If hackers have access to the outside world (something they would need to be effective), they'd know the world thinks Kim is fat.
"He's very fat, haha!", end of story.
Edit: wait, or better yet: "how on earth would I know, and why are you asking this in a job interview? Is this because I'm Korean? I'd like to file a complaint with HR, what was your name again?"
Besides, you cannot have it both ways: either North Korean hackers are a "50ct army" or they are a credible threat. Most seem to be arguing they are a credible threat.
Also, he can always take the second option: "why are you asking about this in a job interview?", something many legitimate Korean candidates could ask.
The skill and IQ level varies widely, from super smart to super unskilled. And these roughly get sorted out into different groups with different MO's. North Koreans aren't some uniformly skilled group. You could be targeted by a team of world class bytecode exploit geniuses who rehearses every move, or by the equivalent of Milton from Office Space.
Dissing Kim is something that is not currently widely permitted in NK. Just isn't worth personally.
Not saying no one from NK never will, but so far almost everyone will immediately stop the conversation at this point. There are plenty of crypto people who have monthly or weekly encounters with NK job applicants.
I find some people's attitude to NK hackers slightly schizophrenic: either they are a credible threat or they are amateurs. Which one is it?
> Dissing Kim is something that is not currently widely permitted in NK
This wouldn't be "widely", this would be a specific interaction with a hostile foreigner for the purpose of infiltrating them. It's not the same as being allowed to say this to fellow North Koreans.
> Not saying no one from NK never will, but so far almost everyone will immediately stop the conversation at this point.
Legitimate candidates would at this point too, so as a tactic this is useless.
You are talking about North Korea attackers from a theoretical point of view. For many people dealing with them is just a normal part of work. It's not an unknown that needs to be worked out logically from an armchair.
I'm saying this as someone who personally chatted with a North Korea persona that later tried to drop exploits on people, and the persona belonged to hacking group with at least one 50 million dollar heist. I've also seen the screenshots on many chats with North Koreans.
I'm curious about your personal experience though. Did you try this tactic, and did it work? And how sure are you these weren't random hackers or trolls, but actual NK agents?
> many are amateurs
So basically this would only get rid of the amateurs, low hanging fruit that would have been caught soon enough anyway, and do a "natural selection" of only the non-stupid NK hackers to infiltrate your org?
"Agents" is way too big of a word. Just cogs in a corporate theft machine.
There's a lot of reasons I'm sure, but the biggest is because before a hack they asked for help doing something simple with a crypto address that was later used to test run the 50 million dollar theft that was North Korea. And also trying to drop North Korean linked malware is another data point.
This also hits my point about both dangerous and amateurs. They pulled off pretty sophisticated heist but, had to ask for help, asked for help using a crypto address tied to the theft, and blew the cover on an identity they had been building up for a year.
Here's a twitter thread I put together of both my conversation and others with this particular account:
Do you think asking them to say something offensive about Kim Jong Un would have outed them?
I have no clue whether the proposed approach works, but there's a pretty coherent model that explains how it could, no schizophrenia needed: They are competent people in a cult.
Being unable/unwilling to diss Dear Leader even when it's advantageous to do so is very typical cult stuff. In fact, it's sort of why cults are dangerous. They compel people to do maladaptive things in service of the "ideals" of the group/leader.
This applies both to the spy directly (perhaps they would personally be unwilling to say such a thing), but also to their entire chain of command. Cults by their nature are not good at passing nuanced instruction like "you can say bad things about Dear Leader under these circumstances." Just because you're willing to diss KJU to get in the door doesn't mean you know your entire chain of superiors are cool with it.
Ok, fair enough. In common perception of NK, they do seem bizarre, not like the Soviets during the Cold War.
I think it's unwise to dismiss them as lunatics incapable of deceit. If I were a NK agent, I'd work towards this notion, "NK are incapable of lying if it would diss their leader, that's how we get them!". In fact, I would spread this notion in Reddit, like the OP mentioned.
By the way, this still leaves the easy way out of "why are you asking about Kim Jong Un in a job interview, is it because I'm Korean? I'd like to speak to your HR department please".
