The investigation was spearheaded by Heiner Garcia, a cyber threat intelligence expert at Telefónica and a blockchain security researcher. Garcia’s research revealed how North Korean operatives were securing freelance work online without using a VPN, the tool they typically rely on to mask their location and identity.
Garcia’s work connected the suspect to a network of fake Japanese identities and GitHub accounts, believed to be part of North Korean operations. In February, Garcia invited news outlets to observe a mock job interview he set up with a suspected DPRK (Democratic People’s Republic of Korea) agent named “Motoki.”
Source: Ketman
What followed was a series of events that eventually led Motoki to unintentionally expose connections to a network of North Korean cyber actors before he abruptly left the call in frustration.
The investigation began in late January when Garcia discovered Motoki on GitHub, amidst a broader cluster of accounts believed to be tied to a suspected DPRK threat actor known as “bestselection18.” This account is widely associated with an experienced DPRK IT infiltrator, and it is part of a broader group of operatives infiltrating the freelance crypto gig economy through platforms like OnlyDust.
One notable aspect of Motoki’s profile was the presence of a photo, which is uncommon for North Korean operatives, who generally avoid using personal photos. Garcia was immediately intrigued by this, prompting him to reach out via Telegram.
“I contacted him directly on Telegram. I didn’t even need to mention the company’s name; getting his attention was quite simple,” Garcia explained.
On February 24th, Garcia invited a South Korean reporter to join the interview under the guise of a fake company, hoping to converse with the suspected DPRK agent in Korean by the end of the call.
The interview, which was conducted in English, quickly turned awkward. Motoki often repeated the same answers to different questions, making the conversation feel forced and disconnected.
Motoki’s behavior raised several red flags. For instance, when asked to speak in Japanese, he failed to do so fluently, despite claiming to be a native speaker. This inconsistency only deepened suspicions about his true identity.
Garcia asked Motoki to introduce himself in Japanese. The light from his screen reflected off his face as he appeared to frantically search for a script to help him respond. After a tense silence, Garcia repeated the request in Japanese, and Motoki abruptly ended the interview by ripping off his headset and leaving the call.
Despite Motoki’s rushed exit, the interview revealed crucial information. During the call, he accidentally shared his screen, revealing private GitHub repositories linked to bestselection18, suggesting that Motoki was indeed working with a known North Korean cyber group.
“He made a critical mistake by sharing his screen and revealing that he was working with bestselection18 on a private repo,” Garcia noted. “This was how we were able to connect the entire operation.”
In addition to his suspicious behavior, linguistic clues further suggested that Motoki was not a native Japanese speaker. During the interview, Motoki’s pronunciation of English words revealed a distinctive pattern.
He frequently substituted “r” sounds with “l,” a hallmark of Korean-accented English. While Japanese speakers also struggle with this distinction, they usually merge the sounds into a neutral flap.
Source: GitHub
Motoki’s responses to personal questions provided additional insight. He claimed to have been born and raised in Japan and to speak fluent Japanese, but his accent, along with his casual mention of liking football, pronounced with a distinct “p” sound, pointed more toward a Korean origin.
Garcia’s investigation did not end with the interview. A week later, he reached out to Motoki again, pretending to be a recruiter. He told Motoki that his boss had fired him following the suspicious interview, prompting a series of private exchanges over the next three weeks.
Eventually, Garcia asked Motoki for help finding a job. In response, Motoki offered a deal that exposed another North Korean operational tactic: they would send Garcia money to buy a computer, which they could then access remotely.
This method would allow North Korean hackers to carry out work without a VPN, which could raise red flags on freelancing platforms. Instead, they could use remote access tools, such as AnyDesk, to control a computer that is physically located where the freelancer claims to be.
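As an added, defender-side example (not code from the article, from Ketman, or from Telefónica): the arrangement described above means the machine doing the work really is where the freelancer claims to be, so IP-based location checks on the platform pass. What remains observable to whoever manages or audits the device is the remote-control session itself. The script below assumes a simple CSV-like export of running processes and socket state, of the kind an EDR or osquery job might produce; the column layout, the sample rows, the file paths, and every tool name other than AnyDesk are constructed assumptions. It flags remote-access tools that hold a long-lived established connection to a non-local peer.

```python
"""Flag remote-access tools with live sessions to non-local peers.

Added example, not from the original article or from Ketman/Telefónica.
Input format (two constructed CSV-like exports, columns assumed here):
  processes:   pid,image_path
  connections: pid,state,remote_addr,seconds_established
"""
import ipaddress
from dataclasses import dataclass

# Remote-control tools worth an analyst's attention on a contractor-issued
# machine. AnyDesk is the tool named in the article; the other entries are
# assumed additions for illustration.
REMOTE_ACCESS_TOOLS = {
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "rustdesk": "RustDesk",
}

# Peers inside these ranges are treated as local (loopback, RFC 1918,
# link-local). Anything else counts as an external controller.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]


@dataclass(frozen=True)
class Finding:
    tool: str
    pid: int
    peer: str
    seconds: int


def _is_external(addr: str) -> bool:
    """True when the peer address is outside the local ranges above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in _LOCAL_NETS)


def parse_processes(text: str) -> dict[int, str]:
    """'pid,image' lines -> {pid: image}."""
    procs: dict[int, str] = {}
    for line in text.strip().splitlines():
        pid, image = line.split(",", 1)
        procs[int(pid)] = image.strip()
    return procs


def parse_connections(text: str) -> list[tuple[int, str, str, int]]:
    """'pid,state,remote_addr,seconds' lines -> list of tuples."""
    rows = []
    for line in text.strip().splitlines():
        pid, state, peer, secs = (f.strip() for f in line.split(","))
        rows.append((int(pid), state.upper(), peer, int(secs)))
    return rows


def find_remote_sessions(proc_text: str, conn_text: str,
                         min_seconds: int = 600) -> list[Finding]:
    """Return remote-access sessions to external peers lasting >= min_seconds.

    The duration threshold filters out brief, legitimate support sessions;
    a session that stays up for hours looks like someone else doing the work.
    """
    procs = parse_processes(proc_text)
    findings = []
    for pid, state, peer, secs in parse_connections(conn_text):
        image = procs.get(pid, "").lower()
        tool = next((name for key, name in REMOTE_ACCESS_TOOLS.items()
                     if key in image), None)
        if tool and state == "ESTABLISHED" and secs >= min_seconds \
                and _is_external(peer):
            findings.append(Finding(tool, pid, peer, secs))
    return findings


# Constructed sample telemetry: one AnyDesk process with a 90-minute
# session to a documentation-range address, plus benign noise.
PROCESSES = """
412,C:\\Windows\\System32\\svchost.exe
2210,C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe
3051,C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe
"""

CONNECTIONS = """
2210,ESTABLISHED,203.0.113.45,5400
3051,ESTABLISHED,198.51.100.7,120
412,LISTEN,0.0.0.0,0
2210,ESTABLISHED,127.0.0.1,10
"""

if __name__ == "__main__":
    for f in find_remote_sessions(PROCESSES, CONNECTIONS):
        print(f"{f.tool} (pid {f.pid}) controlled from {f.peer} "
              f"for {f.seconds // 60} min")
```

The loopback AnyDesk connection and the editor's outbound connection are ignored; only the long external AnyDesk session is reported. In practice the same check belongs in scheduled endpoint telemetry on any device issued to a remote contractor, paired with a review of who installed the tool and when.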
On April 16th, Garcia and his team published their findings on the investigative platform Ketman, shedding light on the group of suspected DPRK operatives connected to bestselection18.
Soon after, Garcia contacted the news outlet with a troubling update:
“The guy we interviewed is gone. All his socials have changed, and everything related to him has been deleted.”
Motoki has not been heard from since.