Security Expert Warns of Deep North Korean Presence in Crypto Jobs

A security specialist speaking at Devconnect in Buenos Aires warned that North Korean operatives may be embedded inside a large share of global crypto companies. The concerns reflect years of rising cyber activity linked to Pyongyang and highlight ongoing vulnerabilities across the digital asset industry.

Good to Know

• Up to one fifth of crypto companies may employ hidden North Korean workers
• Thirty to forty percent of job applicants in some cases are suspected North Korean attempts
• Funds stolen by cyber groups support nuclear weapons development programs

Pablo Sabbatella, founder of Opsek and a member of the Security Alliance, shared estimates showing that infiltration far exceeds isolated cases. He noted that job applications received by crypto firms often include candidates who are not who they claim to be. According to his estimates, as many as 30 to 40 percent of applicants originate from North Korean networks attempting to gain access through falsified identities.

Identity Masking Through External Recruits

Strict international sanctions bar North Korean citizens from seeking legitimate employment abroad. To get around these rules, recruiters in other countries offer their identities or verified records, enabling North Korean agents to appear as local workers. Freelance job platforms such as Upwork and Freelancer often serve as the first point of contact, especially in markets like Ukraine and the Philippines.

The compensation structure generally favors the North Korean agent, who receives 80 percent of the earnings while the collaborator keeps the remainder. In many cases, collaborators allow remote access to their computers or documents to maintain the illusion of legitimate employment.

Tactics Target U.S. Companies Most Often

U.S. firms rank among the highest priority targets. Sabbatella explained that North Korean operatives often pose as non-English speaking applicants from China who request interview assistance. During this process, the front person has malware installed on their device, giving the operative direct access to American IP addresses and broader internet capabilities not available inside North Korea.

These arrangements frequently remain undetected for long periods. Sabbatella said:

“They work well, they work a lot, and they never complain.”

Dependable output keeps concerns low while the worker gains deeper access into company systems.

Billions in Stolen Cryptocurrency Fuel State Programs

U.S. Treasury Department figures released in November reported more than 3 billion dollars in stolen cryptocurrency over a three year period tied to North Korean cyber activity. These funds directly support nuclear weapons development and other state programs.

Sabbatella criticized industry practices for enabling these operations. He argued that crypto companies maintain weaker operational security than any other computing sector. Founders often share their personal identities openly, mismanage private keys, and fall for manipulation tactics that skilled operatives use to gain trust.