I mean, I totally agree that this should not be relayed as a working method to identify spies haha. Just that it’s not beyond believability it’d work in some circumstances.
I don't believe they are earnestly identifying spies, even if they believe it. Not that they need spies to hack our system anyway, they managed to bring half the country to a halt by themselves.
On the surface it seems the "security" industry is lacking in the most basic of security processes when hiring.
I don't think I've ever worked anywhere that could accidentally hire a North Korean without uncovering it somewhere in the hiring process, and all my jobs have been especially uninteresting.
What bothers me more is there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.
Hate to be that person, but what are you reading that makes you think this is true?
Agree that the article is pretty dumb though, especially the OSINT and Crypto “don’t trust, verify” comments. Feels like content marketing that didn’t really hit.
https://www.theregister.com/2025/04/29/north_korea_worker_in...
According to Crowdstrike (the company that wiped out most of global technology last year) at least
> My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly
Maybe you’re contributing to the narrative with the posts like above. It’ll certainly drive engagement.
I'm sure there were a lot of false positives with that question.
If I was not reading HN and a few other sources I would likely hang up the phone too.
Thinking that it couldn't be a real job,... some phishing scam or hoax, asking ridiculous questions like that.
Depending on the job, it is quite likely the real talent would not be able to take the interview seriously after hearing suck a question.
Seriously weird times...
Ha if I got asked that during an interview, I'd think either I went to the wrong interview or the interview is a red flag.
Then next year it's a different guy, same schtick.
If the employer is satisfied with the employees output, who is being harmed?
Or a company that is handling HIPAA, GDPR or other sensitive data and is certifying that they are following policies around employee training, data sovereignty and document handling?
It's really, really bad. We post a role, get 500 applicants, and nearly all of them are not legitimate. They all look amazing, really great resume, impressive LinkedIn, etc... but when you dig a little deeper, it's not that hard to find a bunch of red flags (LinkedIn profile create < 3 months ago, VOIP number, using VPN to submit job application, etc). You really have to know what signs to look for. They're very convincing fakes.
We're extremely vigilant about this issue as a company, yet we've had people get through 2 or 3 rounds before someone realized something was off (some people are really, really good at faking it).
I feel bad for small companies trying to hire. For us, it got to the point where we literally couldn't open a role unless we had a full time recruiter to sift through all the international candidates pretending to live in the US.
Edit: We've been dealing with this for a couple years now, and there still isn't a great solution. Unfortunately the only surefire "solutions" we can think of are also things that would make the interview process less enjoyable for real candidates, which sucks. (One idea was to ask candidates to show us photo ID during the video interview, but something about making a candidate do that just doesn't feel good - although we have tried it, and it has effectively stopped a few fake people from getting through)
These rules have become weaponized in a culture war, such as the requirement that an ID match the name on the birth record, meaning women whose last names changed during marriage require additional paperwork, often crossing state lines and in person visits. Bingo, disenfranchised a large population of women.
Personally I think voting should be mandatory as some countries have done, and verification should be easy.
Obviously you need documentation to work, and it’s fair to gather that documentation as early in the process as is reasonable (as in when an application is submitted)
Elephant in the room, someone who can't produce photo ID to vote also can't produce it to work. So obviously you don't always need it to work (even if that's technically illegal). So long as the systemic issues remain I don't see an issue with that.
Actually come to think of it the low skill jobs I had when I was younger never asked for ID. Just my social, full legal name, and date of birth for their tax paperwork. Whereas the higher skill ones I had later demanded multiple forms of ID - I generally furnished them with both my passport and driver's license, which they took copies of and independently verified.
None of that is relevant for a high skill 100% remote job though. Not only does that demographic generally have easy access to ID, those rules really should be strictly enforced for remote positions since the internet is global.
If I produce a social security card and any government ID, that is typically enough to work (in the US).
It won't be enough to vote under the proposed act. In many cases, what will be required is a birth certificate that exactly matches other ID. If your name has changed, unspecified documentation will be required beyond a marriage license or court approved name change. A government issued ID such as military or REAL ID will not suffice.
Is the issue skilled candidates that are misrepresenting where they live, unqualified candidates with fake resumes trying to land the position anyway, or something else?
