CZ Issues Urgent Alert: North Korean Hackers Now Posing as Job Applicants to Infiltrate Crypto Firms

Binance CEO sounds alarm on sophisticated recruitment phishing campaigns targeting digital asset companies.

THE NEW FRONTLINE

North Korean state-sponsored actors have perfected the art of the fake interview—bypassing traditional HR safeguards with meticulously crafted backstories and technical credentials. These aren't script kiddies; they're professionals playing the long game.

INFILTRATION PLAYBOOK

Hackers submit flawless resumes, ace technical screenings, then request 'onboarding software' that drops payloads directly into corporate networks. Once inside, they pivot toward treasury wallets and exchange API keys—because why bother trading when you can just steal the whole vault?

SECURITY WAKE-UP CALL

Crypto firms now face dual pressures: regulatory scrutiny and nation-state adversaries treating them as premium targets. Traditional finance spends millions on penetration testing—crypto startups still think 'hardware wallet' counts as a security department.

The irony? These companies will spend more vetting a junior developer's GitHub than the person requesting access to nine-figure cold storage. Maybe next bull run we'll see 'chief paranoia officer' become an actual hiring priority.

Billions Stolen Through Fake Employees and Employers

The warning follows extensive documentation of North Korean cyber operations targeting the crypto industry, with hackers stealing over $1.3 billion across 47 incidents in 2024, and over $2.2 billion in the first half of 2025 alone.

Recent investigations revealed operatives creating legitimate U.S. corporations, including Blocknovas LLC and Softglide LLC, using fake identities to establish corporate fronts for attacking crypto developers.

ZachXBT’s August investigation also exposed five North Korean IT workers operating under more than 30 fake identities, using government-issued ID cards and professional LinkedIn accounts to secure positions at crypto projects.

The breach of one operative’s device revealed systematic expense documentation for purchasing Social Security numbers, professional accounts, and VPN services to maintain fraudulent employment.

The schemes have also evolved to include Python-based malware called PylangGhost, deployed through fake interview websites impersonating major companies like Coinbase and Robinhood to steal credentials from over 80 browser extensions and crypto wallets.

Corporate Infiltration Through Fake Companies and Stolen Identities

North Korean operatives established multiple legitimate business entities across US states to create credible corporate fronts for their infiltration campaigns.

Silent Push researchers discoveredregistered to a vacant lot in South Carolina, whiletraced back to a small Buffalo tax office, with Angeloper Agency operating as an unregistered third entity.

The FBI seized Blocknovas’ domain as part of law enforcement action against North Korean cyber actors utilizing fake job postings to distribute malware.

These companies served as launching pads for the “Contagious Interview” campaign, a Lazarus Group subgroup specializing in sophisticated malware deployment targeting crypto wallet developers.

North Korean cyber spies reportedly set up fake US firms to deploy malware targeting crypto developers, violating Treasury sanctions.#NorthKorea #CyberSecurity https://t.co/TvCmrspaep

The elaborate schemes include purchasing stolen American identities and using complex laundering tactics to mask fund origins before routing money back to North Korea’s weapons program.

In June, US authorities seized over $7.7 million in crypto allegedly earned through networks of covert IT workers posing as foreign freelancers.

In fact, according to CZ, a recent case includes a major Indian outsource service hack that leaked U.S. exchange user data, resulting in over $400 million in user asset losses.

The Justice Department linked these operations to Sim Hyon Sop, a Foreign Trade Bank representative, and Kim Sang Man, CEO of state-linked IT firm Chinyong operating under North Korea’s Ministry of Defense.

The workers used sophisticated concealment methods, including fake accounts, transaction splitting, token-swapping techniques, and NFT purchases as value stores.

Advanced Malware Campaigns Target Global Crypto Professional Networks

The PylangGhost malware campaign is one of the most recent large-scale attacks by North Korea targeting crypto professionals, particularly focusing on India-based blockchain developers through elaborate fake interview schemes.

Cisco Talos researchers documented how Famous Chollima threat groups create fraudulent skill-testing websites using React frameworks that closely mimic legitimate company assessment platforms.

Victims complete technical assessments designed to validate professional backgrounds before receiving invitations to record video interviews.

The sites request camera access through seemingly innocuous button clicks, then display platform-specific instructions for downloading alleged video drivers containing malicious Python-based payloads.

The malware establishes persistent system access through registry modifications while targeting over 80 browser extensions, including MetaMask, Phantom, Bitski, and TronLink.

North Korean hackers deploy "PylangGhost" trojan posing as Coinbase recruiters to steal crypto credentials through fake job interviews, part of $1.3 billion cyber campaign targeting industry professionals.#NorthKorean #Coinbasehttps://t.co/CGeDVs7s3J

It also has advanced capabilities that include remote file access, OS shell control, and comprehensive data harvesting from password managers like 1Password and NordPass.

Supply chain attacks have also expanded to include malicious JavaScript insertions into GitHub repositories and NPM packages.

The Marstech1 malware campaign targeted popular crypto wallets, with SecurityScorecard identifying 233 victims between September 2024 and January 2025.

International responses have intensified with South Korea and the European Union formalizing cybersecurity cooperation agreements specifically targeting North Korean crypto operations.

As it stands now, CZ has warned companies to train employees against downloading files and implement careful candidate screening procedures to protect themselves from these malicious workers.