North Korea has built a shadow workforce consisting of thousands of IT workers, according to U.S. officials.

This shadow workforce is linked with North Korea’s cybercrime operations and is used to carry out massive crypto hacks, The Wall Street Journal reported on June 11.

For instance, these shadow workers targeted a Sky Mavis engineer last year, posing as a recruiter on LinkedIn. After a phone conversation, the shadow worker gave him a document to review as part of the recruitment process. The document contained malicious code that allowed the North Korean hackers to break into Sky Mavis and steal over $600 million in the Ronin bridge hack.

These workers, spread across countries like Russia and China, earn as much as $300,000 per year doing mundane technology work. They have previously posed as Canadian IT workers, government officials, and freelance Japanese blockchain developers, the report said. The workers pose as potential recruiters or employees, conducting video interviews, as per the report.

To infiltrate crypto firms, the North Korean hackers hire Western “front people,” the report noted. These front people, or actors, sit through the interviews to get hired by crypto firms, which have no idea about their ties to the hackers. Once hired, they make small changes to the products to make them vulnerable, and the hackers take over.

With the help of these shadow workers, North Korean hackers have stolen over $3 billion over the past five years, as per Chainalysis.

Becoming increasingly sophisticated

As per the WSJ report, North Korean hackers have demonstrated technical sophistication in hacks that have impressed U.S. officials and researchers. They have pulled off elaborate maneuvers that have never been observed before, the report stated.

For instance, North Korean hackers perpetrated what some researchers called a first-of-its-kind cascading supply-chain attack last year.

They first attacked Trading Technologies, which develops online trading software. An employee of 3CX, a customer of Trading Technologies, downloaded a corrupted version of Trading Technologies software. Then the hackers corrupted 3CX software and used it to hack 3CX customers, including cryptocurrency exchanges.