WEBVTT

00:00:00.493 --> 00:00:05.040
JACK: I was doomscrolling on Twitter and I came across this tweet which was

00:00:05.040 --> 00:00:09.520
so remarkable that I just had to call the guy up who tweeted it to hear the story.

00:00:09.520 --> 00:00:13.200
JON: I’m Jon Wu. I am head of growth at Aztec Network.

00:00:13.200 --> 00:00:17.760
JACK: Aztec is a crypto company which aims to make your cryptocurrency usage more private,

00:00:17.760 --> 00:00:24.560
and to do that, you can use their system to move your money around. They sort of shield it so that

00:00:24.560 --> 00:00:28.480
you can move it around without anybody knowing that you’re doing that. But because their tool

00:00:28.480 --> 00:00:34.240
is catching on, a lot of people are using it and moving their money around through Aztec’s network,

00:00:34.240 --> 00:00:39.120
which means at any point, they’ve got control over quite a bit of their users’ money.

00:00:39.120 --> 00:00:47.360
JON: Yes, so if you look at all the public dashboards, our smart contract holds about $15

00:00:47.360 --> 00:00:54.400
million last I checked, although the market has come down a bit and we’ve had – again, depending

00:00:54.400 --> 00:01:00.800
on Eth price, but as of a couple weeks ago, $80 to $100 million of throughput. So, certainly a lot of

00:01:00.800 --> 00:01:04.480
value has moved through the system.
JACK: Now, Aztec is growing which means they’re

00:01:04.480 --> 00:01:09.760
hiring and have open positions, and Jon is the one who looks at resumes and does interviews to

00:01:09.760 --> 00:01:14.160
hire new people who work there.
JON: Yeah, that’s right. So, we get lots

00:01:14.160 --> 00:01:19.040
of inbound resumes all the time for our full-stack engineering roles and

00:01:19.040 --> 00:01:26.960
smart contract dev roles. I’m on the hiring team at Aztec. So, I got automatically assigned a

00:01:26.960 --> 00:01:33.840
resume that had already been internally reviewed and looked super legit. The person had a GitHub

00:01:33.840 --> 00:01:41.280
with a bunch of projects on it and had a resume with some things that I’d heard about like F2Pool.

00:01:41.280 --> 00:01:44.480
The name was Bobby Sierra.
JACK: [MUSIC] He set up a time to do an

00:01:44.480 --> 00:01:50.240
interview with Bobby Sierra, a remote one through video conferencing. Jon and Bobby

00:01:50.240 --> 00:01:53.440
both got on the video call.
JON: I immediately noticed that the person’s

00:01:53.440 --> 00:01:59.600
camera was off and that there was a little bit of latency, but also that there was just

00:01:59.600 --> 00:02:02.880
a lot of background noise, so just a bunch of chatter in the background.

00:02:02.880 --> 00:02:05.200
JACK: Did you ask to turn the video on?

00:02:05.200 --> 00:02:12.000
JON: I did, and he made some excuse about how he couldn’t do so. I talk to folks

00:02:12.000 --> 00:02:18.800
not infrequently who are uncomfortable on video, but it is one of the best tools that we have for

00:02:18.800 --> 00:02:23.440
validating identity. Bobby Sierra, again, not to be stereotypical, but it’s obvious on the

00:02:23.440 --> 00:02:29.600
face that Bobby Sierra is a Western name and this person had a heavy Korean accent.

00:02:29.600 --> 00:02:34.400
The way I was able to tell is I’m Asian too; I’m Taiwanese. I grew up in an immigrant community

00:02:34.400 --> 00:02:39.120
around New York, and some of my absolute best friends growing up were Korean. I spent a lot

00:02:39.120 --> 00:02:44.880
of time in Korean households, and I was like, this guy’s obviously Korean. I’ve heard an accent like

00:02:44.880 --> 00:02:49.760
this and some of the mannerisms a thousand times. Then I kind of flat-out asked him,

00:02:49.760 --> 00:02:55.680
where are you based? He said I’m based in Hong Kong. I’m like, that’s not what your resume says.

