North Korean Hackers Masquerade as IT Talent to Hijack Crypto Projects & Exchanges

Published:
2025-08-13 15:57:26

North Korean hackers pose as IT workers to infiltrate crypto projects and exchanges

Pyongyang's cybercriminals are at it again—this time posing as freelance developers to infiltrate blockchain teams. Their playbook? Social engineering with a side of weaponized code.

How the scam works

Fake LinkedIn profiles, glowing recommendations, and 'urgent' project bids—North Korea's Lazarus Group is running a full-spectrum IT con. Once hired, they slip malware into repositories or phish exchange API keys.

Why crypto? Easy laundering

Stolen altcoins get funneled through mixers faster than a Wall Street banker dodges SEC questions. The anonymity of DeFi protocols makes tracing funds nearly impossible.

Security teams are fighting back

Exchange compliance departments now treat unsolicited dev applicants like unexploded ordnance. Multi-sig wallets and mandatory code audits are becoming standard—but the hackers keep evolving.

Bottom line: In crypto, trust is the ultimate vulnerability. Verify everything—especially that 'rockstar developer' offering to work for 30% under market rate.

North Korean IT workers scour job boards 

Leaked documents showed the tools and tracking used by the team, including attempts to build the fake identities. 

The hackers used shared documents, revealing a series of Upwork credit purchases. The finding coincides with reports of attempts to buy or rent Upwork accounts and bid on software jobs. Some of the most common jobs included various blockchain roles, smart contract engineering, as well as work on specific projects, including Polygon Labs.

Earlier reports showed that not all North Korean IT workers had hacking in mind or targeted crypto. Some of the workers had the task of earning from legitimate IT jobs, later handing over their pay to the North Korean regime. 

An escaped IT worker outlined the scheme, showing that the presence of DPRK IT workers was a constant threat to traditional companies and crypto teams. 

Binance filters out DPRK applications almost daily

Binance's security officer Jimmy Su said the exchange is constantly filtering out candidates. DPRK hackers try to gain access to key crypto positions, and Binance has intercepted them both through CV monitoring and at the interview stage. The crypto space also keeps unofficial lists of known fake identities that use legitimate-looking LinkedIn accounts and social media profiles.

In the past, Cryptopolitan reported cases where DPRK hackers built the key infrastructure for Web3 projects, leading to compromised smart contracts with known exploit backdoors. These hackers have affected multiple projects, from DeFi to Solana memes. Some of the teams also launched meme tokens as a way of laundering funds.

In addition to public fake profiles, DPRK hackers also use infected code repos or malicious links to make users install malware. Techniques include fake job interviews with links to malware. DPRK hackers also pose as interviewers or project managers, setting up fake meetings with a fake download link.

In some cases, hackers have also proposed to Upwork users that they connect to the users' computers remotely, as a way to use new accounts without exposing their identity. Reports have it that some US-based persons agreed to the exchange, allowing the supposed IT workers access via AnyDesk. The hackers also used crypto payments through an intermediary Ethereum wallet, which has been linked to addresses used in large-scale hacks.
