Shocking Report: North Korean Hackers Infiltrate 900+ Crypto Jobs Worldwide
The crypto industry faces an unprecedented security breach—over 900 positions now occupied by DPRK-linked cyber operatives. Here’s how they did it.
Silent infiltration, loud consequences
Pyongyang’s digital soldiers bypassed KYC checks, faked credentials, and embedded themselves in exchanges, DAOs, and DeFi projects. No vaults were drained—yet. Their play? Long-term access to infrastructure and insider knowledge.
When ‘bullish hiring’ goes wrong
The explosive growth of crypto jobs created perfect cover. HR teams—under pressure to fill roles during the last bull run—prioritized technical skills over background checks. (Wall Street bankers would’ve demanded three generations of family references—but that’s why they’re still using fax machines.)
The new cold war is remote
These aren’t smash-and-grab hackers. They’re patient, fluent in Solidity, and happy to collect paychecks in XMR while studying attack vectors. Sleep well, builders.
North Korean Hackers are Silently Infiltrating Crypto Businesses
Since the Lazarus Group pulled off the biggest theft in crypto history this year, the industry has been wary of North Korean hackers.
Crypto crime is at an elevated rate across the board, further contributing to the panic. However, there hasn’t been a concrete analysis of potential infiltrators working in crypto, which ZachXBT is attempting to remedy.
1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies.
To put this in perspective payments range from $3K-8K per month meaning… pic.twitter.com/pjHZG9wJ4r
ZachXBT, one of the industry’s most famous sleuths, has been tracking North Koreans in DeFi for several months. Some of the first major infiltrators were unmasked in May, but the trend is increasing.
Last week, these hackers stole $1 million from several NFT projects, showing their increasing capabilities. So, how does this infiltration work?
Tracking the Breaches
Many hackers are paid exclusively in crypto, or a mix of crypto and fiat, enabling sleuths to track their blockchain data. ZachXBT tracked legitimate salary payments to clusters of suspected North Koreans, which totaled $16.58 million this year.
Many applicants worked multiple jobs at once, so there may not be 900+ simultaneous hackers.
Still, that’s a small comfort for many. North Korean hackers are likely present in almost every regional crypto industry, regardless of KYC/AML requirements.
Many smaller startups are facing a talent shortage, encouraging them to ignore potential red flags. These hackers also post fake job postings, further developing their ability to mimic normal applicants.
Nonetheless, common red flags can help companies identify these candidates during the hiring process, like sketchy digital footprints, failed KYC checks, and refusal to meet coworkers in the cities they allegedly live in.
The most important indicator, however, is shoddy performance and a high turnover rate. North Korean hackers routinely take IT and software development jobs at multiple firms at once, trying to get any inside access they can.
They are frequently unable to meet the workload, especially because they’re mainly interested in breaching security.
All that is to say, crypto startups should be able to prevent North Korean infiltration. So far, many of these techniques are surprisingly amateurish.
A security firm recently claimed that the Lazarus Group sends weaker hackers to breach companies, employing more veteran thieves to actually steal the assets. Dedicated watchers can prevent these breaches.
