Decentralized Finance (DeFi) has long championed its foundation on principles of transparency and collaboration. Recently, an investigation commissioned by the Ethereum Foundation revealed another very serious weakness in the DeFi ecosystem, one rooted in human identities. The investigation uncovered approximately 100 suspected North Korean IT workers who were employed by several Web3 companies. They did not hack into the companies to gain access to their systems; they were hired through the normal process of engaging freelance developers or remote workers. Presenting themselves as legitimate freelancers and using established employment processes, these individuals embedded themselves inside the major wallets, decentralized exchanges and critical blockchain infrastructure of the DeFi cryptocurrency industry.
The Scale of the Cyber Infiltration
Operating in secrecy, these covert operatives obtained jobs at roughly 53 different cryptocurrency projects. The Ketman Project, an Ethereum Foundation initiative whose researchers tracked these state-sponsored efforts over a period of six months, identified this as a highly structured, nation-state-funded operation with the goal of infiltrating the entire crypto ecosystem. There are no recorded incidents of exploits or theft of funds by this workforce to date. However, their employment in decentralized finance protocols creates a unique, hidden security vulnerability for the entire cryptocurrency industry.
How the Fake Identities Were Crafted
These operatives used very sophisticated and deceptive methods to avoid being caught by today’s hiring managers. For the most part, the workers claimed to be experienced software developers from parts of the world such as Eastern Europe or Southeast Asia. They created false identities, used fake documentation and employment histories, and fabricated GitHub profiles and repositories. In many cases they also created convincing deepfake photographs of themselves and used very convincing cloned voices when interviewing remotely for jobs. All of this was meant to sustain the digital identity for a longer period of time without raising an obvious red flag right away.
The Hidden Agenda Behind the Keyboards
Since 2018, both the FBI and US Treasury Department have indicated that North Korea has a long history of using remote IT workers around the world to generate the foreign currency needed to fund the isolated regime while avoiding international sanctions. These remote corporate jobs offer significant advantages beyond a monthly paycheck: operatives can use their roles to gain access to proprietary systems, steal valuable intellectual property, and potentially map networks for future cyber-attacks or money laundering schemes carried out by state-sponsored hacking groups.
The Detective Work That Exposed the Network
To expose this large group of fraudulent developers, the Ketman research team used advanced forensic methods. The team combined on-chain blockchain data with traditional open source intelligence. They also used reverse image searches to find AI-generated portraits, along with complicated voice pattern matching. Researchers even noticed subtle behavioral slip-ups, such as system language settings (for example, a Russian user interface) that directly contradicted the operative’s claimed nationality, along with the accidental exposure of unrelated, suspicious email addresses during standard screen-sharing sessions with employers.
A New Era for Web3 Hiring Practices
This surprising revelation has started a huge change in the way that blockchain companies build and run their teams. Immediate reactions from companies will probably include stringent internal audits to evaluate who accesses their digital wallets and what each developer has contributed in past source code commits as they build their product. The way in which blockchain companies have traditionally hired employees or collaborators anonymously, regardless of where they live, will now change, with tighter procedures and a review of how past hiring was done. Crypto firms are also likely to greatly accelerate the adoption of on-chain reputation systems by implementing stronger identity verification standards for all contributors and by significantly increasing cross-company information sharing to verify that their developers are legitimate and have used their skills as intended.




