ZachXBT Exposes: North Korean IT Workers Behind 25+ Crypto Cyber Attacks

Published: 2025-09-25 08:55:17

ZachXBT: North Korean IT workers responsible for over 25 cyber attacks in crypto

North Korean operatives are systematically targeting cryptocurrency platforms—and they're getting away with it.

The Scale of Infiltration

Digital investigator ZachXBT reveals state-sponsored IT workers have executed more than 25 coordinated attacks against crypto projects. These aren't random hacks—they're calculated operations draining millions from decentralized protocols.

Sophisticated Attack Vectors

The campaigns employ social engineering, fake job postings, and supply chain compromises. Attackers bypass traditional security measures by posing as legitimate developers—then strike from within.

Regulatory Blind Spots

While traditional finance spends billions on compliance theater, crypto's borderless nature creates perfect conditions for state-level exploitation. Another reminder that when VCs talk about 'disruption,' they rarely mean the kind that empties your wallet.

The pattern suggests this is just the beginning—and the industry's 'move fast and break things' mentality might finally be breaking something that can't be fixed.

ZachXBT claims North Korean IT workers mostly use USDC

This is not the first time ZachXBT has warned crypto firms about North Korean IT workers. Last July, the crypto sleuth highlighted that DPRK hackers have reportedly been using USDC (USDC) to funnel millions in illicit payments. The allegations surfaced as Circle filed for a national trust bank charter, which would grant it authority to manage the reserves behind USD Coin.

The on-chain analyst criticized Circle’s approach, arguing the company has failed to address the issue despite the scale and transparency of the transactions. He claimed that the stablecoin issuer has failed to take action to detect or freeze the activity.

As more and more crypto firms and employees start to fall victim to hacks initiated by North Korean actors, more crypto figureheads have been warning the community against hiring remote workers from North Korea.

Most recently, former Binance head Changpeng “CZ” Zhao warned the crypto community of North Korean hackers disguising themselves as prospective employees in order to infiltrate top crypto companies.

One tactic he highlighted was the use of fake job applications, where operatives would pose as candidates for roles at crypto firms, specifically roles related to development, security, and finance, in order to gain insider access.

Another strategy he warned about was masquerading as recruiters, approaching existing employees under the guise of representing rival companies. According to CZ, during early interview stages these actors frequently claim there is a technical issue with Zoom, then ask potential victims to download a malicious “update” via a shared link.