What have you tried?
If they trip enough red flags and it's an international issue, you could just be up front that you're suspicious (including why) and ask them to go outside and take a video of themselves in front of wherever they live. Then you check it against street view, scrutinize the vegetation, that sort of thing. Require the rest of the interview process to be via video call with a wide view of the room to ensure it's the same person. That solution is respectful of their time since it's quick and easy for them. They also presumably already shared their address with you so it's not particularly invasive.
To me, what you call "red flags" rather looks like a description of often outstanding programmers who are quite privacy-conscious (think into the direction of "somewhat cypherpunky").
This isn’t happening left and right. It’s an attack against specific industries, like crypto and finance. It’s one part of a broader pattern of attacks.
If you assist NK, then you’re hurting crypto but you’re funding NK operations (e.g. NK soldiers assisting Russia against Ukraine).
Regulation is just repression, rebranded.
I simply don't care anymore. Cryptocurrency's value is as a cultural shibboleth to identify individuals who deserve social interaction.
It's just like the bar scene in Inglorious Bastards, with the fingers. There are so many obvious tells you can have people divulge if they aren't actually telling the truth.
I lived in NYC for a year and I have no clue. My answer would be probably something along the line of "Haha! Yeah. Traffic is terrible in the city... or so do my friends with cars say. I for one take the subway everywhere, so no clue what you are talking about. But sounds like a pain! Hope you were not delayed too long."
> It's just like the bar scene in Inglorious Bastards, with the fingers.
The problem is that's a work of fiction. These shibboleth tests work great in fiction where the author has full control over the whole universe. Work less well in reality where "universal" signals turn out to be a lot less universal. You will have a ton of false positives and a ton of false negatives.
A counterstory: When my former boss started at the company, for the first years [!] he only "knew" very specific places (office, appartment, and one or two places associated with intensely practiced hobbies of him) in the city where the company is located, and basically lived inside the bubbles associated with these places and their surroundings.
Thus, to me it is very plausible that even if you lived in a city for many years, it is very easy to live in very isolated bubbles, and have barely any contact to people and their habits outside these bubbles.
Later I looked more closely at the resume and saw some more red flags, like, he had a degree from "CA State University" -- like, which of the 23 CSUs bro?
We did have a couple fake people make it to the final round, the last one was cheating and still bombing -- I sent a picture to the guy who did the second-round interview like "is this the Jason Smith you interviewed?" and he said "Lol, no"
They found this person at the top of the funnel, before they even started the process, and then chose to go through with it out of curiosity / for advertising. I personally think it's silly (I don't think the advertising or learning about some comically basic TTP like "interview coaching" was worth their team's time) but it's not a lack of basic process in this case.
I will say that hiring for remote jobs has gotten to be a gigantic time waste lately. Even though even moderate background checking can filter these candidates out, it's quite time consuming and with the rise of generative AI, these type of candidates (whether state-sponsored malicious actors or overemployment shops) are appearing in every industry and every role constantly by the hundreds. I disagree completely with other posts claiming only crypto and finance are being targeted; while it's hard to confirm and the North Korean operation specifically may be more tailored, fake candidates are rampant throughout the tech industry now.
Not sure why this would be any different for remote jobs. All job interview processes (remote and in-office) I've ever done have had an in-person step, and that should be enough to filter these fake candidates, no? Are companies really doing 100% remote interviews, as in: you sign the offer letter without even meeting a single person in person??
Also, the in-person step is usually at the end, which means yes, you can waste a lot of time phone- and Zoom-chatting with fake candidates, but that is equally true for in-office vs. remote roles. Nobody starts with the in-person, on-site interview.
Though we have been burned by someone we believe (but cannot prove) was 100% remote and working two jobs at the same time (they were laid off in a recent downsizing before we could get enough evidence, but they didn't seem as productive as we would expect). So I expect even if you apply for a 100% remote position you will need to do one round of interviews onsite. (though who knows if this will protect us)
Stuff can be forged but that needs local spy level of skills to make it work.
They were also hiring a company specialized in background checks, I literally had to fill up a form with the 14 places I had been living in all my life with dates of entry and exit, super annpying given the UI was slow as hell and that I had low recollection of addresses and date of my early years, I had to ask my parents. I may have been able to cheat probably but I didn't try.