00:02:55.680 --> 00:03:00.160
Your resume says you’re based in Canada. Then he did this multiple times through the call,

00:03:00.160 --> 00:03:04.640
but then he would just mute me. He would just go on mute and then he would come back online

00:03:04.640 --> 00:03:08.320
and pretend like nothing happened.
JACK: Did you ask any technical questions that

00:03:08.320 --> 00:03:11.600
he knew? Like, did he know his chops about what you wanted him to know?

00:03:11.600 --> 00:03:17.840
JON: No, absolutely not. He didn’t say almost anything coherent. [MUSIC] He kinda just kept

00:03:17.840 --> 00:03:22.320
repeating stuff like I’m an experienced blockchain developer or I’ve worked on many successful

00:03:22.320 --> 00:03:30.560
projects, I’ll bring you a lot of success. Of course, the infamous line from his cover letter

00:03:30.560 --> 00:03:37.680
was ‘the world will see a great result from my hands’, which was just so villainous-sounding as

00:03:37.680 --> 00:03:43.440
to be comical. So yeah, no, he really couldn’t answer any technical questions. Couldn’t even

00:03:43.440 --> 00:03:48.320
answer the basic questions of where he had worked previously. The whole thing was super

00:03:48.320 --> 00:03:54.000
bizarre and he was just either unfazed or didn’t understand when I was pointing out red flags and

00:03:54.000 --> 00:04:00.400
inconsistencies. He was clearly spoofing someone’s legitimate resume and pretending to be them, like,

00:04:00.400 --> 00:04:04.000
had just downloaded it from an open resume site or a recruiting site.

00:04:04.000 --> 00:04:09.840
But it was when I was like hey man, it says here that you worked here at F2Pool. Tell me about

00:04:09.840 --> 00:04:19.520
F2Pool. If I were to recreate what he said, he literally was like, yeah, and then muted.

00:04:19.520 --> 00:04:25.040
I was like hey, are you there? I would say at least a minute or two minutes went by just silence

00:04:25.040 --> 00:04:32.000
on the other line. I was like, no one does this. It doesn’t matter how incompetent you are. If

00:04:32.000 --> 00:04:36.800
you think about – there’s two axes I’m judging on this interview; are you competent or incompetent?

00:04:36.800 --> 00:04:40.800
That’s the standard interview framework. Like, am I gonna move you on to the next step or not?

00:04:40.800 --> 00:04:44.560
But the other one that you don’t consider usually when you talk to someone is like,

00:04:44.560 --> 00:04:51.680
is this person nefarious? It wasn’t until he kind of went dark for like, two minutes after

00:04:51.680 --> 00:04:58.000
being asked a really simple question, and then came back again with this renewed purpose, like

00:04:58.000 --> 00:05:01.520
pretending like that didn’t happen. Like, I want to work with you, I’m an experienced

00:05:01.520 --> 00:05:07.040
blockchain developer, I’ll make you successful, that I was like dude, something’s going on here.

00:05:07.040 --> 00:05:14.640
It’s a scam, it’s a behavioral hack, and that’s when I hung up. Honestly, right when I left the

00:05:14.640 --> 00:05:19.440
call room, I shut the door to the call room, and I remember being in the office and I was like

00:05:19.440 --> 00:05:24.480
guys, I think I just interviewed a North Korean hacker. That was my intuition. My intuition – and

00:05:24.480 --> 00:05:30.160
it was biased from weeks of having observed it and reported on it, and I had already been

00:05:30.160 --> 00:05:36.320
covering some of these security hacks of really famous crypto individuals like Arthur0x and

00:05:36.320 --> 00:05:40.960
a lot of the coverage on Lazarus Group, so I was already primed to be thinking about this.

