The scale and scope of the North Korean IT worker fraud continues to grow. A $1.3 million heist. “IT workers” as cutouts for OFAC-sanctioned officials. Unwitting recruitment agencies placing hackers into hiring pipelines. And startups are at the center of it all.
Another Company Shares Its Story
Cinder, a Trust & Safety startup, recently shared their experience as a target of these scams. Cinder has founders with intelligence community experience and North Korea expertise, but hackers still found their way into the interview process. Due diligence and attention to detail ultimately protected them.
An Investigation
Separately, renown pseudonymous scam hunter ZachXBT published his research on X/Twitter, sharing names, contact information, and images of these North Korean “IT workers.” His findings were remarkable:
- One group stole $1.3 million from a crypto startup
- At least 25 crypto startup projects had been infiltrated
- Some hackers had been placed at companies by recruitment firms
- One person/entity was working for dozens of startups simultaneously, earning $300k-$500k per month.
How to Stay Safe
Between Cinder’s recent blog post and ZachXBT’s thread (both well worth a full read), we’ve compiled a list of warning signs and red flags.
- Many actors had little/no online presence beyond professional networking profiles – no social media, no portfolio of work. ZachXBT did, however, find some more sophisticated actors with robust Github activity.
- Profiles were often recently created, with obscured, blurry, blank, and/or AI-generated profile pictures.
- Work experience and resumes were uniformly strong, but were often fabricated with roles or office locations that don’t exist. When asked, many candidates were unable to answer basic geographic or atmospheric questions about claimed work locations.
- Claimed experience (location, role, education) and command of English often did not match.
- Candidates uniformly insisted on fully remote roles, at times also explicitly refusing to travel.
- Many candidates readily engaged with identity verification processes, but used Fake IDs and hoped there was no genuine investigation.
- Hackers consistently used referrals as a means to expand infiltration.
- Actors used unwitting recruitment agencies as interlocutors to enhance legitimacy and obscure their backgrounds.
Startups in the Crosshairs
In scams like these, startups are not collateral damage – they are the main target. Remote work, high volume hiring in competitive fields, and a lack of security resources make startups uniquely vulnerable. Our startup clients depend on PRG to provide due diligence that scales and moves at the speed of business so they can grow fast and stay safe.
IMAGES: @zachxbt on Twitter