Binance founder Changpeng Zhao “CZ” issued urgent warnings about sophisticated North Korean hackers infiltrating crypto companies through elaborate job application schemes, fake interview processes, and bribery of employees. The former CEO detailed four primary attack vectors, including posing as job candidates for developer and security positions, conducting fraudulent interviews with malware-laden links, and bribing outsourced vendors for data access. These North Korean hackers are advanced, creative and patient. I have seen/heard: 1. They pose as job candidates to try to get jobs in your company. This gives them a “foot in the door”. They especially like dev, security, finance positions. 2. They pose as employers and try to… https://t.co/axo5FF9YMV — CZ BNB (@cz_binance) September 18, 2025 Billions Stolen Through Fake Employees and Employers The warning follows extensive documentation of North Korean cyber operations targeting the crypto industry, with hackers stealing over $1.3 billion across 47 incidents in 2024, and over $2.2 billion in the first half of 2025 alone. Recent investigations revealed operatives creating legitimate U.S. corporations , including Blocknovas LLC and Softglide LLC, using fake identities to establish corporate fronts for attacking crypto developers. ZachXBT’s August investigation also exposed five North Korean IT workers operating under more than 30 fake identities, using government-issued ID cards and professional LinkedIn accounts to secure positions at crypto projects. The breach of one operative’s device revealed systematic expense documentation for purchasing Social Security numbers, professional accounts, and VPN services to maintain fraudulent employment. The schemes have also evolved to include Python-based malware called PylangGhost , deployed through fake interview websites impersonating major companies like Coinbase and Robinhood to steal credentials from over 80 browser extensions and crypto wallets. Corporate Infiltration Through Fake Companies and Stolen Identities North Korean operatives established multiple legitimate business entities across US states to create credible corporate fronts for their infiltration campaigns. Silent Push researchers discovered Blocknovas LLC registered to a vacant lot in South Carolina, while Softglide LLC traced back to a small Buffalo tax office, with Angeloper Agency operating as an unregistered third entity. The FBI seized Blocknovas’ domain as part of law enforcement action against North Korean cyber actors utilizing fake job postings to distribute malware. These companies served as launching pads for the “ Contagious Interview ” campaign, a Lazarus Group subgroup specializing in sophisticated malware deployment targeting crypto wallet developers. North Korean cyber spies reportedly set up fake US firms to deploy malware targeting crypto developers, violating Treasury sanctions. #NorthKorea #CyberSecurity https://t.co/TvCmrspaep — Cryptonews.com (@cryptonews) April 25, 2025 The elaborate schemes include purchasing stolen American identities and using complex laundering tactics to mask fund origins before routing money back to North Korea’s weapons program. In June, US authorities seized over $7.7 million in crypto allegedly earned through networks of covert IT workers posing as foreign freelancers. In fact, according to CZ, a recent case includes a major Indian outsource service hack that leaked U.S. exchange user data, resulting in over $400 million in user asset losses. The Justice Department linked these operations to Sim Hyon Sop, a Foreign Trade Bank representative, and Kim Sang Man, CEO of state-linked IT firm Chinyong operating under North Korea’s Ministry of Defense. The workers used sophisticated concealment methods, including fake accounts, transaction splitting, token-swapping techniques, and NFT purchases as value stores. Advanced Malware Campaigns Target Global Crypto Professional Networks The PylangGhost malware campaign is one of the most recent large-scale attacks by North Korea targeting crypto professionals, particularly focusing on India-based blockchain developers through elaborate fake interview schemes. Cisco Talos researchers documented how Famous Chollima threat groups create fraudulent skill-testing websites using React frameworks that closely mimic legitimate company assessment platforms. Victims complete technical assessments designed to validate professional backgrounds before receiving invitations to record video interviews. The sites request camera access through seemingly innocuous button clicks, then display platform-specific instructions for downloading alleged video drivers containing malicious Python-based payloads. The malware establishes persistent system access through registry modifications while targeting over 80 browser extensions, including MetaMask, Phantom, Bitski, and TronLink. North Korean hackers deploy "PylangGhost" trojan posing as Coinbase recruiters to steal crypto credentials through fake job interviews, part of $1.3 billion cyber campaign targeting industry professionals. #NorthKorean #Coinbase https://t.co/CGeDVs7s3J — Cryptonews.com (@cryptonews) June 20, 2025 It also has advanced capabilities that include remote file access, OS shell control, and comprehensive data harvesting from password managers like 1Password and NordPass. Supply chain attacks have also expanded to include malicious JavaScript insertions into GitHub repositories and NPM packages. The Marstech1 malware campaign targeted popular crypto wallets, with SecurityScorecard identifying 233 victims between September 2024 and January 2025. International responses have intensified with South Korea and the European Union formalizing cybersecurity cooperation agreements specifically targeting North Korean crypto operations. As it stands now, CZ has warned companies to train employees against downloading files and implement careful candidate screening procedures to protect themselves from these malicious workers. The post CZ Warns of Advanced North Korean Hackers Posing as Job Candidates to Infiltrate Crypto Companies appeared first on Cryptonews .
