We identified a North Korean hacker who tried to get a job at Kraken

244 2bluesc 181 5/1/2025, 2:53:34 PM blog.kraken.com ↗

Comments (181)

donnachangstein · 2h ago
They used their leet "OSINT" skillz to ask the most basic of questions and background checks that nearly any traditional interview process would immediately uncover, then think it's so novel it's worthy of a blog post.

On the surface it seems the "security" industry is lacking in the most basic of security processes when hiring.

I don't think I've ever worked anywhere that could accidentally hire a North Korean without uncovering it somewhere in the hiring process, and all my jobs have been especially uninteresting.

What bothers me more is there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.

bri3d · 2h ago
> On the surface it seems the "security" industry is lacking in the most basic of security processes when hiring.

They found this person at the top of the funnel, before they even started the process, and then chose to go through with it out of curiosity / for advertising. I personally think it's silly (I don't think the advertising or learning about some comically basic TTP like "interview coaching" was worth their team's time) but it's not a lack of basic process in this case.

I will say that hiring for remote jobs has gotten to be a gigantic time waste lately. Even though even moderate background checking can filter these candidates out, it's quite time consuming and with the rise of generative AI, these types of candidates (whether state-sponsored malicious actors or overemployment shops) are appearing in every industry and every role constantly by the hundreds. I disagree completely with other posts claiming only crypto and finance are being targeted; while it's hard to confirm and the North Korean operation specifically may be more tailored, fake candidates are rampant throughout the tech industry now.

hnlmorg · 44s ago
> I disagree completely with other posts claiming only crypto and finance are being targeted; while it's hard to confirm

I can definitely confirm it’s not just finance and crypto being targeted.

I can also confirm it’s not just state sponsored North Korean agents too. Sometimes it’s just individuals trying to fake it until they make it.

ryandrake · 1h ago
> I will say that hiring for remote jobs has gotten to be a gigantic time waste lately.

Not sure why this would be any different for remote jobs. All job interview processes (remote and in-office) I've ever done have had an in-person step, and that should be enough to filter these fake candidates, no? Are companies really doing 100% remote interviews, as in: you sign the offer letter without even meeting a single person in person??

Also, the in-person step is usually at the end, which means yes, you can waste a lot of time phone- and Zoom-chatting with fake candidates, but that is equally true for in-office vs. remote roles. Nobody starts with the in-person, on-site interview.

bluGill · 6m ago
10 years ago all interviews were in person. With the pandemic they all went 100% remote. We proved that 100% remote positions can work and so there is temptation to continue doing 100% remote interviews for people that will be working remote anyway.

Though we have been burned by someone we believe (but cannot prove) was 100% remote and working two jobs at the same time (they were laid off in a recent downsizing before we could get enough evidence, but they didn't seem as productive as we would expect). So I expect even if you apply for a 100% remote position you will need to do one round of interviews onsite. (though who knows if this will protect us)

squigz · 17m ago
All interview processes I've gone through have indeed been 100% remote. When considering this, you should keep in mind the amount of developers that aren't earning top 1% incomes or being offered stock in companies. Things are probably a lot more casual than you may be used to.

andy99 · 1h ago
> I will say that hiring for remote jobs has gotten to be a gigantic time waste lately. Even though even moderate background checking can filter these candidates out, it's quite time consuming and with the rise of generative AI...

Good. I hope the whole hiring process gets blown up. The root cause of this is transactional hiring. Companies treat applicants like commodities, and now bad actors have found out how to game it.

herculity275 · 1h ago
Do you want the industry to go back to only hiring from the top ~20 schools and by word-of-mouth networking? Coz that's the only viable alternative to the current interview process.

antisthenes · 51m ago
> Do you want the industry to go back to hiring from the top ~20 schools and by word-of-mouth networking?

This never stopped and is still the case for "good" jobs btw.

herculity275 · 48m ago
Depends on what your definition of "good jobs" is, but I know plenty of people from no-name unis in third world countries who landed well paying jobs in FAANG thanks to the current process.

tough · 31m ago
He means their bosses are from top 20 schools and didn't get hired because of their skills but their status.

bko · 1h ago
I think it's useful to test which questions they are and aren't prepared for. In the future you won't necessarily know they were an imposter, so it's good to devise and test certain captcha-like questions to tease out the fake from the real candidates.

corytheboyd · 2h ago
> yet fake people are getting hired left and right.

Hate to be that person, but what are you reading that makes you think this is true?

Agree that the article is pretty dumb though, especially the OSINT and Crypto “don’t trust, verify” comments. Feels like content marketing that didn’t really hit.

ta1243 · 2h ago
They're getting interviews left and right

https://www.theregister.com/2025/04/29/north_korea_worker_in...

According to Crowdstrike (the company that wiped out most of global technology last year) at least

> My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly

ductsurprise · 1h ago
> My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly

I'm sure there were a lot of false positives with that question.

If I was not reading HN and a few other sources I would likely hang up the phone too.

Thinking that it couldn't be a real job,... some phishing scam or hoax, asking ridiculous questions like that.

Depending on the job, it is quite likely the real talent would not be able to take the interview seriously after hearing such a question.

Seriously weird times...

psygn89 · 1h ago
That's actually hilarious. Edit: Oops, accidentally responded to you instead of original quote.

eunos · 40m ago
> How fat is Kim Jong Un

Ha if I got asked that during an interview, I'd think either I went to the wrong interview or the interview is a red flag.

tough · 29m ago
In crypto it has become a known joke to ask that before hiring because NK state actors really are focused on it and hacking companies etc.

jwilber · 1h ago
Hired left and right != interviewed left and right != interviewed quite a few at Crowdstrike.

Maybe you’re contributing to the narrative with the posts like above. It’ll certainly drive engagement.

cj · 48m ago
80% of our recruiter's time is spent trying to figure out which candidates are real and which are fake.

It's really, really bad. We post a role, get 500 applicants, and nearly all of them are not legitimate. They all look amazing, really great resume, impressive LinkedIn, etc... but when you dig a little deeper, it's not that hard to find a bunch of red flags (LinkedIn profile create < 3 months ago, VOIP number, using VPN to submit job application, etc). You really have to know what signs to look for. They're very convincing fakes.

We're extremely vigilant about this issue as a company, yet we've had people get through 2 or 3 rounds before someone realized something was off (some people are really, really good at faking it).

I feel bad for small companies trying to hire. For us, it got to the point where we literally couldn't open a role unless we had a full time recruiter to sift through all the international candidates pretending to live in the US.

Edit: We've been dealing with this for a couple years now, and there still isn't a great solution. Unfortunately the only surefire "solutions" we can think of are also things that would make the interview process less enjoyable for real candidates, which sucks. (One idea was to ask candidates to show us photo ID during the video interview, but something about making a candidate do that just doesn't feel good - although we have tried it, and it has effectively stopped a few fake people from getting through)
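The red flags cj lists (a LinkedIn profile created less than three months ago, a VoIP number, an application submitted over a VPN, a claimed US location that the network evidence contradicts) are the kind of thing a recruiting team can score automatically before a human spends time on a call. The following is an added example, not code from Kraken or from the commenter; the applicants are fictional, and the ASN list and phone line-type table are constructed stand-ins for whatever IP-enrichment and carrier-lookup service a team actually uses (hypothetical data, not real APIs).

```python
"""Triage applicant records for the weak signals cj describes.

Added example, not code from Kraken or from the commenter. Every input is
constructed: the applicants, the ASN list and the phone-type table stand in
for whatever IP-enrichment and carrier-lookup services a recruiting team
actually subscribes to.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed: ASNs a hypothetical IP-enrichment feed labels as VPN/hosting.
VPN_OR_HOSTING_ASNS = {"AS9009", "AS14061", "AS16509"}

# Constructed: line types a hypothetical carrier-lookup service returned.
PHONE_LINE_TYPE = {
    "+1-415-555-0101": "mobile",
    "+1-202-555-0199": "voip",
    "+1-646-555-0142": "mobile",
}


@dataclass
class Applicant:
    name: str
    claimed_country: str    # where the resume says they live
    linkedin_created: date  # "joined" date visible on the profile
    phone: str
    apply_ip_asn: str       # ASN of the IP the application was submitted from
    apply_ip_country: str   # geolocation of that IP


@dataclass
class Triage:
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def triage(a: Applicant, today: date, min_profile_age_days: int = 90) -> Triage:
    """Collect weak signals; none of them alone proves a fake candidate."""
    t = Triage()
    age_days = (today - a.linkedin_created).days
    if age_days < min_profile_age_days:
        t.flags.append(f"linkedin_profile_age_days={age_days}")
    if PHONE_LINE_TYPE.get(a.phone) == "voip":
        t.flags.append("voip_phone")
    if a.apply_ip_asn in VPN_OR_HOSTING_ASNS:
        t.flags.append(f"vpn_or_hosting_asn={a.apply_ip_asn}")
    elif a.apply_ip_country != a.claimed_country:
        # Only meaningful when the IP is not a VPN exit: a VPN exit's
        # country says nothing about where the person actually sits.
        t.flags.append(f"ip_country={a.apply_ip_country}_vs_claimed={a.claimed_country}")
    return t


def needs_manual_review(t: Triage, threshold: int = 2) -> bool:
    """Gate to a human check, not to rejection: legitimate candidates use
    VPNs and VoIP numbers too, so a single flag is routine noise."""
    return t.score >= threshold


# Constructed sample applicants (fictional).
APPLICANTS = [
    Applicant("A. Clean", "US", date(2018, 6, 1), "+1-415-555-0101", "AS7922", "US"),
    Applicant("B. Suspect", "US", date(2025, 3, 15), "+1-202-555-0199", "AS9009", "DE"),
    Applicant("C. Traveller", "US", date(2016, 2, 9), "+1-646-555-0142", "AS1299", "FR"),
]
TODAY = date(2025, 5, 1)  # constructed reference date


def run() -> dict:
    """Return {name: Triage} so results can be inspected or asserted on."""
    return {a.name: triage(a, TODAY) for a in APPLICANTS}


if __name__ == "__main__":
    for name, t in run().items():
        print(f"{name}: score={t.score} review={needs_manual_review(t)} {t.flags}")
```

The threshold matters more than the individual checks: a single VPN or VoIP hit is common among honest candidates, which is exactly the false-positive problem the rest of the thread worries about, so the output is a queue for a recruiter to look at, not a rejection.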

tough · 28m ago
Maybe leaving the photo ID ask for when there's suspicion only is fine.

unsupp0rted · 1h ago
There's always that guy on X who posts about having n remote jobs at the same time, waiting to be fired from each so that he can replace its slot with another.

Then next year it's a different guy, same schtick.

sanktanglia · 1h ago
I mean, the article did point out that there were some official emails for other companies mixed in with the info for this user, suggesting they or others have gotten hired and have official emails at other companies.

klodolph · 2h ago
The fake people are sometimes backed by entire teams (the article alludes to this). It’s easier to do well in your job when you’re supported by a team of people, maintaining the fiction that you’re one person.

This isn’t happening left and right. It’s an attack against specific industries, like crypto and finance. It’s one part of a broader pattern of attacks.

ash-ali · 2h ago
Last year's Falcon (CrowdStrike-specific conference), they for the first time ever showed live the interviews of 3 North Koreans trying to get software engineering positions at some Fortune 500 companies. I was baffled that every 'security' question to validate the person is actually in the US gets glossed over, like: "my ID is at my home right now, and I'm in my office so I don't have that with me".

tekla · 1h ago
I mean you see that here on HN right? People claiming that any arbitrary question is something they have no idea about, like the color of their front door.

alwa · 1h ago
I’m not sure I know what you mean—I’m not sure I’d want to discuss the specifics of my living environment here though. Would you have any examples handy?

tekla · 1h ago
If your resume says you live in NYC for example, and I do something like "Man, I went to NYC once and got stuck in traffic on that stupid highway that goes up and down the coast of Brooklyn, what was the name of that thing?" and they respond with I-278, that would raise red flags. I have never heard of anyone calling the I-278 anything but the BQE.

It's just like the bar scene in Inglourious Basterds, with the fingers. There are so many obvious tells you can have people divulge if they aren't actually telling the truth.

krisoft · 37m ago
> "Man, I went to NYC once and got stuck in traffic on that stupid highway that goes up and down the coast of Brooklyn, what was the name of that thing?"

I lived in NYC for a year and I have no clue. My answer would be probably something along the line of "Haha! Yeah. Traffic is terrible in the city... or so do my friends with cars say. I for one take the subway everywhere, so no clue what you are talking about. But sounds like a pain! Hope you were not delayed too long."

> It's just like the bar scene in Inglourious Basterds, with the fingers.

The problem is that's a work of fiction. These shibboleth tests work great in fiction where the author has full control over the whole universe. Work less well in reality where "universal" signals turn out to be a lot less universal. You will have a ton of false positives and a ton of false negatives.

kelseyfrog · 2h ago
If this harms the crypto industry even a little I'm not sure I'd feel even a twinge of sympathy. Is there anything I can do to assist NK in these affairs?

klodolph · 2h ago
“These people (crypto industry) are bad people so it is justified to ignore the rule of law when hurting them” is a classic bad take. What you can do is regulate crypto into oblivion and make people feel bad about working in crypto.

If you assist NK, then you’re hurting crypto but you’re funding NK operations (e.g. NK soldiers assisting Russia against Ukraine).

kelseyfrog · 1h ago
If I don't assist NK then I'm tacitly assisting the crypto industry. We're in trolley problem territory now.

catlikesshrimp · 1h ago
False dichotomy territory. You can assist neither of them and be happy.

klodolph · 1h ago
You’re on a roll.

danielvf · 2h ago
It used to be only against specific industries, but now it's evolving. Now they have groups just going after remote IT jobs regardless of industry.

nradov · 51m ago
Beyond just the salary, once they have access to the corporate network they can execute other attacks to steal from company accounts and infiltrate connected business partners. Most organizations still have very weak protection against insider threats.
hn_throwaway_99 · 6m ago
Couldn't agree more. While I might not be as harsh against the blog post author, they made it seem like they were doing some high-level reconnaissance work, and at the end of the day the thing that made the NK candidate "unravel" was questions like "tell me about some restaurants in your town".

All this goes to show is that, for many companies, their hiring process for offshore employees is so sad that basic human interactions that would easily uncover blatant attempts like this are skipped.

data4lyfe · 1h ago
You really have to just ask dumb interview questions. We're now testing them on answering questions while putting a hand over their face or covering their eyes. It's really dumbified our interview processes (see https://datastream.substack.com/p/my-foolproof-interview-que...)

duxup · 1h ago
I know some good folks who work in the security industry.

It seems like there's a very WIDE range of quality people / companies, and an awful lot of complete FRAUDS.

For whatever reason "security" seems to have attracted a lot of carpetbaggers.

The good folks are very sensitive about it.

donnachangstein · 1h ago
Absolutely! It's probably 90/10.

Nothing gives someone away as a poser as much as bragging about OSINT as if it's some sort of tradecraft meanwhile they're executing the same skills your average wine aunt does stalking her ex-boyfriend on Facebook.

sam-cop-vimes · 2h ago
This sounds unnecessarily dismissive. It was a quick and interesting read, and there are some useful data points for every company that is hiring to improve their processes.

z3t4 · 1h ago
> Something in the industry as a whole is quite broken.

The problem is that it's very difficult to assess how good someone is in their job. The solution is to promote the best engineers into management so they can vet the candidates.

nradov · 48m ago
The best engineers don't necessarily make good resource managers. Often it's the opposite. But good managers and recruiters will involve engineers early in the hiring process.
mvdtnz · 27m ago
You need to keep in mind that only the dumbest people on Earth remain in the crypto space in 2025.

rvz · 1h ago
> What bothers me more is there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.

It IS "broken" by design, as employers just don't want to go through the effort of finding great candidates (even if they are truly exceptional), and now it is even easier for candidates to cheat it thanks to AI.

The ones claiming to "fix" it aren't fixing anything and are making it worse for both the interviewer and the candidate and are just extracting money from the process.

The reality is, there is no fix.

zdragnar · 1h ago
Even at small startups, posting engineering jobs will get you hundreds of applications a day. There's simply no way for employers to fairly go through them.

LinkedIn et al make everything worse by making the application process so easy.

If you're a small company, the fix is to outsource the top of your funnel to a recruiting company you trust.

If you're a medium or large company, the fix is to require on-site work.

ryandrake · 53m ago
This isn't really a new problem. I remember back during a previous tech downturn, the small-ish (~200 people) no-name company I worked for also got hundreds of applications a day. Yes, today, fake candidates and AI make it worse, but fundamentally the "huge number of people in the top of the funnel" problem has been a thing for a long time.
libraryatnight · 1h ago
Dude you ain't kidding. Security is all SaaS sales now and chasing corporate buzzwords, it's not security they're selling, it's insurance and the ability to outsource blame when you get popped.

Get a new CISO? You'll probably be buying the software from the last company he worked with and spending the next 3 years installing it all over just in time for them to declare mission accomplished you are secure and move on to the next square in the C-suite game of Life these dudes play. Then there's the people beneath them who want to be them mucking up the system playing get to the c-suite and not 'secure the company' or 'build good things'

Oh and if you've gone public your core business is probably on auto pilot with some gremlins keeping it running while your execs placate shareholders with layoffs and introducing AI.

People who actually want to do things, help people, and understand why the work needs done and is worth doing (the work that is anyway) are burnt the fuck out.

ta1243 · 1h ago
It took me worryingly long in my career (like 20 years) to realise that the CTO doesn't care if the technology solutions work, or if they're cost effective. What he cares about is not being interrupted on the golf course.

If you have a system that is down for 12 hours 3 times a year, it's fine - as long as a lot of other companies are also down. If you have one that's down for 2 hours once every 3 years, but you're the only one affected, that's terrible. Not because you're "losing sales", but because you can't bemoan a common supplier, point to "it's a global problem", and then get taken for a nice apology lunch by the account manager when your bill goes up 10% next year.

tinktank · 1h ago
Why the condescending negativity? What would they rather have done instead?

Multiplayer · 2h ago
Here's a heretical thought: Remote hiring is a massive achilles heel.

I've been duped simply by hiring a great engineering candidate who then farmed out the actual work to remote workers in Pakistan and India. We caught on fairly quickly thanks to one of them forgetting to login to one of our backend systems via vpn a few times. No idea how many companies he was "working for" but I'd bet we were one of many.

Remote work has amazing upsides and tremendous security implications.
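The way Multiplayer's subcontractors were noticed, one of them forgetting to connect through the VPN, is a detection any team with authentication logs can run on purpose instead of by luck. The following is an added example, not code from the commenter's company: the auth log lines, the VPN address pool and the tiny IP-to-country table are all constructed (using documentation and TEST-NET ranges) and stand in for a real log source and a real GeoIP lookup.

```python
"""Flag employee logins that bypass the VPN the account is expected to use.

Added example, not code from the commenter's company. The log lines, the
VPN pool and the IP-to-country table are constructed (TEST-NET ranges),
standing in for a real auth log and a real geolocation database.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed: addresses the corporate VPN hands out to remote staff.
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")

# Constructed geolocation table; a real deployment would query a GeoIP db.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "PK",
    ipaddress.ip_network("198.51.100.0/24"): "IN",
}

# Constructed auth log for one morning (fictional users and addresses).
SAMPLE_LOG = """\
2025-04-02T08:58:11Z user=jdoe src=10.8.4.21 result=success
2025-04-02T09:02:40Z user=asmith src=10.8.7.3 result=success
2025-04-02T09:12:03Z user=jdoe src=203.0.113.45 result=success
2025-04-02T09:40:57Z user=jdoe src=198.51.100.7 result=success
2025-04-02T10:05:19Z user=asmith src=192.0.2.10 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(line: str):
    """Return (timestamp, user, ip, result) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], ipaddress.ip_address(m["src"]), m["result"]


def country_of(ip) -> str:
    for net, cc in GEO.items():
        if ip in net:
            return cc
    return "??"


def detect(log_text: str, window: timedelta = timedelta(hours=1)) -> list:
    """Return alerts as (kind, user, detail) tuples.

    non_vpn_login:  a successful login from outside the VPN pool; a single
                    one of these is what exposed the subcontractors above.
    split_presence: the same account succeeding from two different
                    countries within `window`, a sign the credential is
                    being shared rather than used by one person.
    """
    alerts = []
    last_geo = {}  # user -> (timestamp, country) of last non-VPN success
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev[3] != "success":
            continue
        ts, user, src, _ = ev
        if src in VPN_POOL:
            continue  # expected path; the VPN hides the real location anyway
        cc = country_of(src)
        alerts.append(("non_vpn_login", user, f"{src} ({cc})"))
        prev = last_geo.get(user)
        if prev and prev[1] != cc and ts - prev[0] <= window:
            alerts.append(("split_presence", user,
                           f"{prev[1]} then {cc} within {ts - prev[0]}"))
        last_geo[user] = (ts, cc)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises two non-VPN logins for jdoe and one split-presence alert, because the second and third successes come from different countries 28 minutes apart. In practice the non-VPN rule is the one that fires first and cheapest; the split-presence rule is what distinguishes "forgot the VPN at home" from "someone else holds the password".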

causal · 2h ago
So that's probably a sign that your team culture and management isn't the best... Healthy teams communicate a lot and really get to know each other, whether in person or remote. Ideally with regular in-person meetups to reinforce those working relationships.

If you're just throwing work over the fence and it takes network analysis to figure out who's doing it...then maybe you should just be hiring a contractor anyway.

sanderjd · 1h ago
Yeah I similarly find this baffling. This very flatly would not work in any job I've had, whether in person or remote.

skippyboxedhero · 1h ago
I have worked in places where this would work...all terrible places that usually had someone with a "maverick" view of how organizations worked derived from reading Warhammer books or something.

herculity275 · 59m ago
> with a "maverick" view of how organizations worked derived from reading Warhammer books or something

Did they want to serve the god emperor of SAAS?

qingcharles · 1h ago
I had a colleague doing this in 2006, and he wasn't remote. He would just sit playing games on his phone all day yet he would check in code. I could never figure it out, so I just asked him and he showed me the chat window to his friend back in the Czech Republic that he paid 25% of his wages to each month.

ryandrake · 1h ago
I'm not sure I'm really against this! --IF-- the company is happy with the results and code being delivered, and the compensation they are paying for that code, what is the actual, meaningful business difference between whether your colleague wrote it or the Czech guy wrote it?

I'm not asking what the moral or ethical difference is. They're paying for engineering output, and if they are getting that output, why does it really matter whose fingers are typing it in?

herculity275 · 54m ago
I can think of a few reasons, most obviously that it's a security nightmare - you've got a non-employee accessing and modifying your company's code and possibly having access to customer data. Some shops might not care about this, but it's ridiculously irresponsible in principle.
ryandrake · 40m ago
What if, instead, the guy was 100% honest and up front about it, and offered to enroll the Czech guy in all security checks that any other contractor would get, and treat them legally as any contractor would be treated?

I wouldn't see anything wrong with this, but I would be willing to bet that 99% of companies would not go along with it--for reasons I'm not sure I understand.

sally_glance · 47m ago
Ironically if he told management that he's able to manage a remote team which provides the same amount of work for 25% cost there's a good chance they give him a raise and promotion to outsourcing manager /s

ryandrake · 1h ago
I don't think this has anything to do with remote vs. onsite work. It has more to do with remote vs. onsite interviews. A thorough onsite interview should catch all of these fake candidates. Companies should be doing at least one onsite interview regardless of whether the role itself is remote or onsite.

vunderba · 4m ago
A friend of mine's company is completely remote only, but they use a shared workspace to conduct interviews for exactly this reason.

hughes · 43m ago
A very easy way to verify a remote candidate's identity is to buy them a plane ticket to an in person interview.

If they cannot board a plane using their claimed identity from their claimed city of origin, you can stop there.

sam-cop-vimes · 2h ago
Totally agreed. The number of "engineers" who try to cheat their way through interviews or juggle multiple jobs without disclosing them makes it a total nightmare.

beezlebroxxxxxx · 2h ago
I've heard through the grapevine of some designers (one who worked at Shopify) getting caught using Fiverr (or something similar) to farm out all of their work.

Despite all the weird crazy dog and pony show and jumping through hoops that most companies do now, most companies are abysmal at hiring.

criddell · 1h ago
What can you do during the hiring process to know that this amazing person, who aces every part of the interview, will farm out their work to cheap subcontractors?

darepublic · 1h ago
Nothing I guess? Except that they will continue to be vetted after being hired for the quality of their work.

Just spitballing, but even if someone has a remote computer after getting hired and is onboarded, they should not have access to sensitive systems. So while you can't completely prevent the possibility of hiring a malicious actor, security should not simply be on/off. The Register article mentioned how after these devs were hired they were immediately able to kick off their plans. I think security is not structured properly if that is the case.

qingcharles · 1h ago
It's hard. I mentioned in another comment I had a work colleague in 2006 who farmed out all his work. He was capable of doing the job, but it was simply more enjoyable for him to play video games all day while someone else did the work for 25% of his salary.

sanderjd · 1h ago
The thing I'm always curious about with this is: What is the actual bad thing happening here?

Is the subcontracted work not good enough? Well, then the problem is that the work is not good enough.

Is the person not contributing in other ways that you want them to contribute because they have other jobs? (eg. chat conversations, meetings, team building, etc.) Well, then the problem is that they aren't making those contributions.

Or is it just that you're paying them more than you would have to pay the subcontractors if you found and managed them yourself? Well, then you are totally free to skip the middleman and do that yourself. But there is, actually, value in finding and managing freelance work. I certainly don't want to do that myself! If someone is good at doing that, and the quality of the work they are managing is acceptable to me, then it seems like they might be earning their paycheck?

I do get that the dishonesty element is bad in and of itself, but I honestly wonder whether, if this is a problem a firm is having, they should consider hiring the work out to subcontractors, without any subterfuge.

criddell · 1h ago
Where I work, it would be sharing of credentials and lying (or at least being dishonest) about who did the work.

sanderjd · 1h ago
Yeah I hear that. My underlying point here is: Maybe you don't actually need a full time employee doing this job, if someone can successfully do it by spending a little time farming out to subcontractors.

ferguess_k · 2h ago
Some people did this with in-office too I think, some years ago. Some people actually had two jobs, both sort of in-office. It's still possible to pull the tricks.

financypants · 50m ago
The rate of this happening has got to be so low it's negligible.

ferguess_k · 37m ago
I agree. It's kinda hard to pull this off. Just saying.

woah · 1h ago
The funny part is that in these stories about fake candidates using a whole team of people, it sounds like they are actually successful in doing the work, something that had not been achieved in software dev outsourcing before

eloisant · 1h ago
Between this and legit candidates cheating with AI, I think we'll soon see the return of on-site interviews - even for remote positions.

pokstad · 2h ago
Don’t forget remote workers who are required to work in one area and then travel to restricted areas and continue to work.

tomrod · 1h ago
Unless you're in a regulated industry, you might just have a new cost reduction strategy presented to you.

corytheboyd · 2h ago
How do weekly 1:1 meetings with a manager not catch this very quickly? Okay, maybe the original suave interviewer comes back for those… Still feels like a good EM would pick up on discrepancies between work done and how the suave person talks about it.

It depresses me, but you’re probably right about in-office work being the only guarantee against this type of scam. I wish we could just have nice things.

noitpmeder · 2h ago
This isn't necessarily the issue here -- this attempt seemed to be fairly motivated and had access to resources (AI, coaches, ...) to help them get through the process.

IF they can get such a 'candidate' hired... what's to say they couldn't continue the sham. One could imagine a team of hackers could easily pass off work that a single IC could reasonably have produced.

If their goal is exfiltration (or some other hack) of a {bitcoin exchange, govt, ...} actually putting in {weeks/months/year[s]} of actual work to insert someone into the right position at the right company is insanely worth it.

ta1243 · 1h ago
Do you not have regular calls with teammates?

Sure I guess someone could physically turn up to an office to collect a laptop, be onboarded, get ID checked, then dial in to a few hours of meetings a week, muddle through any questions, rely on the team back at base helping, turn up in person to team get togethers every few months and manage to bluff their way through. It's not unprecedented - Frank Abagnale was running that type of con decades ago, Russia had the "Illegals" program of deep cover spies.

That's not exactly low cost.

corytheboyd · 1h ago
Yeah, that feels more right, and feels like a problem that is only going to get worse.
barbazoo · 2h ago
I also can’t imagine this not getting caught if not in the interview process surely during every day work. Maybe this says more about their work culture and not actually connecting with co workers. Perhaps the manager was just garbage who knows.

fhd2 · 2h ago
On their first day, they will get a lot of accounts; if they syphon data and set up backdoors quickly, one day could be enough to cause a good chunk of the damage.

Saddens me a bit. I like to trust hires and give them pretty wide access to everything. For my own company, I've so far only hired people I worked with in the past, but when hiring strangers remotely, I'll probably have to rethink my trust-first model.

barbazoo · 1h ago
True, personally I have never gotten much of my access the first day, week or even month but it's certainly possible. Not sure though if syphoning data is the main goal here though as opposed to 1) syphoning money to NK or 2) planting backdoors.

whatnow37373 · 2h ago
Hate to be that guy, but.. what’s the problem? The work is getting done for the price you agreed on. You care how it’s done suddenly?

If AI does it, it’s the best thing since sliced bread.

I’m sorry but capitalists that want to have it both ways annoy me. Agree on what gets delivered for how much and get out of the way. The “employer” mindset doesn’t jibe with the capitalism y’all are so fond of.

mr_mitm · 2h ago
An arrangement like that is probably violating data protection rules that everybody agreed on. In my company, customer data must not leave company systems, let alone the country.

whatnow37373 · 1h ago
I get the security issues, but let’s be honest. It’s not about that.

The poster included a sneer about “work”. This is about something else.

triceratops · 41m ago
It may cause the company to violate data protection, privacy, labor, and tax laws.

badmintonbaseba · 2h ago
If you don't want to be an employee then don't sign an employment contract.

whatnow37373 · 1h ago
Ah, now suddenly you not only need to deliver work but you need to behave in a certain non-specified way. The contract then should arrange for that and perhaps pay extra because it’s a sign of dysfunction.

dboreham · 2h ago
And yet: do the same thing with AI and you're a cutting edge genius.

mattlondon · 2h ago
Yep. It started with COVID where understandably 100% of interviews were remote.

But now with COVID a thing of the past, for "fairness" reasons (DEI?) we still do 100% remote interviews, but now have the ludicrous situation where we're asking interviewers to do absurd things like look for the reflections in the candidates' eyes/glasses to see if they're using ChatGPT, ask the candidate to swing the webcam around to make sure there are not other people in the room, ask them to hold their hands up to the camera to show they're not typing a prompt (which is even more stupid than it sounds because voice recognition is amazing these days), or ask them not to look away from the camera when answering questions (so not reading answers from another monitor) and other stupid things. How ridiculous.

The sooner we get back to in-person interviews the better. Get them to come to the office (which they'll need to do one day if they get the job) and sit next to them while they code on a work laptop.

Sorry to all those folks who want 100% remote, but this is why we can't have nice things.

sanderjd · 1h ago
And similarly forbid them from using AIs while they code on that work laptop in person? Are employees forbidden from using AIs for work? If not, why require that during evaluation? If it's not required during evaluation in person, why require it remotely?

(I don't know the answers to how to interview in this brave new world, but I'm increasingly skeptical of forbidding tools that people will be using for the job.)

suzzer99 · 1h ago
Because job interviews don't test real-world programming skills, which is a whole other issue.
willcipriano · 1h ago
I think the best interview question, and really the only one you need to determine technical ability, is to ask someone to describe an HTTP request in as much detail as possible.

To write code (even with the benefit of AI) effectively you need a mental model of the systems you work with; reading the ChatGPT response doesn't prove you have that.

nradov · 40m ago
That's a stupid interview question for the vast majority of software jobs. Many people don't work with HTTP or web software at all.
Espressosaurus · 1h ago
My suspicion is that it's purely monetary and driven by the finance people.

a) Don't have to pay to fly candidates out, pay for their hotel, etc.

b) Don't have to pay relocation

c) Get access to a larger pool of candidates, so can price the wages lower than local wages would require

At my last company there was a top-down directive that in-person interviews were straight up not allowed, everything had to be over Zoom. Even for local candidates, for a job that was supposed to be in-person! Completely crazy IMO.

sanderjd · 1h ago
The advantage of a larger pool of candidates is not mostly a financial benefit, IMO. The benefit is mostly the ability to hire from a larger pool of people especially with a specialized skillset, and also to have less of an echo chamber.

But yes, that directive to interview local candidates over Zoom does seem very silly.

Espressosaurus · 1h ago
My experience is that yes it opens up the wider pool, but it makes the filtering process much more difficult in trade.

Opening up the wider pool without the in person interview is where things hit the wall since the filtering criteria everyone learned over their careers went out the door thanks to the online interview process. And the online interview process is much more subject to cheating--not exactly a huge concern in-person.

eloisant · 1h ago
Only a) is valid, as you can fly candidates for interviews and have them go back to their home city to work remotely.
exhilaration · 1h ago
Yeah after a disastrous remote hire I started requiring in-person 2nd round interviews. Company policy is that all future hires are hybrid only (not that we or anyone else is hiring these days...) so it just makes sense.

For developers I share my screen on MS Teams so everyone can watch, then hand them my laptop with Visual Studio. They've got 90 minutes to complete a small assignment while we look at them code - Google is allowed, so is copying and pasting from Stack Overflow, and we'll probably allow Copilot as well. The code needs to run and return the expected results. One candidate said, "this was great, it felt like real work".

For cloud admins, our DevOps lead creates a new resource group, hands over his laptop, and we ask them to create a few resources and do the network and authentication to make them talk to each other. Most candidates can't do that anymore - we're finding they've become Terraform operators that don't know how the underlying technology works.

emchammer · 1h ago
If you want to work as a clerk at Target, the video is not even an interview, it’s a one-way audition you record to be judged anonymously.
tehjoker · 54m ago
COVID isn't in the past, just no one doing anything about it. :)
stavros · 2h ago
This is an interesting article, but doesn't this:

> our Red Team launched an investigation using Open-Source Intelligence gathering (OSINT) methods.

basically mean "some guys in the company googled him"?

spacebanana7 · 2h ago
You can go further. Reach out to data brokers and see whether they've got any information from ad tracking / leaks.
stavros · 2h ago
Is that OSINT, at that point? I guess maybe if you get a free trial, but isn't that stretching the definition a bit?
42lux · 2h ago
Sophisticated.
anonymousiam · 1h ago
Commenting on the events, CSO Nick Percoco, said:

“Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks.”

It's funny to see the CSO of a crypto firm say this. It's the opposite of the whole way crypto works. In crypto, the transaction is processed (trusted) if all the credentials and keys are correct, regardless of who's behind it.

udev4096 · 1h ago
Apart from that, he is running a crypto exchange which is completely against the whole ideology of bitcoin and other notable crypto. The guy is a fucking joke. Every crypto exchange has been extremely shady, from coinbase to binance to tether. Kraken is no different
gouggoug · 36m ago
Not to mention the silliness of this statement: "This core crypto principle is more relevant than ever in the digital age"

I wonder what crypto-currency looked like before the digital age...

Edit: added -currency suffix to crypto :p

arandomhuman · 20m ago
One time pads, enigma machines, Caesar ciphers :p
orbital-decay · 1h ago
I don't see anything about the guy being North Korean in the article. It's pure clickbait full of bragging about "our DNA".

> Their resume was linked to a GitHub profile containing an email address exposed in a past data breach.

How is it an indicator of anything? Any actively used e-mail address that is older than a few years will be listed on haveibeenpwned.

layer8 · 1h ago
The establishing link was this:

> We received a list of email addresses linked to the [North Korean] hacker group, and one of them matched the email the candidate used to apply to Kraken.

udev4096 · 1h ago
> Any actively used e-mail address that is older than a few years will be listed on haveibeenpwned.

Which is why everyone needs to switch to passkeys. It's crazy that we still use passwords for authentication

moshegramovsky · 1h ago
100%. There is a bragging tone that felt completely unwarranted. Like being on a date with someone who is really insecure.
noitpmeder · 2h ago
> Before this interview, industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies.
> We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken.

This doesn't sound so impressive?

This single red flag should invalidate the candidate immediately, end of story.

sam-cop-vimes · 2h ago
The article explains why they didn't invalidate the candidate immediately. They wanted to learn how they operate.
Dachande663 · 2h ago
From somewhere in the depths of an old reddit thread, someone recommended asking candidates "How fat is Kim Jong Un?" Instant hang-up.
arduanika · 1h ago
In the depths of an old reddit thread, OR in a different thread that happens to appear today, alongside this one, on HN front page!

https://news.ycombinator.com/item?id=43853382

Capricorn2481 · 46m ago
I'm with others: This is a silly anecdote from Crowdstrike of all companies. If I was asked how fat Kim Jong Un was, I would probably wait for some kind of "I'm kidding," and hang up if I didn't get it.

I don't believe they are earnestly identifying spies, even if they believe it. Not that they need spies to hack our system anyway, they managed to bring half the country to a halt by themselves.

the_af · 2h ago
Why would this work? Spies are trained to behave like the host country would expect, why wouldn't hackers?

If hackers have access to the outside world (something they would need to be effective), they'd know the world thinks Kim is fat.

"He's very fat, haha!", end of story.

Edit: wait, or better yet: "how on earth would I know, and why are you asking this in a job interview? Is this because I'm Korean? I'd like to file a complaint with HR, what was your name again?"

danielvf · 2h ago
These aren't spies first. They are often children of well to do, high loyalty group North Koreans. It's just a privileged job.

The skill and IQ level varies widely, from super smart to super unskilled. And these roughly get sorted out into different groups with different MOs. North Koreans aren't some uniformly skilled group. You could be targeted by a team of world class bytecode exploit geniuses who rehearse every move, or by the equivalent of Milton from Office Space.

Dissing Kim is something that is not currently widely permitted in NK. It just isn't worth it personally.

Not saying no one from NK ever will, but so far almost everyone will immediately stop the conversation at this point. There are plenty of crypto people who have monthly or weekly encounters with NK job applicants.

the_af · 2h ago
I find this answer highly implausible, not least because maintaining cover doesn't count as dissing ("I infiltrated the org by telling them the lies they wanted to hear" is hacking 101). Also, North Koreans aren't dumb.

I find some people's attitude to NK hackers slightly schizophrenic: either they are a credible threat or they are amateurs. Which one is it?

> Dissing Kim is something that is not currently widely permitted in NK

This wouldn't be "widely", this would be a specific interaction with a hostile foreigner for the purpose of infiltrating them. It's not the same as being allowed to say this to fellow North Koreans.

> Not saying no one from NK never will, but so far almost everyone will immediately stop the conversation at this point.

Legitimate candidates would at this point too, so as a tactic this is useless.

danielvf · 1h ago
I am saying they are both a credible threat and many are amateurs. Those are not mutually exclusive.

You are talking about North Korean attackers from a theoretical point of view. For many people dealing with them is just a normal part of work. It's not an unknown that needs to be worked out logically from an armchair.

I'm saying this as someone who personally chatted with a North Korean persona that later tried to drop exploits on people, and the persona belonged to a hacking group with at least one 50 million dollar heist. I've also seen the screenshots of many chats with North Koreans.

smallnix · 2h ago
Not sure some rank and file 50ct army "hacker" wants to take the risk to insult their god-dictator.
the_af · 2h ago
If he's acting under NK command, this wouldn't be insulting, it's just doing a hacker's work.

Besides, you cannot have it both ways: either North Korean hackers are a "50ct army" or they are a credible threat. Most seem to be arguing they are a credible threat.

Also, he can always take the second option: "why are you asking about this in a job interview?", something many legitimate Korean candidates could ask.

ianhawes · 1h ago
This is pretty boring. Let me know when you drop an implant on their host device and move laterally to other attackers' devices, or engage in a long con and get them to travel to a US-extraditable country.
rs186 · 2h ago
> asking the candidate to verify their location, hold up a government-issued ID, and even recommend some local restaurants in the city they claimed to be in.

I don't know, if I run into these questions in a job interview, especially with a small, less known company, I would be having serious questions about what this company is doing

TechDebtDevin · 1h ago
"yeah, could you just hold up that ID please... Thanks, also a few more questions... Who was your favorite teacher, and what was the first car you owned?"
65 · 1h ago
"Hah, I love software engineering, like my mother did. After all, her maiden name is Smith, and she used to be called a codesmith! What's your mother's maiden name? Maybe it also makes a funny engineering pun!"
koliber · 1h ago
I’ve had 4 such people interview. These guys were much easier to spot than the one at Kraken. I wrote up an article about how to spot these fake North Korean devs.

https://koliber.com/articles/how-to-avoid-hiring-a-north-kor...

crorella · 17m ago
I think they detected instead of identified, as far as I know they didn't get the identity of the hacker.
ThinkBeat · 2h ago
Someone said that North Koreans are trying to get jobs. Ok

Then they had a candidate who was trying to cheat the system.

How did they establish and verify that the candidate was North Korean? Are North Koreans the only ones who try to remote work by lying about their whereabouts?

Not at all.

If you live in a country outside of the US and you see the money software people make in the US it is mighty tempting to land a gig.

The fact that the person made simple mistakes and needed to be coached does not sound like a North Korean state operation.

If someone had told them Russian hackers are trying to get jobs.

Would they have assumed the person was Russian?

layer8 · 1h ago
The article notes the following as the establishing link:

> We received a list of email addresses linked to the [North Korean] hacker group, and one of them matched the email the candidate used to apply to Kraken.

abhisek · 56m ago
This is happening with high value crypto companies with large security teams. Imagine what happens when OSS maintainers are asked to work on GitHub repositories with malicious code as part of fake job interviews?

If it's not insider access then might as well hack an OSS maintainer and publish a malicious open source package that everyone depends on to reach your target organization.

TheGCMadeMeDoIt · 2h ago
I fail to understand the whole "advancing the candidate through the interview to learn more about how they do this" plan.

They already knew the candidate's name, email, and GitHub were all part of past breaches. I could understand if they were fishing for more information to contribute to a shared list, but it seems like they knew virtually everything they needed to know.

Asking the candidate to justify the inconsistencies outright would've been just as helpful as the final interview IMO.

Is there something I'm missing there?

klodolph · 2h ago
Dollars to donuts the NK team is reading this article and adapting their strategies. IMO, rather than ask candidates to justify inconsistencies, you should forward the information to law enforcement and tell the candidate you’re hiring somebody else.
TheGCMadeMeDoIt · 2h ago
Well they claim the final interview involved asking the candidate very specific questions about the town they claimed to be living in, and hold up government issued ID to the camera.

My assumption based on this was they weren't certain it was someone malicious and they were double checking their own conclusion. If not it makes no sense to tip the candidate off that you're suspicious about them.

At that point I'd say asking the candidate outright is better than playing a weird game of "Name 5 restaurants not on Google maps in the town you live in".

But if they were sure, then yeah, skip the interview altogether and forward the information to law enforcement.

CharlieDigital · 1h ago
> "Name 5 restaurants not on Google maps in the town you live in"

I'm definitely a US based human and no way I get this right.
renewiltord · 2h ago
Right, so if you have a tell-tale sign, you concoct a story around other things instead. Parallel construction. They fix all the silly things but you still have the tell-tale.
cosmicgadget · 2h ago
> our security and recruitment teams strategically advanced them through our rigorous recruitment process – not to hire, but to study their approach.
mystraline · 2h ago
It's quite telling that in order to get interviews, you have to basically lie your way in with various generative AI.

Whereas, I've been looking for quite a while, with very few bites. And nobody so far on HN Who's hiring responds, except for a place that seems to want 60h/week and pay for 40h/week.

Being genuine and truthful in the age of generative AI, LLMs, quiet quitting, /r/overemployed (on the sly working multiple 40h week jobs).... Being honest in this environment seems to be a losing endeavor.

klodolph · 2h ago
I’m a little skeptical that generative AI is an effective way to land a job.

It doesn’t really seem like it helps that much in résumé generation. Are people applying to enough hundreds of jobs that generative AI helps you keep up with the sheer volume of text you need to send? Some people are… but these aren’t people who know what good résumés look like, because those people write their own résumés, and these people aren’t people who are good with LLMs, because that skill is in-demand.

I think it’s just a tight, tough market. What I’ve seen is job searches that take longer and have higher standards. You’re competing with a larger pool of experienced candidates. And various companies are worsening the work conditions because the market favors it (and they want “unregretted attrition”).

It’s hard not to be cynical. But I think it’s just a shitty market to be looking for a job, it’s not a paradigm shift that favors dishonesty.

JumpCrisscross · 2h ago
> confirming the signal chat leaks were real

To the degree I skim resumes for anything nowadays, it’s AI slop. Automatic bin.

ninjazee124 · 2h ago
This is pretty common stuff I saw with just even regular startups with remote applicants -- I take their claim that it was NK hacker with a grain of salt.
junon · 2h ago
The interview a friend conducted a few weeks ago had a rich GitHub account of shoddy code across what was no less than 15 different languages, and a lot of it, all with names related to interview questions (many having the company name in them).

The interview call over zoom was clearly an AI avatar, and the answers were verbally spoken but constructed in a "bulleted" way that an LLM might produce.

All of the timestamps in the commits were made with the KST timezone.
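The commit-timezone tell mentioned above, as an added example that is not part of the thread or any project's code: it parses constructed `git log --format='%H %ai'` output (fake hashes) and flags commits whose recorded UTC offset is not one the candidate's claimed location could produce. The set of plausible offsets for the claimed location is an assumed input.

```python
"""Added example: compare the UTC offsets recorded in git author dates with the
offsets a claimed location could plausibly produce (standard time and DST).
Treat this as a weak signal only: the offset comes from the committing machine's
clock configuration, which anyone can set to anything.
"""
from collections import Counter
from datetime import datetime

# Constructed sample in `git log --format='%H %ai'` form; hashes are fake.
SAMPLE_LOG = """\
a1b2c3d4 2025-03-03 09:12:41 +0900
b2c3d4e5 2025-03-04 22:05:10 +0900
c3d4e5f6 2025-03-10 13:47:02 +0900
d4e5f6a7 2025-04-01 08:30:55 -0400
"""

# Assumed input: offsets a candidate claiming US Eastern time could legitimately
# produce (EST and EDT). Supply the equivalent set for the location claimed.
CLAIMED_US_EASTERN = {"-0500", "-0400"}


def parse_log(text):
    """Yield (commit_hash, aware datetime) for each `%H %ai` line.

    `%ai` renders the author date as 'YYYY-MM-DD HH:MM:SS +HHMM'; the trailing
    field is the offset the author's machine reported when committing.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, date, time, offset = line.split()
        dt = datetime.strptime(f"{date} {time} {offset}", "%Y-%m-%d %H:%M:%S %z")
        yield commit, dt


def recorded_offset(dt):
    """Render a datetime's UTC offset the way git prints it, e.g. '+0900'."""
    return dt.strftime("%z")


def analyze(text, claimed_offsets):
    """Tabulate recorded offsets and list commits outside the claimed set.

    Returns (offset_counts, mismatches): a Counter keyed by offset string and a
    list of (commit_hash, offset) pairs whose offset is not in claimed_offsets.
    """
    counts = Counter()
    mismatches = []
    for commit, dt in parse_log(text):
        offset = recorded_offset(dt)
        counts[offset] += 1
        if offset not in claimed_offsets:
            mismatches.append((commit, offset))
    return counts, mismatches


def dominant_offset(counts):
    """Return the most frequent offset, or None for an empty history."""
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    counts, mismatches = analyze(SAMPLE_LOG, CLAIMED_US_EASTERN)
    print("offset counts:", dict(counts))
    print("dominant offset:", dominant_offset(counts))
    for commit, offset in mismatches:
        print(f"commit {commit} recorded {offset}, outside claimed offsets")
```

On the sample history three of four commits carry +0900 while the claimed location only allows -0500/-0400, so the dominant offset itself is the flag; a single outlier commit on a real history deserves no weight.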

eunos · 48m ago
> The candidate used remote colocated Mac desktops but interacted with other components through a VPN, a setup commonly deployed to hide location and network activity.

How could Kraken find this out based only on a video call?

danielvf · 2h ago
North Korea's efforts have been evolving.

In the past, they just tried to break into bank computers, then into crypto companies' computers. For the last two years, they've been working on getting people into crypto companies.

But now they appear to have enough people to spare that they also have groups working on "honest" employment as remote workers, who may not even have theft as the first thing on their mind.

Here's a federal case where a US woman was convicted of helping North Korea steal the identities of 70 people, and then remote in as them, to do remote work:

https://www.justice.gov/usao-dc/pr/arizona-woman-pleads-guil...

jborden13 · 1h ago
It's not just crypto, nearly all orgs at this point. As someone building in this space, it's pretty clear the N Koreans developed a deepfake toolkit that is being used/sold amongst the N Korean hacking groups there. Apparently it is for acquiring laptops, salaries to funnel to the State, and internal systems access for further damage.
nikcub · 40m ago
The North Korean efforts are amateur compared to government intel ops either placing or recruiting employees at large tech firms.
lmeyerov · 1h ago
We had something similar earlier on at Graphistry. It was pretty obvious, especially by the time of video screens. We are still unsure whether it was a hacker or just someone avoiding their history/nationality.

- online history was sparse and somewhat mismatching, and weird profile image reuse

- unexpectedly strong accent in calls, does not show video

- background reference checks a mess

tough · 32m ago
Just ask them to badmouth their leader on interview.
s-mon · 1h ago
Geee · 1h ago
Seems like they wanted to be obvious. At the same time they got their real hacker in. Typical diversion tactic.
lawgimenez · 1h ago
The lack of proof is disturbing, a redacted screenshot would be nice.
sltr · 2h ago
Reminds me of the Lazarus Heist [1]

[1] https://www.bbc.co.uk/programmes/w13xtvg9

Jcampuzano2 · 2h ago
If people are hiring this sort of applicant I'm of the opinion they kind of deserve to be "pwned". The most basic of process should have weeded this dude out instantly at any modern company.

I'm sure this wasn't a case of the most advanced/sophisticated attempt from North Korea and other bad actors, and probably just a case of them casting a wide net. But regardless based off of this writeup and the video shown dude should have never been given the time of day.

Havoc · 2h ago
Is there an uptick in this? Feels like there are suddenly multiple stories about it.
ecocentrik · 1h ago
I'm surprised it wasn't the government sanctioned haircut.
paradite · 2h ago
I wonder if this is just a decoy to get the more sophisticated candidate in.
dabber21 · 2h ago
I wonder if something like eIDAS could help here (at least in EU countries)
rvz · 2h ago
> Not all attackers break in, some try to walk through the front door.

Now made even easier for fraudsters and including state actors thanks to Generative AI. Also:

> Generative AI is making deception easier, but isn’t foolproof. Attackers can trick parts of the hiring process, like a technical assessment, but genuine candidates will usually pass real-time, unprompted verification tests.

This is why Leetcode / Hackerrank and other online assessments (OA) in the technical interview are unfit for use in the age of AI.

> In the modern era, it’s an organizational mindset.

Security is a way of life for this company, but it would have easily fooled a less security-oriented company and it will just only get worse.

spacebanana7 · 2h ago
> genuine candidates will usually pass real-time, unprompted verification tests.

I wonder if these are similar to the "tests" in Suits, where they (somewhat inadvertently) check whether someone went to Harvard by asking about the food places students typically went to.

xyzhut · 2h ago
It's a pretty standard thing to do when you suspect someone of being not who they say they are. WW2 German spies would claim to be from New York, and OSS or MPs would ask them who the Yankees' lead pitcher was. Not really a unique or new way of doing things.
cosmicgadget · 2h ago
And in Ronin when Deniro asks Sean Bean the color of the boathouse at Hereford.
wnevets · 2h ago
Thanks to AI this problem will only get much worse.
stackedinserter · 1h ago
You can't AI if in person.
wnevets · 1h ago
they just outsource the in-person parts

> It turns out there is a burgeoning sub-industry of college-aged males of Asian ancestry who cannot wait to get paid for participating in these schemes. There are Discord channels all around the world just for this. They make a few hundred to a few thousand dollars for allowing their identity to be misused or participating in the scheme. That way, they can interview in person or take drug tests if the job requires that.

https://blog.knowbe4.com/our-interview-of-a-north-korean-fak...

stackedinserter · 34m ago
Then what? It should be the same person at day 1, no?
wakeywakeywakey · 2h ago
This is cool, but we'd be naive to think the other side is not also learning from this operation. The "gotcha" questions that foiled them at the end will likely make it into their playbook for next go around, and these attacks are going to be more sophisticated.
iJohnDoe · 1h ago
There are so many talented people trying to get their first or second job in the cybersecurity industry. Legit, honest, hard-working individuals want to get their chance in cybersecurity. So many posts from cybersecurity companies saying, "Meet us at conferences! Write content! Get to know us, then we'll hire you!" Then in their article they write this. Companies that are even letting these resumes or candidates get a second look are disgraceful. Companies need to get their shit together.

What happened to standard procedures? 1. Phone interview. 2. Video interview. 3. In-person interview. 4. Job offer and hired. Heck, even standard was 1. Phone interview. 2. In-person interview. 3. Job offer and hired.

> From the outset, something felt off about this candidate. During their initial call with our recruiter, they joined under a different name from the one on their resume...

stackedinserter · 1h ago
I would hire this person, set up a very basic work environment, force them to run spyware, learn something about them and make a more interesting blog post.

Actually, that's a job for counter-intelligence agencies (NSA? RCMP?), but I guess they will just laugh if you call them.

seasluggy · 1h ago
OSINT?

So basic HR processes?

yieldcrv · 2h ago
All you have to do is ask them to say "Fuck Kim Jong Un"

this is a tongue in cheek test in crypto circles for like a year now

wslh · 1h ago
In my lesser known company, we've been receiving leads who share their codebase repositories which contain malware or buggy dependencies, even though we offer cybersecurity services.

If I were able to predict the future I would say that soon GitHub, GitLab and others will release improved security sensors.

aussieguy1234 · 1h ago
Apparently they're quite brainwashed around Kim Jong Un and simply can't process any discussions that are even remotely negative about their dear leader.

Use this to your advantage during the interview process to weed them out: https://news.ycombinator.com/item?id=43853382

notlive · 2h ago
The article says they received a list of known NK hackers' emails in advance and the hacker used one of those addresses to apply. Pretty big red flag there if you ask me. Is it really unfair to halt the process at that point?
joejoo · 2h ago
These elite state hackers seemed a little careless from the start, to say the least…
babuloseo · 2h ago
I got interviewed by Kraken lol
tsukikage · 1h ago
TLDR: "We received a list of email addresses linked to the hacker group, and one of them matched the email the candidate used to apply to Kraken."