00:05:40.960 --> 00:05:48.720
So, between that, his undeniably Korean accent, and just how sketchy and scammy it was,

00:05:48.720 --> 00:05:54.400
that was kind of my intuition.
JACK: Jon was actually pretty spooked by this. I

00:05:54.400 --> 00:06:01.680
mean, if this was a North Korean, that’s a pretty close encounter, to be on a video call with him,

00:06:01.680 --> 00:06:07.520
to have this whole e-mail exchange, to be opening resumes and e-mail attachments. [MUSIC] He starts

00:06:07.520 --> 00:06:13.520
retracing his steps, trying to remember exactly how much he shared with this Bobby Sierra. Did he

00:06:13.520 --> 00:06:19.200
do any screen-sharing? How much did he explain about the company and what tech they use?

00:06:19.200 --> 00:06:23.280
Jon was on high alert and feeling pretty disturbed by this.

00:06:23.280 --> 00:06:27.840
So, he tweeted the whole encounter.
JON: The tweet went super viral because,

00:06:27.840 --> 00:06:31.600
you know, frankly it was entertaining. Even when I was in the room, I was kinda laughing

00:06:31.600 --> 00:06:37.120
at myself. I was like, who is this guy? This is so crazy. You don’t have interviews like that ever,

00:06:37.120 --> 00:06:41.200
you know? You don’t ever have those. It’s rare to have an experience in your life where that’s

00:06:41.200 --> 00:06:47.520
just so surreal. You’re like, is this happening? Like, this person’s just making stuff up and their

00:06:47.520 --> 00:06:51.920
resume’s not consistent with their GitHub, is not consistent with their real name, and

00:06:51.920 --> 00:06:57.200
their quote, unquote real name is “Bobby Sierra” and his cover letter sign-off is

00:06:57.200 --> 00:07:01.840
‘the world will see a great result from my hands’. So, it was just a funny thread and

00:07:01.840 --> 00:07:04.720
it just went super viral. It instantly got thousands of likes.

00:07:04.720 --> 00:07:08.160
JACK: Some people were saying no, dude, this is typical; if you interview enough people for

00:07:08.160 --> 00:07:12.160
a while, there’s some really weird ones that just show up. So, Jon was starting to doubt

00:07:12.160 --> 00:07:17.280
that it was North Korea, but another crypto investor who had his digital assets stolen

00:07:17.280 --> 00:07:21.920
a little before this said it was definitely North Korea because he’s seen this before.

00:07:21.920 --> 00:07:28.480
So, Jon wasn’t sure again.
JON: But then yesterday, I think, this week,

00:07:28.480 --> 00:07:38.960
the US Treasury published a sixteen-page advisory on North Korean overseas IT workers. That advisory

00:07:38.960 --> 00:07:45.440
explained almost to the word the tactics that this guy Bobby Sierra was using on me.

00:07:45.440 --> 00:07:51.280
JACK: This advisory from the US Treasury and the FBI says that North Korea has

00:07:51.280 --> 00:07:57.360
been trying to dispatch IT workers to work for companies all over the world remotely,

00:07:57.360 --> 00:08:02.480
posing as non-North Koreans. Some of these people, when they get hired, they don’t even do the work;

00:08:02.480 --> 00:08:07.040
they just hire a subcontractor to actually do the job that they were supposed to do.

00:08:07.040 --> 00:08:13.200
Once again, North Korea has flabbergasted me. I mean, what level of social engineering even is

00:08:13.200 --> 00:08:18.640
this, to try to get a job at the very place you want to rob, and it’s done by the world’s worst

00:08:18.640 --> 00:08:25.840
social engineer? It’s bold and ridiculous at the same time. One thing that seems clear from this is

00:08:25.840 --> 00:08:31.680
that the Lazarus Group is on a tenacious mission to steal crypto from people and places all over

00:08:31.680 --> 00:08:36.320
the world, and they’re pretty creative at coming up with new ideas on how to do it. [MUSIC] It’s

00:08:36.320 --> 00:08:53.840
almost like the Lazarus Group has a whole R&D department that cooks up ways to steal money.
