Coinbase’s Fortress: How America’s Crypto Giant Thwarts North Korean Cyber Attacks
North Korea's Lazarus Group keeps targeting crypto exchanges—but Coinbase keeps shutting them down cold.
Multi-Billion Dollar Defense Arsenal
Coinbase deploys military-grade encryption, real-time threat detection systems, and decentralized cold storage solutions that make traditional banks look like piggy banks. Their security team operates 24/7 across three continents, analyzing patterns even before hackers know they're patterns.
The Human Firewall
Every employee undergoes mandatory cybersecurity training quarterly—because the strongest encryption won't stop a phishing email. Coinbase's bug bounty program pays white hats millions annually, turning potential vulnerabilities into fortified assets.
Regulatory Armor
While some exchanges cut corners, Coinbase over-complies with every SEC and FinCEN requirement. Their compliance department is larger than most startups—because nothing deters hackers like the threat of three-letter agencies breathing down their necks.
Blockchain's Built-In Advantage
Unlike traditional finance's messy paper trails, every crypto transaction is permanently recorded and auditable. Try laundering that, Pyongyang.
Meanwhile, Wall Street still uses fax machines for billion-dollar transfers—but sure, crypto's the risky investment.
North Korea takeaways from Armstrong’s interview
On Aug. 20, 2025, the Stripe YouTube channel released a new video in which Collison and Armstrong, the heads of Stripe and Coinbase respectively, discuss notable trends in the cryptocurrency space.
Collison asked Armstrong what the general tech public does not appreciate about the cybercrime landscape, and Armstrong’s nearly immediate response was “a lot of North Korean agents are trying to work at these companies,” most of the time remotely.
Armstrong said that while companies are working with law enforcement and get notified about some candidates as “known actors,” it feels like 500 more agents graduate from “some kind of school” in the DPRK each quarter, and infiltrating tech companies is their “whole job.”
He emphasized that he does not blame individuals for becoming agents:
“In many of these cases, it’s not the individual person’s fault. Their families will be coerced or detained if they don’t cooperate. So actually, they’re the victim as well in many cases.”
During online job interviews, the DPRK agents usually have some kind of coach nearby who assists them, so Coinbase employees have to require that candidates turn on their camera to make sure they are talking with a real person and that no one nearby is giving instructions.
If an employee needs to access any sensitive system, they are required to come to the U.S. in person for orientation. Coinbase limits access to sensitive data to fingerprinted employees who hold U.S. citizenship and have family in the country. Such a strict approach is dictated by the increased security concerns associated with DPRK infiltration attempts.
Another concern voiced by Armstrong during the interview concerns cases in which threat actors tried to bribe Coinbase support team agents, offering hundreds of thousands of dollars in exchange for smuggling in personal phones, taking photos of screens, and sharing other types of data. To address the risk of leaks resulting from bribery, Coinbase had to increase control over the support team and move customer support offices to the U.S. and Europe. Armstrong said:
“[We] really started to make a deterrent in the sense of, when we catch people doing this — and we red-team it consistently — we don’t walk them out the door — they go to jail. We try to make it very clear that you’re destroying the rest of your life by taking this, even if you think it’s some life-changing amount of money, it’s not worth going to jail.”
Another measure is putting out a $20 million bounty for information that could help arrest or convict attackers. Armstrong emphasized that Coinbase is not only going after insiders but targets the threat actors themselves.
What is known about hackers from the DPRK?
During the same interview, Armstrong said that “DPRK is very interested in stealing crypto,” and this statement should not be underestimated. According to the blockchain analytics company Elliptic, the hack of the crypto exchange ByBit by North Korean hackers was the biggest heist in history. Hackers from the infamous Lazarus Group associated with the DPRK managed to steal $1.46 billion in crypto assets. Since 2017, the DPRK has stolen over $5 billion in crypto. Allegedly, 40% of the North Korean military’s nuclear program is funded via stolen cryptocurrencies. Over $300 million of the funds stolen from ByBit was probably used to fund nuclear weapons.
The North Korean hackers use diverse tactics to steal crypto and launder money. On Aug. 13, 2025, a prominent anonymous crypto sleuth using the ZachXBT handle on X shared documents leaked from the North Korean hackers who pretended to be IT workers in Western companies.
The leak revealed that five agents were operating 30 fake identities and had bogus LinkedIn and Upwork IT worker accounts. They communicated mostly in English and used various Google services to conduct their operations, buying accounts on job platforms, Social Security numbers, etc. Some of the screenshots of these agents’ browser history reveal low levels of technical competency. According to ZachXBT, hiring a North Korean agent is “100% negligence.” In his opinion, figuring out that a candidate is a DPRK agent is not that hard.
9/ Other interesting items from their searches and browser history included: pic.twitter.com/nyBhf82v7g
— ZachXBT (@zachxbt) August 13, 2025
However, despite the fact that the DPRK agents are bad at their work and get fired quickly, they find new jobs; usually, several agents take positions at the same company simultaneously and eventually manage to steal crypto.
6/ I am closely monitoring five other larger clusters of DPRK ITWs but will not share those addresses publicly since they are active.
One thing to note is the number does not include exploits conducted by them on projects (LND, ChainSaw, Favrr, Munchables, Dream, etc)
They… pic.twitter.com/kIbFewIM8b
North Korean hackers used to launder stolen assets via Binance and Coinbase, but had to find other ways as these exchanges increased KYC/AML scrutiny. They developed a chain of over-the-counter brokers. North Korean hackers also use crypto mixer platforms that obfuscate transaction data. In connection with Lazarus Group activity, the U.S. Treasury has named mixer platforms such as Sinbad, Tornado Cash, and Blender.
According to ZachXBT, the public company Circle, a prime competitor of Tether, has been turning a blind eye to the use of its stablecoin USDC in DPRK-related money laundering operations, being the only company that did not freeze flagged wallets when ZachXBT brought up the connection. The company eventually froze the addresses involved in the hacking months later. Circle CEO Jeremy Allaire responded to ZachXBT’s criticism by saying that the company would not freeze addresses solely on the basis of ZachXBT’s investigation; a request from law enforcement was necessary.
5/ USDC was sent directly from Circle accounts to three addresses in this cluster.
It’s 1 hop from an address blacklisted by Tether in April 2023 tied to Hyon Sop Sim.
Other DPRK ITW clusters currently have decent sized quantities of USDC sitting.
I think it’s misleading… pic.twitter.com/vGCcMZX6wL
ZachXBT accuses Circle of allowing North Korean hackers to use USDC so that the company can earn transaction fees. Similar claims were made against the MetaMask wallet, which was allegedly involved in DPRK money laundering operations.
While ZachXBT dismisses the sophistication of the DPRK agents who try to infiltrate tech companies, Coinbase has its reasons to be cautious. Given that Coinbase is responsible for the custody of over 2.2 million bitcoins, which is more than 10% of the total supply, such extensive controls over its hiring and operations do not seem unnecessary.