According to ZachXBT's data, six North Korean nationals created more than 30 fake identities to obtain jobs at cryptocurrency companies. They bought forged documents as well as LinkedIn and Upwork accounts, and posed as experienced blockchain developers. One participant in the scheme even passed an interview at Polygon Labs for a full-stack engineer position, citing fictitious work experience at OpenSea and Chainlink.
To carry out their work the operators used AnyDesk and VPNs, and for planning they used Google services. In May their spending on equipment rental and software came to $1,489. Payments were routed through Payoneer, and one of the wallets was linked to the attack on the Favrr marketplace, in which $680,000 was stolen.
Their search history showed interest in deploying ERC-20 tokens on Solana and in European AI companies, as well as regular use of Google Translate from Korean to English from a Russian IP address. One frequently repeated query was, in effect, how to tell whether someone is from the DPRK. ZachXBT attributed the core problem to weak candidate vetting by overloaded HR departments and to the lack of cooperation between government agencies and businesses.
According to Jimmy Su, Binance's chief security officer, the exchange has received fake resumes from North Korean operators on a daily basis for years. They used to rely on templated applications with Asian names; now they use deepfakes and voice modulators and pose as specialists from Europe or the Middle East. A telltale sign is a lag in responses, introduced by translators and by the deepfake and voice-modulation tooling.
Su said that a reliable check is to ask the candidate to cover their face with a hand, which often "breaks" the deepfake. Binance, according to him, has never hired a DPRK operative, but it does monitor employees for suspicious behaviour. Unnatural productivity, an absence of breaks and activity spanning several shifts can indicate a link to Lazarus. Some companies ask candidates to speak critically of Kim Jong-un, which is forbidden in the DPRK.
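The "no breaks, several shifts" signal above can be checked mechanically against whatever activity telemetry a company already keeps (VCS pushes, PR comments, IDE or SSO events). The following is an added example written for this article, not code from Binance, ZachXBT or any project mentioned here; the log format, the sample events and the thresholds (a 16-hour daily span with no gap longer than 45 minutes) are assumptions chosen for illustration. It builds a per-user, per-day activity profile and flags days that look like a single identity being worked by more than one person in shifts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log, one "timestamp user action" per line.
# dev_a works a normal day with a lunch break; dev_b is active every
# 20 minutes around the clock. (Illustrative data, not a real log.)
SAMPLE_EVENTS = """
2025-05-12T08:55:00Z dev_a git-push
2025-05-12T10:20:00Z dev_a git-push
2025-05-12T12:05:00Z dev_a git-push
2025-05-12T13:30:00Z dev_a pr-comment
2025-05-12T15:45:00Z dev_a git-push
2025-05-12T17:50:00Z dev_a git-push
""" + "".join(
    f"2025-05-12T{h:02d}:{m:02d}:00Z dev_b git-push\n"
    for h in range(24) for m in (5, 25, 45)
)


def parse_events(text):
    """Group event timestamps by user. Assumed format: ISO-8601 UTC, user, action."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, user, _action = line.split()
        events[user].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def daily_profile(timestamps):
    """Per calendar day: first-to-last activity span, longest idle gap, event count."""
    by_day = defaultdict(list)
    for t in timestamps:
        by_day[t.date()].append(t)
    profiles = {}
    for day, ts in by_day.items():
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        profiles[day] = {
            "span": ts[-1] - ts[0],
            "max_gap": max(gaps) if gaps else timedelta(0),
            "events": len(ts),
        }
    return profiles


def flag_shift_like_activity(events, span_hours=16, max_gap_minutes=45):
    """Return {user: [days]} where one identity was active across a span longer
    than a plausible single shift without any real break. Thresholds are
    assumptions for this example; tune them to the organisation's norms."""
    flagged = {}
    for user, ts in events.items():
        for day, profile in daily_profile(ts).items():
            long_span = profile["span"] >= timedelta(hours=span_hours)
            no_break = profile["max_gap"] <= timedelta(minutes=max_gap_minutes)
            if long_span and no_break:
                flagged.setdefault(user, []).append(day)
    return flagged


if __name__ == "__main__":
    for user, days in flag_shift_like_activity(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user}: shift-like activity on {', '.join(map(str, days))}")
```

A hit from this check is a prompt for human review, not proof: on-call rotations, CI bots pushing under a personal token, or a developer in a crunch will trip it too. It is most useful combined with the other signals the article lists (response lag, inconsistent location data, a refusal to do the cover-your-face test on video).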
Lazarus is also known for other tactics: planting malicious code in npm packages, and running phishing "interviews" in which the target is talked into installing a trojanized version of Zoom. The group has been linked to the February Bybit hack, in which $1.46 billion was stolen, and to the July attack on the Indian exchange CoinDCX, in which $44.2 million was stolen.
The story once again shows how deliberately North Korean operators use employment as an attack channel, and why companies, especially in the crypto industry, need to tighten their screening of job applicants.