North Korean Hackers Apply Daily to Infiltrate Binance—Here’s How the Exchange Catches Them

Binance faces a relentless onslaught of North Korean hacking attempts—disguised as job applications. Every. Single. Day.
The world’s largest crypto exchange has turned hiring into a high-stakes game of spy vs. spy. Here’s their playbook for spotting Lazarus Group operatives before they strike.
The Red Flags That Never Lie
Over-polished resumes with suspiciously perfect English. Requests for remote work from Pyongyang-adjacent IPs. A sudden obsession with blockchain that magically started last Tuesday.
Why Binance? Follow the Money
With $76B in daily trading volume, the exchange is the ultimate honeypot for regime-backed hackers. (That’s 3x the GDP of their entire country—talk about career motivation.)
The Cybersecurity Arms Race Escalates
Binance’s vetting algorithms now scan for micro-tremors in typing patterns and VPN artifacts. Meanwhile, Pyongyang’s hackers keep upgrading their LinkedIn game—funded by last year’s $1.7B crypto heists.
One exchange security chief quipped: “We’ve rejected more ‘senior blockchain engineers’ than most HR departments will see in a lifetime.”
As crypto’s hiring boom collides with geopolitics, even your recruiter might be packing malware. Sleep tight, bull market warriors.
How North Korea attacks crypto exchanges
The Democratic People's Republic of Korea, also referred to as the DPRK or North Korea, is home to the Lazarus Group, one of the most prolific hacker clans in the world. The group is believed to have been responsible for the infamous Bybit $1.4 billion hack in March—the largest hack in crypto history, according to the FBI.
Su said that Binance has mostly noticed North Korean attackers attempting to get hired at the firm. The centralized exchange claims to discard such resumes daily, identifying them by their tendency to use certain resume templates. The firm was not willing to share more specifics on resume red flags with Decrypt.
If those resumes make it past the initial vibe check, the company then must check that the applicant is legit on a video call—a challenge that is only getting harder with the rise of AI.
“Our tracking used to [show] that the actor, the operative, will have a resume, and they mostly either have a Japanese or Chinese surname,” Su explained. “But now, with AI and events in AI, they are able to fake to appear to be any kind of developer. More recently, we have seen them be candidates from Europe, from the Middle East. What they do is they actually use a voice changer during their interviews, and the video was a deepfake.”
“The only real good detection is that they almost always have a slow internet connection,” he added. “What's happening is that the translation and the voice changer are working during the call … that’s why they are always delayed.”
There are other ways that Binance can detect a North Korean applicant—such as asking them to put their hand over their face, which usually breaks the deepfake—but Binance doesn’t want to reveal all of its tricks out of fear that attackers may be reading this article.
Other employers have been known to ask candidates to say something negative about North Korean supreme leader Kim Jong Un, which is believed to be outlawed in the country, and have reported positive results.
Binance claims to have never hired a nation-state actor; however, they can’t be too certain. As a result, they even monitor their current employees for suspicious behavior—something all financial institutions do to some degree.
Ironically, according to Su’s research, DPRK employees are usually among the company’s top performers in the given role. That’s likely because there may be multiple people doing the same job across multiple time zones, he explained. So Binance tracks when employees are working, along with their output.
If a worker doesn’t appear to ever sleep, it might be a sign they’re part of the infamous Lazarus Group.
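One way to express the "never sleeps" check as detection logic, written here as an added example and not Binance's own tooling. The event format, account names, and the thresholds (a 6-hour rest window, 3 observed days, "habitual" meaning active on at least half the days) are assumptions.

```javascript
// Constructed sample: activity timestamps (UTC) per account. Names and times are made up.
const mk = (user, days, hours) => days.flatMap((d) => hours.map((h) =>
  ({ user, ts: `2025-01-0${d}T${String(h).padStart(2, "0")}:15:00Z` })));
const sampleEvents = [
  ...mk("dev-a", [1, 2, 3], [8, 9, 11, 13, 15, 17]),       // regular day shift
  ...mk("dev-a", [2], [22]), ...mk("dev-a", [3], [1, 4]),  // plus one on-call night
  ...mk("dev-b", [1, 2, 3], [0, 3, 6, 9, 12, 15, 18, 21]), // active around the clock
];

// Longest run of consecutive hours-of-day with no activity, wrapping past midnight.
function longestQuietWindow(activeHours) {
  if (activeHours.size === 0) return 24;
  let best = 0, run = 0;
  for (let h = 0; h < 48; h++) { // two laps so a gap spanning midnight is counted whole
    run = activeHours.has(h % 24) ? 0 : run + 1;
    best = Math.max(best, run);
  }
  return best;
}

// Assumed thresholds: flag accounts observed for >= minDays whose habitual
// activity leaves no quiet window of at least minRestHours.
function flagSleeplessAccounts(events, minRestHours = 6, minDays = 3) {
  const byUser = new Map();
  for (const { user, ts } of events) {
    const t = new Date(ts);
    const rec = byUser.get(user) || { days: new Set(), slots: new Set() };
    const day = t.toISOString().slice(0, 10);
    rec.days.add(day);
    rec.slots.add(`${day}|${t.getUTCHours()}`); // one slot per (day, hour)
    byUser.set(user, rec);
  }
  const flagged = [];
  for (const [user, rec] of byUser) {
    const counts = new Array(24).fill(0);
    for (const slot of rec.slots) counts[Number(slot.split("|")[1])]++;
    // An hour is habitual only if active on at least half the observed days,
    // so a single on-call night does not make a normal schedule look sleepless.
    const habitual = new Set(counts.flatMap((c, h) => (c * 2 >= rec.days.size ? [h] : [])));
    const quietHours = longestQuietWindow(habitual);
    if (rec.days.size >= minDays && quietHours < minRestHours) flagged.push({ user, quietHours });
  }
  return flagged;
}
```

On the constructed data only dev-b is flagged; a flag is a prompt for review alongside output and other signals, not proof of shared account use.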
How else is North Korea attacking?
There are two other frequent modes of attack employed by North Korean state actors, Su said. One involves poisoning public NPM libraries with malicious code, while the other sees the rogue state making fake job offers to crypto employees.
Node Package Manager (NPM) libraries, or packages, are collections of reusable code that developers will frequently use. Malicious attackers can duplicate these packages and insert a small line of code that could have grave consequences—all while maintaining its original function. If this is picked up even once, the malicious code will embed itself deeper and deeper into the system as developers build on top of it, Su said.
To prevent this from becoming an issue, Binance has to go through the code with a fine-tooth comb. Major crypto exchanges also share intelligence related to security in Telegram and Signal groups—meaning they’re able to flag poisoned libraries and emerging DPRK techniques with their peers.
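Part of that review can be automated before a human reads the code. The following added example (not Binance's process) audits an npm lockfile for the duplicated-package pattern described above: names that sit within two edits of a reviewed dependency, packages that run install scripts, missing integrity hashes, and tarballs resolved from outside the expected registry. The package names, the reviewed list, and the edit-distance threshold are assumptions.

```javascript
// Constructed sample: trimmed package-lock.json (lockfileVersion 3 layout).
// Package names, hosts and hashes are made up for illustration.
const reg = "https://registry.npmjs.org/";
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/acme-wallet-utils": { version: "2.1.0",
    resolved: reg + "acme-wallet-utils/-/acme-wallet-utils-2.1.0.tgz", integrity: "sha512-CONSTRUCTED" },
  "node_modules/acme-wallet-util": { version: "2.1.0", hasInstallScript: true,
    resolved: reg + "acme-wallet-util/-/acme-wallet-util-2.1.0.tgz", integrity: "sha512-CONSTRUCTED" },
  "node_modules/acme-ledger": { version: "0.9.3",
    resolved: "https://mirror.example.test/acme-ledger-0.9.3.tgz" },
} };

// Levenshtein edit distance (two-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Checks every locked package against the team's reviewed dependency list (assumed input).
function auditLockfile(lock, approved, registryHost = "registry.npmjs.org") {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf("node_modules/");
    const name = i === -1 ? path : path.slice(i + "node_modules/".length);
    const flag = (issue) => findings.push({ name, issue });
    if (!approved.includes(name)) {
      const near = approved.find((ok) => editDistance(ok, name) <= 2);
      flag(near ? `lookalike of ${near}` : "not on reviewed list");
    }
    if (meta.hasInstallScript) flag("runs an install script");
    if (!meta.integrity) flag("no integrity hash");
    let host = null;
    try { host = new URL(meta.resolved).hostname; } catch { /* missing or not a URL */ }
    if (host !== registryHost) flag(`resolved from ${host}, not ${registryHost}`);
  }
  return findings;
}
```

Run against a real `package-lock.json` by parsing the file with `JSON.parse` and passing the team's own reviewed list; findings narrow where manual review should start and do not replace it.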
“The DPRK group will [also] try to schedule calls with the external-facing employees,” Su told Decrypt. “Either as a DeFi project or investment firm. Worst yet, they’ll be recruiting them for a high-level job, paying twice, three times as much, just to get them onto an interview.”
During the fake interview, Su explained, the DPRK hackers will claim that the call has “some kind of video or voice issues,” before sending the victim a link to update their Zoom. Then, he said, their device is infected with malware.
Binance has trained its employees to report every phishing attempt made on them. By the frequency of these reports, Su is confident that DPRK attackers are messaging Binance employees on LinkedIn every day.
North Korean hackers stole $1.34 billion across 47 crypto-related incidents last year, a Chainalysis report revealed. Since then, the DPRK attacks have persisted, with Wiz's Director of Strategic Threat Intelligence estimating that $1.6 billion in crypto has been stolen so far this year via fake IT job offers.
“Lazarus Group has always been an issue,” Su told Decrypt. “But in the last two, three years, they have switched their focus, more of their resources onto crypto. Just because of the industry’s [large] dollar amount.”