CZ Issues Urgent Warning: North Korean Hackers Targeting Crypto Firms in Sophisticated Cyber Campaign

Published: 2025-09-20 21:06:34

CZ Warns Crypto Firms of North Korean Hacker Threats

North Korean state-sponsored hackers are launching coordinated attacks against cryptocurrency platforms—and CZ says the industry isn't prepared.

Security Breach Patterns

Multiple exchange hot wallets have already been compromised using advanced social engineering tactics. These aren't random script kiddies—these are government-funded operatives with military-grade encryption bypass tools.

The Lazarus Playbook

They're employing the same phishing techniques that netted them $2 billion last year. Fake job offers, compromised developer tools, and poisoned npm packages—all designed to infiltrate internal systems.

Regulatory Blind Spots

While traditional finance spends millions on compliance theater, crypto firms are getting hacked through their Slack channels. Maybe next time allocate less for conference parties and more for cybersecurity audits?

The threat is evolving faster than security protocols—and until exchanges start treating this like warfare instead of inconvenience, the hacks will keep coming.

Operatives Are Exploiting Hiring Process

CZ shared his concerns via a September 18 X post, describing the hackers as “advanced, creative, and patient.” He explained how the most common method used by these individuals involves posing as job candidates to secure roles in companies, particularly in developer, security, and finance positions, giving them a “foot in the door.”

In other cases, the group poses as employers and attempts to interview staff, using the process to distribute malware. Zhao noted that during these sessions, the attackers often claim there is a problem with Zoom and then send a link to an “update” carrying a virus, or they provide coding questions followed by “sample code” embedded with malware.

Another tactic involves pretending to be users who file customer support requests containing malicious links. CZ added that hackers also pay or bribe employees and hired vendors to gain access to data, pointing to a recent case in India where an outsourcing service was compromised, resulting in the leak of data from a major U.S. exchange and losses exceeding $400 million.

This alert follows the release of a report by cybersecurity group Security Alliance (SEAL), profiling over 60 impostors linked to North Korean operations. The report says that these attackers built fake LinkedIn profiles, set up GitHub portfolios, and used forged government IDs to make their applications look real.

Shift in Methods

North Korean hackers have always been a major threat in the crypto industry, with over $1.3 billion worth of assets stolen in 2024 alone. Traditionally, they have relied on phishing, malware, and private key compromises to loot from exchanges. However, recent reports suggest they are moving towards targeting human resources.

A separate investigation by ZachXBT also uncovered how a small DPRK team of five IT workers operated over 30 fake identities at crypto firms. Elsewhere, Coinbase also recently reported a similar threat from these bad actors. The exchange shared that the attackers are increasingly targeting its remote worker policy to infiltrate sensitive systems.

CEO Brian Armstrong has since announced changes to the company’s internal security protocols, including mandatory in-person onboarding in the U.S., fingerprinting, and U.S. citizenship requirements for employees with system-level access. The exchange also introduced stricter interview procedures, such as requiring cameras to remain on, to prevent impersonation and AI-assisted coaching.

In light of the growing threat to the job market, CZ has urged crypto platforms to train their employees not to download files and to screen potential candidates carefully.
