How to identify North Korean hackers disguised as developer job applicants?
TechFlow Selected TechFlow Selected
How to identify North Korean hackers disguised as developer job applicants?
Crypto is full of weird and interesting people...
Navigating Web3 tides with focused insightsWritten by: TechFlow
On March 27, devastating news emerged from Blast: the Web3 gaming platform Munchables was hacked, losing over 17,000 ETH—worth $62.5 million.
Chain analyst ZachXBT indicated that the breach may have occurred because Munchables hired a North Korean hacker posing as a developer. Yu Xian, founder of SlowMist, also commented, “This is at least the second DeFi-like project we’ve seen遭遇 this kind of situation. A core developer pretends to be legitimate, infiltrates the team for a long time, gains full trust, and then strikes ruthlessly when the timing is right.”
When you're a crypto project founder interviewing remote developer candidates, encountering a North Korean hacker might not be so unusual after all.
Keone, founder of Monad, once disclosed on X in 2022 that they had posted numerous Solidity developer job openings and received many resumes… but suspected a significant number were from North Koreans, identifying several common traits:
-
They tend to prefer GitHub usernames like SuperTalentedDev726 or CryptoKnight415;
-
They often use numbers in email addresses and GitHub usernames—possibly a way to track their application identities?
-
They frequently adopt Japanese identities (perhaps because Korean ones are too obvious) and often claim to have attended top universities in Japan, Hong Kong, or Singapore (e.g., National University of Singapore, Nanyang Technological University, University of Hong Kong, HKUST);
-
Their GitHub repositories often (though not always) contain stolen codebases—taking existing projects and regenerating commit messages under their own usernames;
-
They frequently apply multiple times using different email addresses;
-
Claiming to have Solidity/EVM experience dating back too early—such as 2015.
According to recent updates, GitHub user Werewolves0493 is reportedly the North Korean hacker behind the Munchables attack. His GitHub email address is seniordev1225@gmail.com, which broadly matches the profile described by Monad’s Keone.
In 2022, Jonwu, a staff member at privacy protocol aztecnetwork, also encountered a North Korean hacker during an interview process, describing the online interview experience below:
First, we at aztecnetwork were hiring and received an application via @Greenhouse from someone named “Bobby Sierra - Solidity Engineer.”
After internal screening, the system assigned me to conduct an online interview.
I skimmed through the resume briefly.
Name: Bobby Sierra
Position: Solidity Engineer
Location: Ontario
Languages: English and some Chinese
Experience: F2pool, with some DAO and NFT projects listed on the resume.
Keep this in mind—it will become relevant later.
Then I read the cover letter, which opened with: “I am a blockchain developer with over 6 years of extensive experience.”
Followed by a bunch of vague, generic self-promotion—understandable, since not everyone is good at writing cover letters.
At the end, he wrote: “The world will see great results in my hands.”
...
Immediately, I thought—this guy sounds like a Bond villain.
I pictured a man whose arms were literally laser cannons, eyes made of plutonium or something.
“The world will see great results in my hands”??? Who talks like that?
What normal person says that?
It was unsettling. I immediately checked his GitHub—only 12 commits in the past 12 months? That’s not “extensive experience.”
Also, the projects he contributed to seemed random:
BoredBunnies
PantherSwap
MetaverseDAO
Anyway, I told myself, crypto is a strange and interesting space, full of weird and interesting people! Maybe Bobby is just eccentric.
Then, I started the interview!
Hi, this is Jon from Aztec—is this Bobby?
“Yes. This is...Bobby Sierra.”
A few observations:
His camera was off;
More than five people loudly talking in the background;
A noticeable Korean accent;
I asked why it was so noisy.
“Oh, I’m in the office.”
WTF—but why are another five people speaking a mix of Korean and English?
You might ask—how do I know he was Korean?
Well, I have several close Korean friends, so I’m very familiar with Korean accents—but this wasn’t the typical Korean-American, Korean-Canadian, or any diaspora accent.
“Bobby” certainly spoke English, but not naturally—stiff, formal, almost incomprehensible.
So, “Bobby, please introduce yourself.”
“I participated in many blockchain developments, token launches, many successful projects, very successful, lots of blockchain experience, all with excellent outcomes. Okay?”
Let’s break this down:
1) The first part is complete nonsense—I almost disqualified him right there
2) “Okay”
That one word “Okay” convinced me he was Korean. How do I know?
Because my friend’s mom always says crap like that before handing me a steaming bowl of pork ribs.
“This is very tasty, eat while it's hot, okay?”
Now alarm bells were ringing. I knew about the recent surge in North Korean hacker attacks.
I decided to dig deeper.
Where are you based, Bobby?
Bobby: “Based?”
As in—where are you currently located?
“Oh, Hong Kong.”
“Hong Kong? Where did you last work?”
“Oh, Ateke.”
What’s that?
“German company, or maybe French. I don’t know.”
Your resume says you worked at F2pool—can you tell me about F2pool?
“Uh uh uh, can you wait a moment?”
Then he asked me to mute myself for five minutes.
When Bobby came back, it felt like a completely different person.
“Hello, are you there?”
Yes, Bobby, I’m here.
“I am experienced blockchain developer, I want new job, I have very much experience, I can bring value to your company, I want engineer position now. Okay?”
Regardless of whether it was true or not, I hung up.
We know groups like the Lazarus Group from North Korea are actively attacking major protocols and individuals.
Ronin lost $600 million; Arthur0x, Mgnr, and countless other high-profile accounts have been compromised.
I don’t know the exact attack vectors.
-
Download a malicious .docx resume?
-
Ask someone to share their screen and navigate to MetaMask?
-
Gain access to our codebase and push a malicious update?
I’ll leave it to the internet to speculate.
Honestly, I don’t know if these people are actually North Korean hackers. Bobby might just be an extremely incompetent individual—but every fiber in my body says otherwise.
Beyond fear and amusement, I learned a lot from this bizarre interaction.
1) Our entire world is built on trust. If someone shows us a resume and GitHub, we believe it.
-
Smart contract risks are overestimated—anything can be an attack vector: hiring, events, travel, etc.
-
Don’t download attachments randomly; keep your wallet isolated on a separate device, etc.
Later, “Bobby” updated his GitHub to point to a brand-new account, now with more code commits.
I believe these individuals are learning, adapting, and getting smarter.
Fortunately, they still can’t hide how utterly disconnected and inept they truly are.
We just need to stay sharp.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
深潮TechFlow
