I was scammed for a job search! How to identify Web3 social engineering attacks from the victim’s perspective

ABMedia
07-23
This article is machine translated

Recently, I received a strange message asking whether I was interested in a job position. The other party initially pretended to be an HR representative from a Hong Kong digital bank but was vague about the job description. Later, they added me to a group and tried to fake human interactions to gain trust. Finally, they provided a KakaoVoice meeting link rather than the commonly used Zoom or Google Meet, which confirmed to me that this was a social engineering attack. I will now break down the event and the suspicious points from my first-person perspective.

Seeking Collaboration via Strange Private Message

It all started on July 11th, when I received a private message from the Twitter account @chuiso_eth. Although it was unexpected, since I create content and this account had many mutual followers, I broke my original principle of only collaborating through introductions from friends. I still checked with friends around me, who also noted the many mutual followers, so I developed initial trust in this person.


The last and main speaker in the group, Coinacci, also has links to Boundless and WeLab on his Linktree. However, the Twitter link leads to an account named @Coinacci, which claims to be @0xCoinacci and reposts all of that account's posts. After I sent a direct message to @0xCoinacci, he stated that the account in the group was impersonating his identity.


Risk Warning

Cryptocurrency investment carries high risks, and prices may fluctuate dramatically. You may lose all of your principal. Please carefully assess the risks.

The Office of Foreign Assets Control (OFAC) under the U.S. Treasury announced sanctions on July 8 against a cybersecurity professional named Song Kum Hyok, who is associated with the North Korean hacker group "Andariel". OFAC pointed out that Song Kum Hyok is suspected of infiltrating global enterprises by impersonating foreign IT workers, earning foreign exchange for the North Korean regime, and even implanting malicious code. The sanctions also cover a Russian individual and four related companies, highlighting how North Korea uses "remote work" to circumvent sanctions and fund the development of nuclear weapons and missiles.

North Korean Hacker Groups Successively Named and Sanctioned by the UN and the US

OFAC first reviewed the UN Security Council Resolution 2270 in 2016, which targeted the North Korean "Reconnaissance General Bureau" (RGB), pointing out that the unit assisted North Korea in developing illegal weapons. Later, in September 2019, OFAC sanctioned three North Korea-sponsored hacker groups: "Lazarus", "Bluenoroff", and "Andariel".

These organizations all belong to the RGB and have repeatedly conducted cryptocurrency theft to supplement the regime's funds. In May 2023, the US further sanctioned North Korea's "Technical Reconnaissance Bureau" and its "110th Research Center" for developing malicious attack scripts.

North Korea's New Tactic: Infiltrating International Enterprises and Laundering Money Back Home

OFAC noted that in recent years North Korea has mainly relied on disguised IT workers: it sends large numbers of technical personnel to countries such as China and Russia, who then take jobs in high-income countries around the world using false identities or altered documents.

These individuals find work through mainstream or industry-specific freelance platforms and social media, and use cryptocurrency exchanges and other platforms for payment and even money laundering. The applications they develop span business, health, fitness, social, sports, and entertainment, with many related to cryptocurrency.

OFAC stated that North Korean hackers typically remain anonymous, hiding their location and nationality, and often use US citizen identities to impersonate locals when job seeking. The money they earn is then converted to cryptocurrency and remitted back to North Korea to support the development of nuclear weapons and missiles.


North Korean Man Steals US Identity, Arranges Outsourced Workers to Impersonate US Citizens for Job Seeking

The main character on the sanctions list, Song Kum Hyok, is a North Korean cybersecurity professional responsible for coordinating foreign IT workers to apply for remote work using US identities. In 2022 and 2023, he directly stole US citizen identities and addresses to help fake workers successfully apply for accounts and jobs.

US investigators determined that Song Kum Hyok violated executive orders by improperly obtaining or misusing commercial secrets, personal information, or financial information, thereby threatening US national security.

Russian Man Assists North Korea's Outsourced IT Work

Another sanctioned individual is a Russian named Gayk Asatryan. Starting in 2024, his companies signed contracts with two North Korean state enterprises:

  • A 10-year contract with "Song Kwang Trading Corporation", planning to send 30 North Korean IT workers to work in Russia

  • A contract with "New Il Trading Company" to send 50 people to work at another of his companies

Asatryan used his companies "Asatryan LLC" and "Fortuna LLC" to receive North Korean workers, violating U.S. executive orders, as he is suspected of helping export North Korean labor and generating foreign exchange income for the North Korean regime. Both companies were also sanctioned, and the two North Korean partner companies named above were placed on the blacklist.

All Assets Frozen, U.S. Citizens and Businesses Must Report If Aware

OFAC stated that all individuals and companies on the sanctions list will have their U.S. assets completely frozen, and U.S. citizens or companies are prohibited from conducting any transactions with them or providing them funds, goods, or services. Those found in violation, whether U.S. or foreign individuals, may face civil or criminal penalties; even unintentional violations will result in fines.
