
A North Korean Spy Wanted to Infiltrate a Crypto Company. He Applied for a Job but Failed to Answer Questions About Halloween

  • During a job interview at Kraken, a candidate with a suspicious background raised the recruiters’ concerns.

  • As they started to suspect he was a spy, they decided to ask him some basic questions that ultimately revealed his true identity.

Alejandro Alcolea

Writer

Adapted by: Alba Mora


For decades, films, video games, and novels about double agents have depicted spies as risky, lonely, and often romantic figures. However, the reality is that traditional fieldwork has largely taken a back seat in the age of cyberespionage and labor infiltration. China and North Korea frequently emerge as focal points in discussions on this topic.

Sometimes, the methods used for cover are so blatant that a single question can easily reveal the truth: “What do you do on Halloween?”

Steven Scott Jr. Smith. His name is about as quintessentially American as you can get. Steven Smith applied for a job at Kraken, an American bank and cryptocurrency exchange. From the very first moment of the interview, something felt off.

Smith claimed to have 11 years of experience as a software engineer at companies like Cisco and to have lived in Houston for two years. According to Fortune, he logged into the video call under a different name than the one on his resume, promptly changing it. He also hesitated while answering simple questions. For more complex inquiries, he took longer to respond, as if he were consulting someone else for the answers.

Cornering the spy. This raised suspicions among recruiters, prompting them to ask Smith questions unrelated to the job. Suspecting he could be a spy trying to infiltrate the company’s system, they tried to catch him off guard.

Recruiters focused on three key questions:

  • The interview took place on Halloween. When they mentioned children might be knocking on doors that evening, Smith said that he would do “nothing special” if they came to his house.
  • One of Smith’s interests listed on his resume was food. A recruiter mentioned he would be traveling to Houston in a few days and asked for a restaurant recommendation. Smith looked around, smiled, and responded, “Nothing special here.” This was odd, considering there are surely many good restaurants in a city with a population of 2.3 million people.
  • Finally, recruiters requested to see his ID. Although Smith initially said he didn’t have it handy, he later shared a photo of his driver’s license, which showed an address over 300 miles away from Houston.

You can see both the license and the restaurant question in the following CBS video:

Culture of productive paranoia. In its blog, Kraken explains how its recruiters quickly recognized that something was amiss and approached the situation with one goal in mind. They wanted to analyze the spy’s methods in order to uncover details about their identity.

Crypto companies have recently faced significant issues with theft. Nick Percoco, a security manager at Kraken, explains that these attacks aren’t limited to the crypto industry and represent a global threat.

Percoco highlights three key aspects of this recent trend:

  • Not all attackers forcibly enter organizations. Many attempt to gain access by posing as employees.
  • Generative AI aids in deception, enabling attackers to pass initial screenings, such as resume or photo checks. As a result, interviews become crucial, and verification questions should be designed to avoid predictable patterns. For instance, asking for Halloween costume ideas or restaurant recommendations can be effective.
  • It’s essential to cultivate a culture of productive paranoia. According to Kraken, security shouldn’t be viewed solely as the responsibility of corporate recruiting and security teams. It requires a collective mindset across the entire company.

Not an isolated incident. When the Kraken team examined Smith’s operating history, it uncovered some intriguing details. For instance, he used a Mac desktop situated in a shared data center. He connected via VPN to conceal both his location and network activity. Additionally, his resume was linked to a GitHub profile that included an email address compromised in a data breach.

This behavior aligns with previous research findings. Spies often use VPNs to disguise their locations, pretending to be in the U.S. while actually being in North Korea or China.

Missile industry. Investigators have two main suspicions when it comes to corporate espionage. First, some individuals are stealing directly from their companies, particularly in cases involving cryptocurrency firms. Second, there are instances where employees send their entire salaries to the North Korean government to fund its arms industry.

A notable example is Christina Chapman from Arizona. She operated a remote computer farm that made it appear as though attackers were based in the U.S. According to CNN, this network raised $6.8 million, which Bloomberg reports was used to finance North Korea’s nuclear weapons program.

China uses a different strategy. While North Korea is focused on funding its arms industry, China often seeks to acquire technological know-how to enhance its chip industry.

In late 2003, ASML, a European company known for producing cutting-edge semiconductor manufacturing machines, reported the theft of confidential information. It suspected that a former employee had leaked business secrets to Huawei. Another case involved accusations against a spy who stole information from SK Hynix, again for Huawei.

This issue poses a significant challenge not only for the West but also for China. In mid-2024, the U.S. issued a cautionary message to ASML and several universities in the Netherlands, warning them to “be careful with Chinese students.” This alert raised concerns and, unfortunately, cast suspicion on all students.

Image | Duncan Karanja
