North Korean hackers targeting crypto companies pose as IT candidates, vendors or customers to gain insider access via fake resumes, malicious “update” files and bribery. Crypto firms should strengthen hiring vetting, restrict privileged system access, and train staff to refuse unsolicited file downloads and links.
- Impersonation tactics: fake IT candidates, sham interviews and malicious update links
- Security teams must enforce strict candidate screening and limit privileged access.
- Chainalysis reports a 102% increase in crypto thefts linked to North Korean actors in 2024.
North Korean hackers targeting crypto companies are exploiting hiring and helpdesk workflows—read immediate mitigation steps and expert guidance from COINOTAG.
What are North Korean hackers doing to infiltrate crypto companies?
North Korean hackers targeting crypto companies now commonly pose as job applicants, vendors or users to gain a “foot in the door.” They exploit recruitment, remote interviews and customer-support channels to deliver malware, request privileged access or bribe insiders, according to Binance co-founder Changpeng Zhao and white hat researchers.

Source: Changpeng Zhao
How did Changpeng Zhao and ethical hackers describe the threat?
Zhao warned on X that attackers pose as employees and employers during hiring and interviews, using fake “updates” or sample code to deliver malware. Ethical hackers from Security Alliance (SEAL) compiled profiles of impersonators and urged platforms to screen candidates, avoid unsolicited file downloads, and tighten vendor controls.
According to the security findings, North Korean operatives will: send malicious links via support channels, ask candidates to submit “sample code” that later contains backdoors, and sometimes attempt to bribe employees or outside vendors for data access.
How did the Security Alliance uncover 60 impersonators?
Security Alliance (SEAL) compiled a repository of at least 60 suspected North Korean impersonators using aliases, fake identities and email addresses. The repository documents apparent citizenship claims, GitHub and salary data, hire histories and public associations to help firms identify suspicious applicants.

Brian Armstrong, right, on the Cheeky Pint podcast. Source: YouTube
Coinbase reported a related wave of threats last month. In response, Coinbase implemented stricter internal controls requiring in-person training, US-only citizenship for sensitive access and fingerprinting for privileged roles, according to Coinbase CEO Brian Armstrong.

SEAL team repository of 60 North Korean IT worker impersonators. Source: lazarus.group/team
SEAL’s public repository lists aliases, fake emails and the firms that hired suspected impersonators, plus observable GitHub accounts and other public artifacts. The white hat group was formed to document and disrupt these recruitment scams and to assist affected firms with attribution and remediation.

SEAL team repository of North Korean IT worker impersonator ‘Kazune Takeda’. Source: lazarus.group/team
Historical context: North Korean groups such as Lazarus Group remain primary suspects in high-value crypto heists, including the $1.4 billion Bybit incident. Chainalysis data shows North Korean-linked thefts exceeded $1.34 billion across 47 incidents in 2024, up 102% from 2023.

SEAL Whitehat Safe Harbor Agreement. Source: Security Alliance
Frequently Asked Questions
How can hiring teams spot impersonators during recruitment?
Verify identities via multiple data points, require in-person or secure video interviews, confirm employment histories, review public code repositories carefully, and cross-check email domains and claimed citizenship to detect inconsistencies.
What signs indicate a malicious “sample code” submission?
Look for obfuscated code, unexpected network calls, binary blobs, or requests for elevated privileges. Sandbox and review all submissions with automated static analysis before any developer runs unfamiliar code.
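As an added illustration (not code from the article, SEAL or any named firm), the Python triage script below flags the four red flags listed above in a submitted code sample; the indicator patterns and the sample inputs are constructed assumptions, and the script complements sandboxed review rather than replacing it.

```python
import math
import re
import string
from collections import Counter

# Indicator patterns for the red flags in the FAQ above. Constructed for
# illustration; not a vetted ruleset and not a substitute for sandboxed review.
INDICATORS = {
    "dynamic_exec": re.compile(r"\b(eval|exec|compile|__import__)\s*\(|\bnew\s+Function\b"),
    "network_call": re.compile(r"\b(socket|urllib|requests|http\.client|fetch|XMLHttpRequest)\b"),
    "shell_exec": re.compile(r"\b(subprocess|os\.system|os\.popen|child_process)\b"),
    "privilege_request": re.compile(r"\b(sudo|setuid|runas|Administrator)\b", re.I),
    "decode_blob": re.compile(r"\b(base64|b64decode|atob|fromhex|unhexlify)\b"),
}
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{80,}")  # long base64-looking literal


def shannon_entropy(s):
    """Bits per character; random-looking data scores well above source text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def screen_sample(source):
    """Triage one submitted source file. Returns (finding_count, findings)."""
    findings = []
    for name, rx in INDICATORS.items():
        hits = rx.findall(source)
        if hits:
            findings.append(f"{name}: {len(hits)} hit(s)")
    for blob in BLOB_RE.findall(source):
        ent = shannon_entropy(blob)
        if ent > 4.5:  # threshold chosen for illustration
            findings.append(f"high_entropy_blob: {len(blob)} chars, entropy {ent:.2f}")
    # Control bytes in a "text" submission suggest an embedded binary payload.
    if any(ord(ch) < 9 or 13 < ord(ch) < 32 for ch in source):
        findings.append("non_printable_bytes")
    return len(findings), findings


# Constructed samples (not real submissions). The blob is the base64 alphabet
# plus filler, so it is 80 characters long with high entropy.
BENIGN = "def fib(n):\n    a, b = 0, 1\n    for _ in range(n):\n        a, b = b, a + b\n    return a\n"
BLOB = string.ascii_letters + string.digits + "+/" + "abcdefghijklmnop"
SUSPICIOUS = (
    "import base64, subprocess\n"
    f'payload = "{BLOB}"\n'
    "exec(base64.b64decode(payload))\n"
    'subprocess.run(["sudo", "./install.sh"])\n'
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, screen_sample(src))
```

Any non-zero finding count should route the submission to a sandboxed review rather than a developer's workstation.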
How widespread is this threat?
Chainalysis data indicates North Korean-linked crypto theft rose sharply in 2024, with over $1.34 billion stolen across 47 incidents, signaling growing operational scale and sustained intent against crypto firms.
How can crypto firms defend against impersonation and insider access?
Implement layered defenses that combine vetting, least-privilege access, developer sandboxing and mandatory security training to reduce the risk of credential or insider compromise.
- Screen candidates rigorously: validate identities, references and public code artifacts.
- Limit privileged access: apply least-privilege, MFA and role-based controls for critical systems.
- Train and test staff: phishing drills, file-handling protocols, and escalation procedures.
Key Takeaways
- Impersonation is rising: North Korean actors are using recruitment and support channels to infiltrate crypto firms.
- Practical defenses: Strict vetting, access controls and sandboxing reduce risk.
- White hat response: SEAL’s repository and investigations are helping firms identify and mitigate impersonation campaigns.
Conclusion
North Korean hackers targeting crypto companies are exploiting recruitment and support workflows to gain insider access. Firms should immediately tighten candidate screening, limit privileged access, sandbox external code and train staff to refuse unsolicited files. Continued collaboration with white hat teams and law enforcement will be critical to reducing future losses.