I am also seeking a new position and I have realized that most b2b / work from anywhere jobs you could apply for were for cryptocurrencied / blockchain related companies so they surely make it easier for malicious remote applicants. I think it means they are kind of desperate / have difficulty to find talents. In other areas most companies only hire people who live in same juridiction they have an office and hr department.
You're dating yourself with that question. (yes, and they have been for a while)
I will say that hiring for remote jobs has gotten to be a gigantic time waste lately. Even though even moderate background checking can filter these candidates out, it's quite time consuming and with the rise of generative AI...
This never stopped and is still the case for "good" jobs btw.
So many roles are basically interchangeable and I’ll choose whichever one looks best on my resume or gives me some other tangible benefit. And I am prepared to bounce as soon as my vesting schedule drops. We all game this system too.
The days of us loyally working at any firm for 20 years, singing the corporate cheer songs and retiring with a pension are stuff of a different age.
I can definitely confirm it’s not just finance and crypto being targeted.
I can also confirm it’s not just state sponsored North Korean agents too. Sometimes it’s just individuals trying to fake it until they make it.
However I dont agree with your conclusion that remote interviews are not dead because of this. Yes it’s annoying and time consuming filtering out these culprits, but the interview process already was an annoying and time consuming process to begin with. So I wouldn’t be so quick to throw the baby out with the bath water.
It seems like there's a very WIDE range of quality people / companies, and an awful lot of compete FRAUDS.
For whatever reason "security" seems to have attracted a lot of carpetbaggers.
The good folks are very sensitive about it.
Nothing gives someone away as a poser as much as bragging about OSINT as if it's some sort of tradecraft meanwhile they're executing the same skills your average wine aunt does stalking her ex-boyfriend on Facebook.
The problem is that it's very difficult to assess how good someone is in their job. The solution is to promote the best engineers into management so they can vet the candidates.
It IS "broken" by design as employers just don't want to go through the effort into finding great candidates (even if they are truly exceptional) and now it is even easier for candidates to cheat it thanks to AI.
The ones claiming to "fix" it aren't fixing anything and are making it worse for both the interviewer and the candidate and are just extracting money from the process.
The reality is, there is no fix.
LinkedIn et al make everything worse by making the application process so easy.
If you're a small company, the fix is to outsource the top of your funnel to a recruiting company you trust.
If you're a medium or large company, the fix is to require on-site work.
> employers just don't want to go through the effort into finding great candidate
The notion that employers can put in the effort to give every candidate a totally fair shot so they can find the best ones is, I think, wrong, let alone the notion that they could but choose not to.
At my last company, we would have needed more people doing application reviews and interviews than we actually had employees if we wanted to do that.
Hell, I remember in college applying for a stock job at the local liquor store. When I went to hand in the application, I was told to put it on the pile- a stack of filled out applications thicker than several of my textbooks put together, suspiciously placed at the edge of a desk right next to a trash can.
Sure there is. Randomly sample N, filter down to M, go through preliminary interview stages. Depending on how many that leaves you with rinse and repeat.
The important thing here isn't fairness from the perspective of the applicant. It's a process that works reliably for the company and doesn't unfairly waste applicant's time.
If the very first stage (application plus resume) is no longer a reliable signal then accept that fact and rework the process to match.
I've been through multiple rounds of interviews with some companies with no end in sight, as many people have. I refer to the endless number of interview rounds as an obsession with process because employers tend to think that the more they evaluate people, the better result they get, regardless of how useful the processes they subject applicants to are. I've generally found people to be going through motions more than anything else, and the additional process is just more work that is not particularly useful to evaluate the candidates. It's still a lot of effort for both the employer and applicants.
That said, I do agree wholeheartedly that they should direct their efforts more towards the result of hiring a good candidate rather than just falling back to blind devotion to some series of processes to weed people out. They should focus on getting the most meaningful bit of information at each round to eliminate the most candidates possible, kinda like a form of optimal experimental design [1] if you are familiar with that term.
