical recruiter from the online trading platform Robinhood.

Slizewski refused to budge, insisting that Haglund download code to shoot the video.

“We follow a structured hiring process, and the video assessment is a key part of our evaluation to ensure consistency and fairness for all candidates,” Slizewski said in a LinkedIn message.

Haglund ended up terminating the interview, but others didn’t. One product manager for a US cryptocurrency firm, who spoke on condition of anonymity because he didn’t want to be known as a job seeker, said he recorded the video and sent it on to a person who claimed to be recruiting for cryptocurrency company Ripple Labs. It wasn’t until that evening, when he realised that $1 000 worth of ether and solana was missing from the digital wallet he kept on his computer, that he realised he’d been hoodwinked. When he looked for the purported Ripple recruiter’s LinkedIn profile, it was already gone.

In another case, consultant Ben Humbert was speaking via LinkedIn with Mirela Tafili, a recruiter claiming to be acting on behalf of the cryptocurrency exchange Kraken about a project management role. Tafili asked Humbert to complete a “brief virtual interview” and provided a link which Tafili said would help them “expedite the process” and move him to the next stage. Humbert said he became suspicious and terminated the conversation.

Ripple and Bitwise did not return messages seeking comment. In a statement, Robinhood said it was “aware of a campaign earlier this year that attempted to impersonate several crypto companies, including Robinhood” and that it had taken action to disable web domains linked to the scam. LinkedIn said in a statement that the fake recruiter accounts identified by Reuters were “previously actioned”. Telegram said scams were weeded out wherever they were found. Reuters’ attempts to reach the hackers were unsuccessful.

SentinelOne and Validin attribute the thefts to a North Korean operation previously dubbed “Contagious Interview” by cybersecurity company Palo Alto Networks. The researchers tracking the campaign concluded that the North Koreans were behind it based on several factors, including their use of internet protocol addresses and e-mails linked to previous North Korean hacking activity.

As part of their investigation, the researchers uncovered log files accidentally exposed by the hackers that displayed the e-mail and IP addresses of more than 230 people – coders, influencers, accountants, consultants, executives, marketers and more – targeted between January and March.

Reuters contacted all the targets to alert them to the malicious activity. The 19 who spoke to the news agency all confirmed being targeted around that time. One of the firms impersonated by the hackers said this was typical of the crypto space. “Every day there’s something going on,” said Nick Percoco, Kraken’s chief security officer.

North Korea’s mission to the United Nations did not reply to messages seeking comment on Reuters’ findings. Pyongyang regularly denies carrying out cryptocurrency thefts.

‘Tiny, tiny fraction’

The targets identified by Reuters were just “a tiny, tiny fraction” of Contagious Interview’s prospective victims, which in turn represents a subset of North Korea’s overall cryptocurrency stealing efforts, said Aleksandar Milenkoski, a senior researcher with SentinelOne who was one of the report’s co-authors. “They’re like a typical scam group,” he said. “They go for breadth.”

Percoco, the Kraken executive, said the company started seeing recruiting scams late last year, with reports persisting through March, April and May. The company uses tools to search for phony accounts posing as recruiters, but also fields reports from outsiders who’ll get in touch to say, “Hey, I was interviewing for a job with you guys and then it turned real scammy,” Percoco said.