A top auditor has revealed to the blockchain security community that there is an unprecedented infiltration crisis in the cryptocurrency industry that has sent shockwaves throughout the community. Speaking at the Devconnect conference in Buenos Aires, Pablo Sabbatella, founder of the web3 audit firm Opsek, dropped a bombshell statistic: North Korean operatives may now be embedded in up to 20% of all crypto companies.
This isn’t just about external hackers launching phishing attacks from afar. According to Sabbatella, the threat is internal. He estimates that a staggering 30% to 40% of all job applications currently received by crypto firms are from North Korean actors attempting to gain employment under false pretenses. If these figures hold true, the industry is not just under siege; it is already partially occupied.
The “Front Man” Strategy
The mechanics of this infiltration are as sophisticated as they are disturbing. Because international sanctions strictly prohibit North Korean citizens from participating in the global economy, these operatives cannot simply apply for jobs on LinkedIn. Instead, they have developed a complex “front man” system that exploits the global shift to remote work.
Recruiters for the regime reportedly scour freelance platforms like Upwork and Freelancer, targeting individuals in developing nations, as well as in Ukraine and the Philippines. The pitch is enticingly simple: “rent” your verified identity and credentials to a developer who claims to be from China or another restricted region. In turn, the collaborator gets 20% of the salary and the North Korean operative gets the other 80%.
Sabbatella explains the ruse: “They pretend to be someone from China that doesn’t know how to speak English but they need to get an interview.” Once the deal is struck, the operative infects the front person’s computer with malware, allowing them to route their connection through a U.S. IP address. To the employer, it looks like they are hiring a legitimate remote worker in a compliant jurisdiction.
The Perfect Employee—With a Dark Purpose
Once hired, these operatives are often model employees. “They work well, they work a lot, and they never complain,” Sabbatella noted in an interview with DL News. This high performance makes them difficult to fire and easy to promote, granting them deeper access to sensitive internal systems.
However, their ultimate goal is not career advancement. It is to funnel wages and potentially stolen assets back to Pyongyang. The U.S. Treasury Department confirmed in November that North Korean hackers have stolen over $3 billion in cryptocurrency over the past three years. These funds are not for personal enrichment but are directly funneled into the regime’s illegal nuclear weapons and ballistic missile programs.
The “Kim Jong Un Test”
Identifying these moles is notoriously difficult, but Sabbatella offered one unconventional litmus test. Because these operatives live under the constant threat of the regime, they are reportedly terrified of speaking ill of their “Supreme Leader.”
“Ask them if they think Kim Jong Un is a creep or something bad,” Sabbatella advised. “They aren’t allowed to say anything bad.” While seemingly absurd, this psychological quirk highlights the totalitarian pressure these workers operate under, even while navigating the liberated world of decentralized finance.
A Crisis of Operational Security
The successes of these infiltration operations highlight a major vulnerability in the cryptocurrency ecosystem: poor operational security, or opsec. Sabbatella stated that the industry may have the “worst opsec in the entire computer industry.” Founders and developers are often “doxxing” their true identities and locations while leaving their private keys unsecured. This lax attitude fosters a permissive space for social engineering attacks, especially with their predictable customers.
“Every single person’s computer is going to get infected with malware at some point in their lives,” Sabbatella warned, suggesting that for many crypto companies, the call is already coming from inside the house.
A Wake-Up Call for Recruiters
The ramifications of this report are significant. It implies that standard vetting processes such as the video interview, code tests, and background checks are insufficient. As the industry develops, it must now confront the fact that its decentralized, borderless ethos is being exploited by one of the world’s most isolated and dangerous regimes.