[1] https://en.wikipedia.org/wiki/Optimal_experimental_design
Get a new CISO? You'll probably be buying the software from the last company he worked with and spending the next 3 years installing it all over just in time for them to declare mission accomplished you are secure and move on to the next square in the C-suite game of Life these dudes play. Then there's the people beneath them who want to be them mucking up the system playing get to the c-suite and not 'secure the company' or 'build good things'
Oh and if you've gone public your core business is probably on auto pilot with some gremlins keeping it running while your execs placate shareholders with layoffs and introducing AI.
People who actually want to do things, help people, and understand why the work needs done and is worth doing (the work that is anyway) are burnt the fuck out.
If you have a system that is down for 12 hours 3 times a year, it's fine - as long as a lot of other companies are also down. If you have one that's down for 2 hours once every 3 years, but you're the only one affected, that's terrible. Not because you're "losing sales", but because you can't bemoan a common supplier, point to "it's a global problem", and then get taken for a nice apology lunch by the account manager when your bill goes up 10% next year.
All this goes to show is that, for many companies, their hiring process for offshore employees is so sad that basic human interactions that would easily uncover blatant attempts like this are skipped.
An entire country has dedicated significant resources to getting some of their hackers hired. Those talented people you mention are likely trying to get hired by themselves. It’s not an industry problem so much as a coordinated attack.
Because I got no explanation the potential reasons for my rejection rolled over in my head. I finished the exam to the best of my ability - was my ability just not good enough? If I went to e.g. the library or something to hunt for a station with webcams in time would I have not come off so suspect?
Since then I've gotten no other interview offers elsewhere and feel like a moron for blowing my one chance last month over such a stupid coincidence, if it really was the case they rejected me for thinking I was some kind of corporate spy. It really was the definition of "too good to be true." I will now pay way more attention to how I appear to the interviewer from now on, and carry extra devices/webcams in case the worst happens.
> our Red Team launched an investigation using Open-Source Intelligence gathering (OSINT) methods.
basically mean "some guys in the company googled him"?
I've been duped simply by hiring a great engineering candidate who then farmed out the actual work to remote workers in Pakistan and India. We caught on fairly quickly thanks to one of them forgetting to login to one of our backend systems via vpn a few times. No idea how many companies he was "working for" but I'd bet we were one of many.
Remote work has amazing upsides and tremendous security implications.
Despite all the weird crazy dog and pony show and jumping through hoops that most companies do now, most companies are abysmal at hiring.
just spitballing but even if someone has a remote computer after getting hired, and is onboarded they should not have access to sensitive systems. So while you can't completely prevent the possibility of hiring a malicious actor security should not simply be on/off. The register article mentioned how after these devs were hired they were immediately able to kick off their plans. I think security is not structured properly if that is the case.
Is the subcontracted work not good enough? Well, then the problem is that the work is not good enough.
Is the person not contributing in other ways that you want them to contribute because they have other jobs? (eg. chat conversations, meetings, team building, etc.) Well, then the problem is that they aren't making those contributions.
Or is it just that you're paying them more than you would have to pay the subcontractors if you found and managed them yourself? Well, then you are totally free to skip the middleman and do that yourself. But there is, actually, value in finding and managing freelance work. I certainly don't want to do that myself! If someone is good at doing that, and the quality of the work they are managing is acceptable to me, then it seems like they might be earning their paycheck?
I do get that the dishonesty element is bad in and of itself, but I honestly wonder whether, if this is a problem a firm is having, they should consider hiring the work out to subcontractors, without any subterfuge.
It depresses me, but you’re probably right about in-office work being the only guarantee against this type of scam. I wish we could just have nice things.
Saddens me a bit. I like to trust hires and give them pretty wide access to everything. For my own company, I've so far only hired people I worked with in the past, but when hiring strangers remotely, I'll probably have to rethink my trust-first model.
IF they can get such a 'candidate' hired... whats to say they couldn't continue the sham. One could imagine a team of hackers could easily pass of work that a single IC could reasonably have produced.
If their goal is exfiltration (or some other hack) of a {bitcoin exchange, govt, ...} actually putting in {weeks/months/year[s]} of actual work to insert someone into the right position at the right company is insanely worth it.
