DOJ Exposes North Korean Operatives ’Embedding’ in Crypto Startups—Here’s How They Did It
The U.S. Department of Justice just dropped a bombshell: North Korean-linked developers allegedly infiltrated crypto startups under false pretenses. Here’s the breakdown.
How They Played the Game
Posing as freelance devs, these operatives reportedly slipped into blockchain projects—coding by day, exfiltrating by night. No digital vault was safe.
The Crypto Industry’s Blind Spot
Startups hungry for cheap engineering talent got more than they bargained for. Due diligence? More like 'do-not-diligence'—classic crypto move.
Why This Matters Now
With DeFi protocols holding billions, the DOJ’s move signals a crackdown on shadowy access points. Expect tighter KYC—or at least, another round of empty promises about it.
Another day, another reminder that in crypto, 'trustless' systems still require someone to check the damn credentials.
Standard operating procedure
These tactics form "a pattern that has increasingly become standard operating procedure," Fierman told Decrypt.
The threat actors get hired by using "falsified documentation" and "masking their North Korean nexus," Fierman explained.
Aside from sending their compensation "back to the regime," the workers also "patiently wait for the opportunity to access funds of the Web3 company they've infiltrated" to steal more, Fierman said.
The scheme exposes a vulnerability in crypto's remote-first culture, where firms hiring globally may skip background checks, allowing state-sponsored actors with fake identities to exploit gaps.
"Unfortunately, many teams avoid in-person meetings and prefer hiring more 'cheap' developers than hiring well-known guys in our sector," Vladimir Sobolev, threat researcher at blockchain security firm Hexens, told Decrypt. "This is a fundamental issue."
Describing North Korea's cyber operations as a "long-term endeavor," Sobolev noted that the country has been engaged in these activities for a long time, even "before the popularity of blockchain and Web3."
Broader scheme
Earlier this month, federal prosecutors detailed in a civil action lawsuit how "tens of millions were exploited in a larger North Korean IT worker crypto scheme," Fierman said, sharing documents reviewed by Decrypt.
In a separate press release, the DOJ stated that it conducted coordinated raids across 16 states, seizing 29 financial accounts, 21 fraudulent websites, and approximately 200 computers from "laptop farms" supporting North Korean IT schemes, including the four aforementioned.
The enforcement actions revealed how North Korean agents used these laptop farms as remote access points, allowing operatives to modify smart contracts and drain crypto funds while appearing to work from U.S. locations.
"The ability for organizations to recognize these threats and protect their firm against them will be critical," Fierman warned.
Edited by Sebastian Sinclair