Crypto Exchange Turns Interview Into Intelligence Operation After Industry Tip-Off
Kraken, one of the largest U.S.-based cryptocurrency exchanges, has revealed how it identified and blocked a North Korean hacker attempting to infiltrate the company by posing as a job applicant for a technical engineering role.
In a May 1 blog post, Kraken explained that what initially appeared to be a routine hiring process evolved into a full-scale intelligence-gathering mission, after early red flags and a timely tip-off from industry partners.
“What started as a routine hiring process for an engineering role quickly turned into an intelligence-gathering operation,” Kraken wrote.
Early Red Flags and Suspicious Behavior
The deception became apparent when the applicant:
-
Used a different name during the interview than on their resume
-
Switched voices mid-conversation, indicating possible remote coaching
-
Displayed technical inconsistencies, including logging in via remote Mac desktops and VPNs
Rather than immediately terminating the process, Kraken decided to escalate the applicant through the hiring funnel to better understand the methods used by state-sponsored attackers.
“Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age,” said Nick Percoco, Kraken’s Chief Security Officer.
Kraken CSO @c7five recently spoke to @CBSNews about how a North Korean operative unsuccessfully attempted to get a job at Kraken.
Don’t trust. Verify 👇 pic.twitter.com/1vVo3perH2
— Kraken Exchange (@krakenfx) May 1, 2025
Evidence Linked to North Korean Threat Actors
Kraken confirmed that it had been alerted by industry peers that North Korean hackers were actively applying for jobs at crypto firms. One of the email addresses flagged in a shared threat list matched the one used by the candidate.
Further investigation uncovered:
-
A GitHub profile tied to a breached email address
-
Altered identity documents likely stemming from a previous identity theft case
-
A network of fake digital personas used to apply across multiple crypto companies
During the final interview, Percoco conducted identity trap tests, which the applicant failed — confirming the attempt was part of a broader espionage campaign.
Lazarus Group Escalates Global Attacks on Crypto Industry
The thwarted attempt at Kraken is the latest example of North Korea’s Lazarus Group and affiliated threat actors using cyber infiltration techniques to target the crypto sector.
-
In February 2025, Lazarus was linked to the $1.4 billion Bybit hack, the largest-ever crypto heist
-
In 2024, North Korean hackers stole over $650 million in crypto assets via multiple attacks
-
The U.S., Japan, and South Korea have jointly warned that North Korea is deploying IT workers to act as insider threats within blockchain firms
-
In April, a Lazarus subgroup set up three shell companies, two in the U.S., to distribute malware via fake job offers and remote interviews
Final Thoughts: Social Engineering Meets State-Sponsored Threats
Kraken’s experience underscores a critical shift in the tactics used by state-aligned cybercriminals, with job interviews becoming a front for infiltration.
As crypto companies continue to grow in scale and financial importance, they are increasingly in the crosshairs of nation-state actors. Kraken’s proactive security measures — and its transparency in sharing the incident — highlight the importance of vigilance and verification in a digital age where even hiring can be a threat vector.
