According to Cointelegraph’s investigation, there is a group of North Korean spies attempting to secure job opportunities in the cryptocurrency industry, with one spy exposed during an expert undercover sting operation. This investigation was led by Heiner Garcia, a network threat intelligence expert from the Spanish telecommunications company Telefónica and a blockchain security researcher. Garcia posed as an HR undercover agent, revealing how North Korean operatives obtain jobs online without using VPNs.
Garcia’s analysis report uncovered a job seeker impersonating a Japanese engineer linked to a GitHub account. Reports indicate that these accounts and identities are connected to North Korean espionage activities. In February of this year, Garcia invited Cointelegraph to participate in an online interview arranged with a North Korean operative named “Motoki.” After Garcia gained his trust, Motoki inadvertently leaked details about North Korean spy activities before angrily hanging up and disappearing. Below is a summary of the report.
Suspected North Korean spy impersonating a Japanese engineer
Garcia first encountered Motoki on GitHub at the end of January while investigating a group associated with the suspected North Korean threat actor “bestselection18,” an account operated by experienced North Korean IT infiltrators who are suspected of penetrating the cryptocurrency industry through freelance platforms like OnlyDust.
Most operatives from North Korea do not use profile pictures on their accounts, so when Motoki’s profile featured a photo, it caught Garcia’s attention.
Garcia told Cointelegraph that he directly messaged Motoki on Telegram, claiming to be from a headhunting firm helping crypto companies find talent. He did not even mention the company’s name, successfully luring Motoki into conversation.
On February 24, Garcia invited Cointelegraph’s Korean reporter to join Motoki’s job interview, hoping the reporter could converse with the North Korean operative in Korean before the call ended. The Cointelegraph reporter was intrigued, believing that understanding how North Korean spies operate could provide deeper insights into their strategies.
Impersonator unable to speak Japanese
On February 25, Garcia and Cointelegraph met Motoki online, where they turned off their webcams, but Motoki did not. During the interview conducted in English, Motoki frequently repeated the same answers to different questions, creating an awkward and stilted conversation. Motoki exhibited suspicious behavior. First, he could not speak Japanese when they asked him to introduce himself in Japanese. The light from his screen reflected his frantic page browsing, searching for text that could help him answer questions. After a moment of silence, Cointelegraph said in Japanese, “Jiko shōkai o onegaishimasu,” to which Motoki frowned, took off his headphones, and left the interview.
Compared to bestselection18, Motoki’s performance was somewhat lackluster. He shared his screen during the interview, revealing critical details. Garcia speculated that Motoki was likely a low-level spy working in collaboration with bestselection18.
Motoki spoke with Garcia on two occasions, one of which was a call with Cointelegraph. In both calls, his screen sharing indicated he could access bestselection18’s private GitHub repository.
North Korean accent exposed
In a study conducted in 2018, researchers found that the facial structures of South Korean men tend to be wider and more prominent compared to their East Asian neighbors, while Japanese men typically have longer and narrower faces. Although this is a broad generalization, in this case, Motoki’s appearance closely resembled the image of Koreans described in the study.
“Okay, let me introduce myself first. I am an experienced blockchain and artificial intelligence engineer focused on developing innovative and impactful products,” Motoki read during the interview, his gaze scanning from left to right as if reading from a script.
Motoki’s English pronunciation also provided more clues. He frequently pronounced words beginning with “r” as “l,” a common substitution among Korean speakers. Japanese speakers also struggle to distinguish between these two sounds but tend to merge them into a neutral sound.
When answering personal questions, he appeared more relaxed, claiming he was born and raised in Japan, had no wife or children, and asserted he could speak fluent Japanese. He mentioned his love for soccer, and when he laughed, his pronunciation of the “p” sound was notably heavy, a typical pronunciation in Korean English.
Undercover expert reveals more secrets of North Korean spies
About a week after being interviewed by Cointelegraph, Garcia attempted to extend this operation. He messaged Motoki, claiming that his boss had fired him due to the suspicious interview, and subsequently engaged in three weeks of private information exchange with Motoki. Garcia later sought Motoki’s assistance in finding a job. In response, Motoki proposed a contract agreement, stating they would provide Garcia with money to purchase a computer so that Motoki could work through it. This arrangement would allow the operator to remotely access the machine from another location and carry out tasks without needing a VPN connection.
On April 16, Garcia and his partner published, on the open-source investigation platform Ketman, the results of their investigation into the group of North Korean operatives suspected of being associated with bestselection18.
Days later, Cointelegraph received a message from Garcia stating that the person (Motoki) had vanished. All his social media accounts had changed, and all chat records and related content had been deleted. Since then, Motoki has not been heard from.
North Korean operatives have become a problem for recruiters in the tech industry, with even major cryptocurrency exchanges becoming targets of attacks. On May 2, Kraken reported discovering a North Korean cyber spy attempting to find job opportunities on an American crypto trading platform.
A United Nations Security Council report estimates that North Korean IT workers generate up to $600 million in revenue for the regime each year. These spies are capable of remitting stable salaries back to North Korea. The United Nations believes this funding contributes to financing North Korea’s weapons programs, including the procurement of nuclear warheads.