Sure I guess someone could physically turned up to an office to collect a laptop, be onboarded, get ID checked, then dial in to a few hours of meetings a week, muddle through any questions, rely on the team back at base helping, turn up in person to team get togethers every few months and manage to bluff their way through. It's not unprecedented - Frank Abagnale was running that type of con decades ago, Russia had the "Illegals" program of deep cover spies.
That's not exactly low cost.
But now with COVID a thing of the past, for "fairness" reasons (DEI?) we still do 100% remote interviews, but now have the ludicrous situation where we're asking interviewers to do absurd things like look for the reflections in the candidates' eyes/glasses to see if they're using ChatGPT, ask the candidate to swing the webcam around to make sure there are not other people in the room, ask them to hold their hands up to the camera to show they're not typing a prompt (which is even more stupid than it sounds because voice recognition is amazing these days), or ask them not to look away from the camera when answering questions (so not reading answers from another monitor) and other stupid things. How ridiculous.
The sooner we get back to in-person interviews the better. Get them to come to the office (which they'll need to do one day if they get the job) and sit next to them while they code on a work laptop).
Sorry to all those folks who want 100% remote, but this is why we can't have nice things.
a) Don't have to pay to fly candidates out, pay for their hotel, etc.
b) Don't have to pay relocation
c) Get access to a larger pool of candidates, so can price the wages lower than local wages would require
My last company there was a top down directive that in-person interviews were straight up not allowed, everything had to be over Zoom. Even for local candidates, for a job that was supposed to be in-person! Completely crazy IMO.
But yes, that directive to interview local candidates over zoom does seem very silly.
Opening up the wider pool without the in person interview is where things hit the wall since the filtering criteria everyone learned over their careers went out the door thanks to the online interview process. And the online interview process is much more subject to cheating--not exactly a huge concern in-person.
If you want a software engineer silicone valley you can stay all local. There are companies in remote small towns who need a software engineer - they have to open up to non-local candidates as there are zero people in town who could do the job that don't work for them. There is always someone from elsewhere excited to move to a small town, but finding those people is hard. (and for those people finding a company that wants them is hard)
I haven't run into this thing where I'm talking to a video AI, but maybe I'll sing a different tune if that ever happens and is high fidelity enough to trick me.
If "cheating" just means using AI assistants to answer my interview questions, honestly I think I've done a poor job structuring the question and interview.
I do recognize this as a giant challenge right now, to structure interviews in a way that provides real signal, while allowing candidates to use the tools they'll actually be using for the job. But I don't think the challenge is significantly different between remote and in-person.
(I don't know the answers to how to interview in this brave new world, but I'm increasingly skeptical of forbidding tools that people will be using for the job.)
To write code (even with the benefit of AI) effectively you need a mental model of the systems you work with, reading the chatGPT response doesn't prove you have that.
For developers I share my screen on MS Teams so everyone can watch, then hand them my laptop with Visual Studio. They've got 90 minutes to complete a small assignment while we look at them code - Google is allowed, so is copying and pasting from Stack Overflow, and we'll probably allow Copilot as well. The code needs to run and return the expected results. One candidate said, "this was great, it felt like real work".
For cloud admins, our Devops lead creates a new resource group, hands over his laptop, and we ask them to create a few resources and do the network and authentication to make them talk to each other. Most candidates can't do that anymore - we're finding they've become Terraform operators that don't know how the underlying technology works.
If you're just throwing work over the fence and it takes network analysis to figure out who's doing it...then maybe you should just be hiring a contractor anyway.
Did they want to serve the god emperor of SAAS?
If AI does it, it’s the best thing since sliced bread.
I’m sorry but capitalists that want to have it both ways annoy me. Agree on what gets delivered for how much and get out of the way. The “employer” mindset doesn’t jive with capitalism ya’ll are so fond of.
The poster included a sneer about “work”. This is about something else.
It's essentially a subsidy heavily distorting a very specific market.
I'm not asking what the moral or ethical difference is. They're paying for engineering output, and if they are getting that output, why does it really matter whose fingers are typing it in?
I wouldn't see anything wrong with this, but I would be willing to bet that 99% of companies would not go along with it--for reasons I'm not sure I understand.
