Since at least 2018, North Koreans have been infiltrating companies to make money in the face of sanctions, as well as organizing hacks

Media report on the mass employment of DPRK developers in crypto startups

02.10.2024 - 15:05

What’s new? North Korean citizens are being hired en masse by crypto companies as remote developers using fake documents, which creates risks of hacks and of sanctions violations, CoinDesk journalists write in a new large-scale investigation. As one example, they cited Stefan Rust’s startup Truflation, which lost $5 million and at one point had a staff that was one-third North Korean; the workers had identified themselves as Japanese when hired.

Material by CoinDesk

What else is known? US authorities have increasingly issued warnings that North Korean IT workers are seeking to infiltrate foreign companies to channel funds into the country despite international sanctions. Separately, it is noted that the funds they receive are used to finance the government’s weapons program.

Earlier, the authorities issued a similar statement regarding the Lazarus group of hackers from the DPRK, who are also linked to the financing of the nuclear program. Moreover, the connection with hackers was one of the reasons for adding several crypto mixers to the sanctions list, including Tornado Cash and Sinbad.

According to a 2024 UN report, IT workers earn up to $600 million annually for Kim Jong Un’s regime. Importantly, even unintentionally hiring and paying DPRK workers violates sanctions and exposes the startups themselves to legal prosecution. In addition, these actions pose a serious security threat, as such employees have access to internal systems and can drain all funds from projects.

CoinDesk journalists found over a dozen crypto projects that unknowingly hired DPRK developers, including Cosmos Hub, Injective, ZeroLend, Fantom, Sushi, and Yearn Finance. Some cases occurred as early as 2018, but the publication notes that over the years, this practice has become increasingly widespread in the crypto industry. The companies themselves preferred not to report such incidents for fear of legal repercussions.

Often, North Korean employees simply performed the agreed upon work, but some transferred their salaries to North Korean government blockchain addresses. There have also been documented cases of “workers” eventually organizing hacks. Such was the case with the DeFi protocol Sushi, which lost $3 million in 2021.

North Korean developers, of course, do not disclose their real citizenship and residence when they are hired. They provide fake passports and real GitHub repositories that have been actively maintained for many years in a row. Young crypto firms are most at risk: they are ready to hire a specialist after a conversation in Discord, pay salaries in cryptocurrency, and have no mechanisms for background checks.

As a result, DPRK citizens can be hired both directly by a startup and as contractors. The latter happened with the Cosmos Hub blockchain in 2021, and the project’s team praised the results of their work very highly. Only two years later, Cosmos developer Zaki Manian received a letter from the FBI informing him that the tokens he had paid out had gone to North Korean crypto wallets.

CoinDesk managed to find out that the funds went to Sim Hyon Sop of North Korea’s Kwangson Bank, which finances the government’s weapons of mass destruction and ballistic missile program. Funds were also sent to Kim Sang Man of Chinyong Information Technology Cooperation Company, which hires developers from Russia and Laos. Both are on the US Treasury Department sanctions lists.

Their addresses also received tokens associated with Fantom Foundation, a non-profit organization that supports the blockchain of the same name. This suggests that the Fantom team also included DPRK nationals. The company said these were two outsourced developers brought in during 2021 who did not have access to the codebase, and that the project they created was ultimately never deployed. Fantom admitted that one of the employees tried to attack the servers but failed because he did not have the necessary access.

Eric Chen, CEO of the developer company of the Injective DeFi platform, also admitted that he hired a DPRK developer in 2020, but quickly fired him because he wrote “crappy code that didn’t work well.” Chen did not learn of the potential violation until three years later when he was approached by US authorities.

At the same time, US authorities did not press charges against the firms themselves. According to the journalists, law enforcement officials to some extent recognized that the firms “were victims of, at best, an unusually elaborate and sophisticated type of identity fraud, or, at worst, a long con of the most humiliating sort.”

The publication’s interlocutors from crypto companies emphasize that the DPRK developers themselves are not the main beneficiaries — they are only exploited by the regime. Thus, according to the UN, they are left with only 10-30% of their salaries.

In August, the DeFi protocol DeltaPrime lost $6 million as a result of an exploit. Notably, even before the incident, popular anonymous blockchain analyst ZachXBT reported that the company hired IT specialists from the DPRK. In total, he published data on several North Korean developers infiltrating the crypto space.

The startup Cluster took advantage of this ZachXBT information and fired two developers before it could suffer any damage. The team noted that there were a few “red flags” worth pointing out during the course of the work. For example, these employees regularly changed payment addresses and nicknames in messengers.

The publication’s interlocutors also highlighted other signs. For example, the developers’ working hours did not correspond to their supposed places of residence. Sometimes different people tried to pretend to be one developer, which could be deduced from differences in voice and accent, as well as ignorance of the details of the previous call.
