Undercover Cyber Intelligence Expert Reveals: North Korean Spy Posing as Japanese Engineer Exposes Himself While Job Hunting
According to Cointelegraph’s investigation, a group of North Korean spies is attempting to secure job opportunities within the cryptocurrency industry, with one spy revealing himself during an undercover sting operation led by experts.
This investigation was led by Heiner Garcia, a cybersecurity expert from the Spanish telecommunications company Telefónica and a blockchain security researcher. Garcia posed as an undercover recruiter, exposing how North Korean agents manage to find work online without using a VPN.
Garcia’s analysis report found job applicants who impersonated Japanese engineers and were linked to GitHub accounts. These accounts and identities were reportedly associated with North Korean espionage activities. In February of this year, Garcia invited Cointelegraph to participate in an online interview arranged with a North Korean agent named “Motoki.” After Garcia gained his trust, Motoki inadvertently leaked information about North Korean spy operations before angrily hanging up and subsequently disappearing. The following is a summary of the report.
Suspected North Korean Spies Impersonating Japanese Engineers
Garcia first encountered Motoki on GitHub at the end of January while investigating a group related to a suspected North Korean threat actor, “bestselection18,” an account operated by experienced North Korean IT infiltrators who allegedly penetrate the cryptocurrency industry through freelance platforms like OnlyDust.
Most North Korean operatives do not use profile pictures, so when Motoki’s profile featured a face photo, it caught Garcia’s attention. Garcia stated to Cointelegraph that he directly messaged Motoki on Telegram, claiming to be from a headhunting firm helping cryptocurrency companies find talent, without even mentioning the company’s name, successfully luring Motoki into conversation.
On February 24, Garcia invited Cointelegraph’s Korean reporter to join Motoki’s job interview, hoping the reporter could converse with the North Korean agent in Korean before the call ended. The Cointelegraph reporter was intrigued, believing that understanding how North Korean spies operate could provide deeper insight into their strategies.
Impersonator Lacks Japanese Language Skills
On February 25, Garcia and Cointelegraph met with Motoki online. They turned off their webcams, but Motoki did not. During the interview conducted in English, Motoki frequently repeated the same answers to different questions, making the interview awkward and stilted. Motoki exhibited suspicious behavior. Firstly, he could not speak Japanese; when asked to introduce himself in Japanese, he appeared to be frantically scrolling through pages, looking for text to help him answer. After a moment of silence, Cointelegraph said in Japanese, “Jiko shōkai o onegaishimasu,” to which Motoki frowned, took off his headphones, and left the interview.
Compared to bestselection18, Motoki’s performance was somewhat careless. He shared his screen during the interview, revealing critical details. Garcia speculated that Motoki was likely a low-level spy collaborating with bestselection18.
Motoki had two calls with Garcia, one of which included Cointelegraph. In both calls, his shared screen showed that he could access bestselection18’s private GitHub repository.
North Korean Accent Reveals Identity
A study conducted in 2018 found that South Korean males typically have wider and more prominent facial structures compared to their East Asian neighbors, while Japanese males often have longer and narrower faces. Although a broad generalization, in this case, Motoki’s appearance closely resembled the image of Koreans described in the study.
“Okay, let me introduce myself. I am an experienced blockchain and AI engineer focused on developing innovative and impactful products,” Motoki said during the interview, his gaze sweeping from left to right as if he were reading a script.
Motoki’s English pronunciation also provided more clues. He frequently pronounced words starting with ‘r’ as ‘l’, a common substitution among Korean speakers. Japanese speakers also struggle to distinguish between these sounds, but they tend to merge them into a neutral sound.
He appeared more relaxed when answering personal questions, claiming he was born and raised in Japan, had no wife or children, and asserted that he could speak Japanese fluently. He stated he liked football, and when he laughed, his pronunciation of the ‘p’ sound was quite heavy, a typical feature of Korean English.
Undercover Expert Reveals More North Korean Spy Secrets
About a week after being interviewed by Cointelegraph, Garcia attempted to extend the operation. He messaged Motoki, claiming that his boss had fired him due to the suspicious interview, which led to three weeks of private message exchanges with Motoki. Garcia later sought Motoki’s help in finding a job. In response, Motoki proposed a contractual agreement, stating they would provide Garcia with money to buy a computer so that Motoki could work through it. This arrangement would enable the operator to remotely access the machine from another location and perform tasks without needing a VPN connection.
On April 16, Garcia and his partner published their findings regarding the group of suspected North Korean agents associated with bestselection18 on the open-source investigation platform Ketman.
Days later, Cointelegraph received a message from Garcia stating that the person (Motoki) had disappeared; all his social media accounts had changed, and all chat records and relevant content had been deleted. Since then, Motoki has been unreachable.
North Korean agents have become a problem faced by recruiters in the tech industry, with even major cryptocurrency exchanges becoming targets of attacks. On May 2, Kraken reported discovering a North Korean cyber spy attempting to secure a job on a U.S. cryptocurrency trading platform.
A United Nations Security Council report estimated that North Korean IT workers generate up to $600 million annually for the regime. These spies can transfer stable salaries back to North Korea. The UN believes that these funds help finance North Korea’s weapons programs, including the acquisition of nuclear warheads.