North Korean hackers are finding increasingly sophisticated ways to infiltrate leading crypto companies, according to Binance founder Changpeng Zhao (CZ). In a recent post, Zhao detailed how state-backed groups—most notably the Lazarus Group—pose as job seekers, recruiters, or even customer support users to gain access to sensitive company systems.
“These North Korean hackers are advanced, creative, and patient,” Zhao said, stressing that their tactics are designed to exploit both individuals and institutions from the inside.
These North Korean hackers are advanced, creative and patient. I have seen/heard:
1. They pose as job candidates to try to get jobs in your company. This gives them a “foot in the door”. They especially like dev, security, finance positions.
2. They pose as employers and try to… https://t.co/axo5FF9YMV
— CZ 🔶 BNB (@cz_binance) September 18, 2025
Inside the Hackers’ Playbook
Job Candidate Impersonation
One of the most common infiltration methods involves hackers posing as job applicants for technical roles such as development, security, or finance. By getting hired, they gain insider access to critical infrastructure.
When this fails, attackers often switch strategies, masquerading as recruiters working for rival firms. In these cases, they lure employees into interviews and trick them into downloading malware. According to Zhao, one frequent ploy involves sending a fake Zoom update link or asking candidates to run “sample code” that secretly infects their device.
This approach has been linked to Chollima, a hacking group that previously published fake job postings for major crypto firms in order to distribute malware.
Fake Customer Support Requests
Another tactic involves hackers posing as users submitting customer service tickets. They often include malicious links disguised as troubleshooting files. If clicked, these links deploy viruses directly into the company’s system.
A Costly Breach Allegation
Zhao also referenced a case involving a major U.S. crypto exchange that allegedly lost more than $400 million after data was leaked by an outsourced support service in India. While Zhao did not name the exchange, speculation online pointed toward Coinbase.
Earlier this year, Coinbase confirmed a large-scale breach in which outsourced staff were bribed into handing over client information. Stolen data reportedly included names, government IDs, banking details, and account credentials. High-profile investors, such as Sequoia Capital’s Roelof Botha, were among those affected.

Billions Already Lost to Crypto Hacks
According to blockchain analytics firm Chainalysis, hackers have stolen an estimated $2.17 billion in crypto assets so far this year. The Bybit exploit alone accounted for $1.5 billion, making it the largest single hack of 2025 to date.