There's legal aspects to the employer-employee relationship that are different than the company-vendor relationship.
Even reporting the pay to the IRS as personal income would probably be legally problematic, because from a legal aspect a vendor is being paid for a service not an individual receiving income from an employer.
If they cannot board a plane using their claimed identity from their claimed city of origin, you can stop there.
Of course if they hire me as opposed to that person in India directly there is likely a reason they wanted someone in the US. Often those reasons are legal and somewhere a law is being broken.
Are you really going to do this for all candidates that make it to the final round of interview?
Are you also going to compensate the time for the candidate if he doesn't get selected?
Unless what you're proposing is more a formality, and that unless the person doesn't show up he's guaranteed to get the job.
I'm sure this wasn't a case of the most advanced/sophisticated attempt from North Korea and other bad actors, and probably just a case of them casting a wide net. But regardless based off of this writeup and the video shown dude should have never been given the time of day.
Whereas, I've been looking for quite a while, with very few bites. And nobody so far on HN Who's hiring responds, except for a place that seems to want 60h/week and pay for 40h/week.
Being genuine and truthful in the age of generative AI, LLMs, quiet quitting, /r/overemployed (on the sly working multiple 40h week jobs).... Being honest in this environment seems to be a losing endeavor.
It doesn’t really seem like it helps that much in résumé generation. Are people applying to enough hundreds of jobs that generative AI helps you keep up with the sheer volume of text you need to send? Some people are… but these aren’t people who know what good résumés look like, because those people write their own résumés, and these people aren’t people who are good with LLMs, because that skill is in-demand.
I think it’s just a tight, tough market. What I’ve seen is job searches that take longer and have higher standards. You’re competing with a larger pool of experienced candidates. And various companies are worsening the work conditions because the market favors it (and they want “unregretted attrition”).
It’s hard not to be cynical. But I think it’s just a shitty market to be looking for a job, it’s not a paradigm shift that favors dishonesty.
To the degree I skim resumes for anything nowadays, it’s AI slop. Automatic bin.
> It turns out there is a burgeoning sub-industry of college-aged males of Asian ancestry who cannot wait to get paid for participating in these schemes. There are Discord channels all around the world just for this. They make a few hundred to a few thousand dollars for allowing their identity to be misused or participating in the scheme. That way, they can interview in person or take drug tests if the job requires that.
https://blog.knowbe4.com/our-interview-of-a-north-korean-fak...
They already knew the candidate's name, email, and GitHub were all part of past beaches. I could understand if they were fishing for more information to contribute to a shared list, but it seems like they knew virtually everything they needed to know.
Asking the candidate to justify the inconsistencies outright would've been just as helpful as the final interview IMO.
Is there something I'm missing there?
My assumption based on this was they weren't certain it was someone malicious and they were double checking their own conclusion. If not it makes no sense to tip the candidate off that you're suspicious about them.
At that point I'd say asking the candidate outright is better than playing a weird game of "Name 5 restaurants not on Google maps in the town you live in".
But if they were sure, then yeah, skip the interview altogether and forward the information to law enforcement.
> Name 5 restaurants not on Google maps in the town you live in".
Then they had a candidate who was trying to cheat the systemeat
How did they establish and verify that the candidate was North Korean? Are North Koreans the only ones who try to remote work byt lying about their whereabouts?
Not at all.
If you live in a country outside of the US and you see the money software poeple make in the US it is mighty tempting to land a gig.
The fact that the persdon made simple mistakes and needed to be coached does not sound like a North Korean state operation.
If someone had told them Russian hackers are trying to get jbos.
Would they have asummed the person was Russian?
> We received a list of email addresses linked to the [North Korean] hacker group, and one of them matched the email the candidate used to apply to Kraken.
In the past, they just tried to break into bank computers, then into crypto company's computers. For the last two years, they've been working on getting people into crypto companies.
But now they appear to have enough people to spare than they also have groups working on "honest" employment as remote workers, who may not even have theft as the first thing on their mind.
Here's a federal case where a US woman was convicted of helping North Korea steal the identities of 70 people, and then remote in as them, to do remote work:
https://www.justice.gov/usao-dc/pr/arizona-woman-pleads-guil...
Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies.
We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.
This single red flag should invalidate the candidate immediately, end of story.
The interview call over zoom was clearly an AI avatar, and the answers were verbally spoken but constructed in a "bulleted" way that an LLM might produce.
All of the timestamps in the commits were made with the KST timezone.
this is a tongue in cheek test in crypto circles for like a year now
I don't know, if I run into these questions in a job interview, especially with a small, less known company, I would be having serious questions about what this company is doing
Actually, that's a job for counter-intelligence agencies (NSA? RCMP?), but I guess they will just laugh you call them.
“Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks.”
It's funny to see the CSO of a crypto firm say this. It's the opposite of the whole way crypto works. In crypto, the transaction is processed (trusted) if all the credentials and keys are correct, regardless of who's behind it.
I wonder what crypto-currency looked like before the digital age...
Edit: added -currency suffix to crypto :p
> Their resume was linked to a GitHub profile containing an email address exposed in a past data breach.
How is it an indicator of anything? Any actively used e-mail address that is older than a few years will be listed on haveibeenpwned.
> We received a list of email addresses linked to the [North Korean] hacker group, and one of them matched the email the candidate used to apply to Kraken.
Which is why everyone needs to switch to passkeys. It's crazy that we still use passwords for authentication
- online history was sparse and somewhat mismatching, and weird profile image reuse
- unexpectedly strong accent in calls, does not show video
- background reference checks a mess
What happened to standard procedures? 1. Phone interview. 2. Video interview. 3. In-person interview. 4. Job offer and hired. Heck, even standard was 1. Phone interview. 2. In-person interview. 3. Job offer and hired.
> From the outset, something felt off about this candidate. During their initial call with our recruiter, they joined under a different name from the one on their resume...
Use this to your advantage during the interview process to weed them out: https://news.ycombinator.com/item?id=43853382
If I were able to predict the future I would say that soon GitHub, GitLab and others will release inproved security sensors.
https://koliber.com/articles/how-to-avoid-hiring-a-north-kor...
So basic HR processes?
If its not insider access then might as well hack an OSS maintainer and publish malicious open source package that everyone depends on to reach your target organization.
How can Kraken found this out based only on Videocall?
And at one point i was getting a lot of candidates with european names, no picture, good resume.
And when I met them over a call it was very strange: they were all asian(with really typical nordic names), they were like clones in the way they talked and answered questions exactly the same. They also claimed to be from Sweeden/Finland/Norway for most of them but yet they had a strong asian accent. Not nordic at all.
This was really fishy and since the fit wasn’t there I stopped the interview without thinking about it too much. but the more I think about it, the more i tend to lean on North Corean candidates.
At a previous remote job for a financial institution, they required a full background check with fingerprinting, reference checking, past employment verification, drug testing and in-person verification of identity and employment authorization. This was done for everyone, not just people they found "suspicious."
Frankly, the laws against applicant discrimination also makes having different processes or demanding different information from candidates because of national origin/ancestry/accent/etc. legally questionable.
The article could have been this short.
This article also helps the Korean hackers by providing in depth commentary on how they were caught and how to improve.
On a serious note, as a Kraken customer, I am very happy that they take security issues seriously. Reassuring.
Sounds like you had to really push the boundaries of what is humanly possible to uncover this one.
rvz•4h ago
Now made even easier for fraudsters and including state actors thanks to Generative AI. Also:
> Generative AI is making deception easier, but isn’t foolproof. Attackers can trick parts of the hiring process, like a technical assessment, but genuine candidates will usually pass real-time, unprompted verification tests.
This is why Leetcode / Hackerrank and other (online assessments) OA in the technical interview is unfit for use in the age of AI.
> In the modern era, it’s an organizational mindset.
Security is a way of life for this company, but it would have easily fooled a less security-oriented company and it will just only get worse.
spacebanana7•4h ago
I wonder these are similar to the "tests" in Suits, where they (somewhat inadvertently) check whether someone went to Harvard by asking about the food places students typically went to.
xyzhut•4h ago
cosmicgadget•4h ago