CZ Warns Crypto Firms of North Korean Hacker Threats

Binance founder Changpeng Zhao (CZ) has issued a warning to crypto projects about North Korean hackers.

He detailed how the group is using increasingly sophisticated tactics to gain access to companies.

Operatives Are Exploiting Hiring Process

CZ shared his concerns via a September 18 X post, describing the hackers as “advanced, creative, and patient.” He explained how the most common method used by these individuals involves posing as job candidates to secure roles in companies, particularly in developer, security, and finance positions, giving them a “foot in the door.”

In other cases, the group poses as employers and attempts to interview staff, using the process to distribute malware. Zhao noted that during these sessions, the attackers often claim there is a problem with Zoom and then send a link to an “update” carrying a virus, or they provide coding questions followed by “sample code” embedded with malware.

Another tactic involves pretending to be users who file customer support requests containing malicious links. CZ added that hackers also pay or bribe employees and hired vendors to gain access to data, pointing to a recent case in India where an outsourcing service was compromised, resulting in the leak of data from a major U.S. exchange and losses exceeding $400 million.

This alert follows the release of a report by cybersecurity group Security Alliance (SEAL), profiling over 60 impostors linked to North Korean operations. The report says that these attackers built fake LinkedIn profiles, set up GitHub portfolios, and used forged government IDs to make their applications look real.

Shift in Methods

North Korean hackers have always been a major threat in the crypto industry, with over $1.3 billion worth of assets stolen in 2024 alone. Traditionally, they have relied on phishing, malware, and private key compromises to loot from exchanges. However, recent reports suggest they are moving towards targeting human resources.

A separate investigation by ZachXBT also uncovered how a small DPRK team of five IT workers operated over 30 fake identities at crypto firms. Elsewhere, Coinbase also recently reported a similar threat from these bad actors. The exchange shared that they are increasingly targeting their remote worker policy to infiltrate sensitive systems.

CEO Brian Armstrong has since announced changes to the company’s internal security protocols, including mandatory in-person onboarding in the U.S., fingerprinting, and U.S. citizenship requirements for employees with system-level access. The exchange also introduced stricter interview procedures, such as requiring cameras to remain on, to prevent impersonation and AI-assisted coaching.

In light of the growing threat to the job market, CZ has urged crypto platforms to train their employees not to download files and to screen potential candidates carefully.