2 Sources
[1]
North Korean Hackers Try to Get Hired at Binance Every Day -- Here's How They're Spotted - Decrypt
That's not all, North Korean attackers also poison public libraries of code and try to infect employees via a fake Zoom scam.

Every day, Binance is inundated with fake resumes that it's certain were written by would-be North Korean attackers, the crypto exchange's chief security officer Jimmy Su told Decrypt. In his view, nation-state actors from North Korea are the single largest threat facing companies in the crypto industry today. Su explained that North Korean attackers have been an issue throughout the exchange's eight-year existence, but recently, the hackers have upped their game when it comes to crypto.

"The largest vector currently against the crypto industry is state actors, particularly in the DPRK, [with] Lazarus," Su told Decrypt, adding that, "They've had a crypto focus in the last two, three years and have been quite successful in their endeavors." He added that "almost all the large DPRK hacks" have involved a fake employee helping facilitate the attack.

The Democratic People's Republic of Korea, also referred to as the DPRK or North Korea, is home to the Lazarus Group, one of the most prolific hacker clans in the world. The group is believed to have been responsible for the infamous Bybit $1.4 billion hack in March -- the largest hack in crypto history, according to the FBI.

Su said that Binance has mostly noticed North Korean attackers attempting to get hired at the firm. The centralized exchange claims to discard resumes daily, based on their tendency to use certain resume templates. The firm was not willing to share more specifics on resume red flags with Decrypt. If those resumes make it past the initial vibe check, the company then must check that the applicant is legit on a video call -- a challenge that is only getting harder with the rise of AI.

"Our tracking used to [show] that the actor, the operative, will have a resume, and they mostly either have a Japanese or Chinese surname," Su explained. "But now, with AI and events in AI, they are able to fake to appear to be any kind of developer. More recently, we have seen them be candidates from Europe, from the Middle East. What they do is they actually use a voice changer during their interviews, and the video was a deepfake."

"The only real good detection is that they almost always have a slow internet connection," he added. "What's happening is that the translation and the voice changer are working during the call ... that's why they are always delayed."

There are other ways that Binance can detect a North Korean applicant -- such as asking them to put their hand over their face, which usually breaks the deepfake -- but Binance doesn't want to reveal all of its tricks out of fear that attackers may be reading this article. Other employers have been known to ask candidates to say something negative about North Korean supreme leader Kim Jong Un, which is believed to be outlawed in the country, and have reported positive results.

Binance claims to have never hired a nation-state actor; however, they can't be too certain. As a result, they even monitor their current employees for suspicious behavior -- something all financial institutions do to some degree. Ironically, according to Su's research, DPRK employees are usually among the company's top performers in the given role. That's likely because there may be multiple people doing the same job across multiple time zones, he explained. So Binance tracks when employees are working, along with their output. If a worker doesn't appear to ever sleep, it might be a sign they're part of the infamous Lazarus Group.

There are two other frequent modes of attack employed by North Korean state actors, Su said. One involves poisoning public NPM libraries with malicious code, while the other sees the rogue state making fake job offers to crypto employees.

Node Package Manager (NPM) libraries, or packages, are collections of reusable code that developers will frequently use. Malicious attackers can duplicate these packages and insert a small line of code that could have grave consequences -- all while maintaining its original function. If this is even picked up once, the malicious code will embed itself deeper and deeper into the system as developers build on top of it, Su said. To prevent this from becoming an issue, Binance has to go through the code with a fine-tooth comb. Major crypto exchanges also share intelligence related to security in Telegram and Signal groups -- meaning they're able to flag poisoned libraries and emerging DPRK techniques with their peers.

"The DPRK group will [also] try to schedule calls with the external-facing employees," Su told Decrypt. "Either as a DeFi project or investment firm. Worst yet, they'll be recruiting them for a high-level job, paying twice, three times as much, just to get them onto an interview." During the fake interview, Su explained, the DPRK hackers will claim that the call has "some kind of video or voice issues," before sending the victim a link to update their Zoom. Then, he said, their device is infected with malware.

Binance has trained its employees to report every phishing attempt made on them. By the frequency of these reports, Su is confident that DPRK attackers are messaging Binance employees on LinkedIn every day.

North Korean hackers stole $1.34 billion across 47 crypto-related incidents last year, a Chainalysis report revealed. Since then, the DPRK attacks have persisted, with Wiz's Director of Strategic Threat Intelligence estimating that $1.6 billion in crypto has been stolen so far this year via fake IT job offers. "Lazarus Group has always been an issue," Su told Decrypt. "But in the last two, three years, they have switched their focus, more of their resources onto crypto. Just because of the industry's [large] dollar amount."
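Su's "never sleeps" signal (tracking when an account is active and whether it ever goes quiet) can be checked mechanically over login or commit telemetry. The following is an added example written for this page, not Binance's code and not from the Decrypt article; the account names, activity log, thresholds (five hours of daily rest, twenty distinct active hours) and the 24-hour window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_REST = timedelta(hours=5)   # assumed: one person goes quiet at least this long per day
WINDOW = timedelta(hours=24)    # assumed: evaluate rest within every rolling 24-hour window
MAX_HOURS_COVERED = 20          # assumed: a single person rarely touches 20+ distinct hours of the day


def build_sample_log():
    """Constructed sample telemetry (user, UTC timestamp); not real data."""
    start = datetime(2025, 8, 4)
    log = []
    for day in range(3):
        base = start + timedelta(days=day)
        # 'alice': activity only between 09:00 and 17:00, like one person in one time zone
        for h in range(9, 18):
            log.append(("alice", base + timedelta(hours=h, minutes=7)))
        # 'dev-42': activity every hour, around the clock, like several people sharing one identity
        for h in range(24):
            log.append(("dev-42", base + timedelta(hours=h, minutes=31)))
    return log


def by_user(log):
    users = defaultdict(list)
    for user, ts in log:
        users[user].append(ts)
    return {u: sorted(ts) for u, ts in users.items()}


def hours_of_day_covered(timestamps):
    """Number of distinct hours of the day (0-23) in which the account was ever active."""
    return len({t.hour for t in timestamps})


def lacks_daily_rest(timestamps):
    """True if some 24-hour window starting at an event contains no quiet gap of at least MIN_REST."""
    gaps = [(timestamps[k], timestamps[k + 1] - timestamps[k]) for k in range(len(timestamps) - 1)]
    for t in timestamps:
        end = t + WINDOW
        if end > timestamps[-1]:
            break  # not enough data to judge windows that run past the log
        if not any(g >= MIN_REST for s, g in gaps if t <= s <= end):
            return True
    return False


def flag_accounts(log):
    """Per-account report; 'suspicious' is raised when either heuristic fires."""
    report = {}
    for user, ts in by_user(log).items():
        covered, no_rest = hours_of_day_covered(ts), lacks_daily_rest(ts)
        report[user] = {"hours_covered": covered, "no_daily_rest": no_rest,
                        "suspicious": covered >= MAX_HOURS_COVERED or no_rest}
    return report
```

Flagged accounts are a lead for a human review of output, time zones and device fingerprints, not a verdict on their own.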
[2]
Someone counter-hacked a North Korean IT worker: Here's what they found
A team of North Korean IT operatives behind 31 fake identities has been linked to the $680,000 hack of fan-token marketplace Favrr in June.

A small team of North Korean IT workers -- linked to a $680,000 crypto hack in June -- has been using Google products and even renting computers to infiltrate crypto projects, according to newly leaked screenshots coming from one of the workers' devices. In an X post from ZachXBT on Wednesday, the crypto sleuth shared a rare inside look into the workings of a North Korean (DPRK) hacker. The information came from "an unnamed source" who was able to compromise one of their devices. North Korean-linked workers were responsible for the $1.4 billion exploit of crypto exchange Bybit in February and have siphoned millions from crypto protocols over the years.

The data shows that the small team of six North Korean IT workers shares at least 31 fake identities, obtaining everything from government IDs and phone numbers to purchasing LinkedIn and UpWork accounts to mask their true identities and land crypto jobs. One of the workers supposedly interviewed for a full-stack engineer position at Polygon Labs, while other evidence showed scripted interview responses in which they claimed to have experience at NFT marketplace OpenSea and blockchain oracle provider Chainlink. The leaked documents show the North Korean IT workers secured "blockchain developer" and "smart contract engineer" roles on freelance platforms like Upwork, then used remote access software like AnyDesk to carry out the work for unsuspecting employers. They also use VPNs to hide their true location. Google Drive exports and Chrome profiles show they used Google tools to manage schedules, tasks and budgets, communicating mainly in English while using Google's Korean-to-English translation tool. One spreadsheet shows IT workers spent a combined $1,489.8 on expenses in May to carry out their operations.

The North Koreans often use Payoneer to convert fiat into crypto for their work, and one of those wallet addresses -- "0x78e1a" -- is "closely tied" to the $680,000 exploit on fan-token marketplace Favrr in June 2025, ZachXBT said. At the time, ZachXBT alleged the project's chief technology officer, known as "Alex Hong," along with other developers, were actually DPRK workers in disguise.

The evidence also provides insight into their areas of curiosity. One search asked whether ERC-20 tokens can be deployed on Solana, while another sought information on the top AI development companies in Europe. ZachXBT called on crypto and tech firms to do more homework on potential hires -- noting that many of these operations aren't highly sophisticated, but the volume of applications often leads to hiring teams becoming negligent. He added that a lack of collaboration between tech firms and freelance platforms further contributes to the problem. Last month, the US Treasury took matters into its own hands, sanctioning two people and four entities involved in a North Korea-run IT worker ring infiltrating crypto firms.
North Korean hackers are escalating their attempts to infiltrate cryptocurrency companies through sophisticated methods, including fake job applications and malware-infected software libraries.

North Korean hackers, particularly the infamous Lazarus Group, have intensified their efforts to infiltrate the cryptocurrency industry. Binance's chief security officer, Jimmy Su, revealed that the exchange faces daily attempts by North Korean actors trying to secure employment through sophisticated methods [1]. The hackers have evolved their tactics, employing a range of techniques to bypass security measures:

Fake Resumes: Binance reportedly discards numerous resumes daily, suspecting them to be from North Korean operatives [1].
Deepfake Interviews: Attackers use AI-generated video and voice changers during job interviews to impersonate candidates from various regions [1].
Code Library Poisoning: Hackers insert malicious code into public NPM libraries, potentially compromising entire systems if integrated [1].
Fake Job Offers: DPRK actors pose as recruiters, luring crypto employees with lucrative offers before infecting their devices with malware [1].

Source: Decrypt

A recent leak provided unprecedented insight into the operations of a small team of North Korean IT workers:

Multiple Identities: The team of six workers shared at least 31 fake identities, complete with government IDs and phone numbers [2].
Job Infiltration: Evidence showed attempts to secure positions at major crypto projects like Polygon Labs, OpenSea, and Chainlink [2].
Remote Work Tools: The operatives use remote access software and VPNs to mask their true location while working for unsuspecting employers [2].

The scale of North Korean crypto hacks is staggering:

2022 Theft: North Korean hackers stole $1.34 billion across 47 crypto-related incidents last year [1].
2023 Estimates: Current estimates suggest $1.6 billion in crypto has been stolen so far this year via fake IT job offers [1].
Major Hacks: The group is believed to be responsible for the $1.4 billion Bybit hack in March 2023, the largest in crypto history [1].

Crypto companies are adapting to these threats, but face ongoing challenges:

Inter-company Collaboration: Major exchanges share intelligence about security threats through private messaging groups [1].
Employee Monitoring: Companies like Binance closely monitor employee behavior to detect potential infiltrators [1].
Interview Techniques: Some employers use creative methods to identify North Korean operatives, such as asking candidates to criticize Kim Jong Un [1].

ZachXBT, a prominent crypto sleuth, emphasized the need for stricter hiring practices in the crypto industry. Despite the sophistication of some attacks, many operations rely on the volume of applications overwhelming hiring teams [2].

As the threat landscape evolves, collaboration between tech firms, freelance platforms, and regulatory bodies becomes increasingly crucial. The recent US Treasury sanctions on individuals and entities involved in North Korean IT worker rings highlight the growing recognition of this threat at the governmental level [2].
Summarized by Navi