North Korean hackers are using increasingly sophisticated methods to infiltrate crypto companies, according to Binance founder Changpeng Zhao. In a recent post, CZ detailed tactics used by state-backed groups like Lazarus, warning the industry of insider threats and creative schemes designed to steal funds and user data.
Inside Tactics Used by North Korean Hackers
Zhao explained that these hackers often pose as job seekers, applying for developer, security, or finance positions. By getting hired, they gain insider access to sensitive systems and company infrastructure. When they fail to secure a position, they switch tactics. Some pose as recruiters offering opportunities with rival firms. During fake interviews, they ask employees to download “updated” software through malicious links, often disguised as Zoom installers.
These North Korean hackers are advanced, creative and patient. I have seen/heard:
1. They pose as job candidates to try to get jobs in your company. This gives them a “foot in the door”. They especially like dev, security, finance positions.
2. They pose as employers and try to… https://t.co/axo5FF9YMV
— CZ 🔶 BNB (@cz_binance) September 18, 2025
Another common trick involves coding tests. Hackers send candidates questions that require running “sample code,” which secretly installs malware. Zhao pointed out that the Famous Chollima group previously used this method by creating fake job ads from leading crypto firms. Once installed, the malware provides hackers with access to devices and company networks. Similarly, other groups deploy programs like JSCEAL by impersonating crypto platforms to lure unsuspecting workers.
Hackers also use customer support requests as a weapon. They pose as users in need of assistance, then send links containing hidden viruses. If a link is clicked, the malware spreads across internal systems. Zhao warned that these schemes are highly effective because they target human trust rather than technical flaws.
Breaches and Industry Impact
Zhao highlighted a recent case where an Indian outsourcing firm leaked information from a major U.S. exchange, leading to a $400 million loss. While he did not name the company, many speculated it was Coinbase, which reported a major hack in May 2025. Attackers allegedly bribed outsourced staff to hand over sensitive client data, including IDs, banking details, and personal information. High-profile figures such as Sequoia Capital’s Roelof Botha were among those affected.
According to Chainalysis, North Korean hackers have stolen over $2.17 billion in crypto this year, with Bybit’s $1.5 billion breach being the largest. Zhao emphasized that these groups are patient, creative, and persistent. He urged firms to tighten hiring processes, train staff on phishing tactics, and secure outsourcing channels. With state-backed groups targeting every weak point, he warned, the industry must prepare for increasingly advanced attacks.


