Engineer Recruitment Trap Led to $540 Million Ronin Hack

  • A fake recruiter was the initial access vector for the $540 million Ronin hack last year
  • The ‘recruiter’ sent over a file that was in fact a Trojan Horse, which gave the hackers a foothold on an engineer’s machine and from there on the network
  • The practice shows the ways in which Lazarus is expanding its operations

North Korean hacking groups are using an army of fake tech workers to infiltrate crypto projects and bring them down, according to the Wall Street Journal. The outlet reported this week on the case of Sky Mavis, whose Ronin bridge was famously hacked for $540 million worth of crypto in March 2022, explaining how the attackers got in: a fake recruiter approached one of the company’s engineers with a bogus job opportunity and used that contact to compromise the engineer’s machine, highlighting how the group’s tactics have evolved.

Fake Recruiter Infiltrated System

The Journal reported that a Sky Mavis engineer received a LinkedIn message from a recruiter regarding a job opportunity. The conversation progressed to an actual interview, after which the recruiter sent over a file for review. Unbeknownst to the engineer, this document contained malicious code, a Trojan Horse which, once opened, gave the sender unauthorized access to the engineer’s computer and became the entry point for the North Korean hackers.

The ‘recruiter’ was in fact an operative of the North Korean state-sponsored hacking group Lazarus, and the compromised workstation allowed the hackers to pivot into Sky Mavis’s systems. Sky Mavis’s own post-mortem reported that the attacker used that access to obtain the keys of four of its Ronin validators plus the Axie DAO validator, reaching the five-of-nine signatures needed to authorize withdrawals from the bridge. The resulting theft remains one of the biggest in crypto history.

North Korea Has an Extensive Network of Operatives

U.S. officials have disclosed that North Korea has established an extensive network of IT workers operating covertly across different countries, including Russia and China. These workers, who earn considerable salaries, sometimes exceeding $300,000 per year, mostly perform mundane technology tasks, but investigations have uncovered strong links between this workforce and the regime’s cybercrime operations.

Operatives assume various personas, such as Canadian IT workers, government officials, and freelance Japanese blockchain developers, to deceive their targets. They conduct video interviews while posing as prospective employers, or impersonate other individuals during the hiring process, as demonstrated in the Sky Mavis incident.

To infiltrate crypto companies, North Korean operatives also employ the reverse tactic: they enlist Western “front people” to act as decoys during job interviews and conceal the operative’s true identity. Once hired, they may subtly modify products, introducing vulnerabilities that facilitate subsequent hacking attempts.