Kraken Uncovers North Korean Spy Posing as Job Applicant in Covert Infiltration Attempt
- Flexi Group
- May 7
Cryptocurrency exchange Kraken has revealed it uncovered a North Korean spy attempting to infiltrate its systems during what began as a routine job interview. According to the company, the suspicious applicant, who identified himself as “Steven Smith,” triggered a series of internal security measures after raising red flags early in the hiring process.

Kraken began evaluating the candidate for an engineering role in early 2025. The company noted that it had been warned in advance about North Korean hacking operations targeting the crypto industry. “Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies,” Kraken stated in a blog post detailing the incident. “We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.”
During the interview process, further inconsistencies emerged. On a video call, the individual used a different name than the one listed in the application, and his voice changed mid-conversation, suggesting real-time coaching from a third party.
Rather than cutting the interview short, Kraken’s security team chose to keep the candidate in the process to study the infiltration techniques being used. “This wasn’t just about stopping one hacker,” said Kraken’s Chief Security Officer, Nick Percoco. “We aimed to dismantle their entire playbook.”
The company’s investigation revealed that the applicant was operating from a remote colocated Mac desktop while simultaneously masking his network activity through a VPN, a setup commonly used to obscure both physical location and digital footprints. The resume he submitted was tied to a GitHub profile that included an email previously exposed in a known data breach. Additionally, the primary identification document provided by the candidate appeared to have been manipulated, possibly using information stolen in an identity theft case from two years earlier.
Kraken decided to push “Smith” through several more interview rounds, using each one to test not only his technical qualifications but also his identity and geographic authenticity. In the final round, the applicant was asked to hold up a government-issued ID and describe his local surroundings.
“Between standard interview questions, our team slipped in two-factor authentication prompts, such as asking the candidate to verify their location, hold up a government-issued ID, and even recommend some local restaurants in the city they claimed to be in,” Kraken explained. “At this point, the candidate unraveled. Flustered and caught off guard, they struggled with the basic verification tests, and couldn’t convincingly answer real-time questions about their city of residence or country of citizenship.
“By the end of the interview, the truth was clear: this was not a legitimate applicant, but an imposter attempting to infiltrate our systems.”
This attempt fits within a broader pattern of cyber espionage by North Korean groups seeking to penetrate the crypto industry. In 2024 alone, hackers linked to Pyongyang stole more than $1.5 billion in digital assets. Operations such as Lazarus Group have increasingly adopted remote worker personas, employing AI-generated profile images, VPNs, and shell companies to bypass global sanctions and blend in with legitimate applicants.
A separate 2025 investigation uncovered that one Lazarus subgroup was running three front companies based in the United States, which they used to distribute malware. Another campaign, known as “Contagious Interview,” involved spreading malicious code and placing operatives within target organizations using fake job offers.
Kraken’s CSO Percoco issued a broader warning to the crypto and financial communities. “Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age,” he said. “State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks.”
By fLEXI tEAM