EXPOSED: How North Korean Crypto Hackers Sneak Past Defenses—ZachXBT Drops Bombshell Report

North Korea’s Lazarus Group just got sloppier—or bolder. Blockchain sleuth ZachXBT unpacks their latest infiltration tactics, revealing gaping holes in crypto security.

Phishing, Fake Jobs, and Supply Chain Attacks

No zero-days, no fancy tech. Just old-school social engineering—with a crypto twist. Fake LinkedIn recruiters, poisoned npm packages, and ‘audited’ smart contracts that drain wallets overnight.

The $3B Heist Nobody’s Talking About

While VCs obsess over ape JPEGs, Pyongyang’s hackers quietly siphoned more value than most Series C rounds. (Take notes, ‘security’ tokens.)

Cold Wallet Won’t Save You Now

Their new playbook targets devs and infra—compromising GitHub repos, hijacking CI/CD pipelines. Even air-gapped hardware wallets get smoked when build scripts turn malicious.

Wake-up call? More like a fire alarm. The industry’s ‘trustless’ mantra rings hollow when your MetaMask gets drained by a fake Trezor update.

North Korean Crypto Secrets Exposed

Since perpetrating the Bybit hack earlier this year, North Korean hackers have developed a fearsome reputation in the crypto industry.

A dangerous new tactic involves infiltrating Web3 startups; this sophisticated practice has led to several notorious thefts this year. However, one crypto sleuth recently published a report detailing these operations:

1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects. pic.twitter.com/DEMv0GNM79

ZachXBT, a popular crypto investigator, pursues all sorts of Web3 criminals, yet North Korean hackers remain a special area of interest. He’s tracked everything from security breaches to money laundering, and has repeatedly warned of vast infiltration.

Today, however, ZachXBT is circulating valuable intel on how these groups work.

How Infiltrators Operate

Essentially, North Korean hackers split into five-man teams to impersonate crypto job seekers. These teams collectively acquire and operate upwards of 30 fake identities, purchasing government IDs, Upwork/LinkedIn accounts, VPNs, and more.

After doing this, they start applying for crypto jobs and looking for security flaws when they find employment. They vastly prefer IT roles, as this gives them ample chances to look for weaknesses and collaborate on the cover job’s workload.

These North Korean crypto scams are very sophisticated, but these documents show how to fight back. A few essential clues, like their choice of VPN, can expose a fake job applicant. Instead, the biggest problem is arrogance.

When cybersecurity investigators warn Web3 startups of potential infiltration, they might get a dismissive response:

“The main challenge faced in fighting [North Korean hackers] at companies includes the lack of collaboration. There’s also the negligence by the teams hiring them who become combative when alerted. [These hackers] are in no way sophisticated, but are persistent, since there’s so many flooding the job market globally for roles,” ZachXBT claimed.

These hackers never stay committed to one job, only lingering long enough to find a security exploit. Once they find one, groups like Lazarus employ a totally different unit to perpetrate the hack.

These methods encourage North Korean crypto hackers to maintain flimsy cover identities, hoping that lazy hiring practices indicate vulnerable security measures.

Web3 startups should be aware of North Korean hackers, not paralyzed by fear of them. A little diligence and caution can help keep any project SAFE from these infiltration attacks.