- Binance founder Changpeng Zhao has warned that North Korean state-backed hackers are using sophisticated methods, such as fake job applications, malicious recruitment schemes, and customer support exploits, to infiltrate top crypto firms.
- High-profile breaches, including a $400 million hack allegedly tied to Coinbase’s outsourced support team.
North Korean state-backed hackers are stepping up their efforts to infiltrate top cryptocurrency firms, using increasingly sophisticated social engineering tactics, according to Binance founder Changpeng Zhao (CZ).
In a recent post, CZ outlined the common strategies employed by groups such as Lazarus Group and Famous Chollima, warning the crypto industry to remain vigilant.
These North Korean hackers are advanced, creative and patient. I have seen/heard:
1. They pose as job candidates to try to get jobs in your company. This gives them a “foot in the door”. They especially like dev, security, finance positions.
2. They pose as employers and try to… https://t.co/axo5FF9YMV
— CZ 🔶 BNB (@cz_binance) September 18, 2025
“These North Korean hackers are advanced, creative, and patient,” Zhao cautioned, stressing that their infiltration campaigns target both company infrastructure and unsuspecting employees.
Disguised as Job Seekers and Recruiters
One of the most common infiltration methods involves posing as job candidates for positions in development, finance, or security. A successful hire gives the hackers insider access, which they use as an entry point into the firm’s systems.
When job applications fail, the hackers often shift tactics, pretending to be recruiters from competing firms. During fake interviews, they may direct employees to update their Zoom client via a malicious link or run “sample coding tests” that secretly install malware on the user’s device. Zhao pointed to the Famous Chollima group as a notable example, known for crafting fake job ads that trick candidates into downloading compromised code.
Customer Support Exploits and Malware Links
Beyond recruitment ruses, hackers also impersonate regular users seeking customer support. In this scenario, they inject malicious links into help tickets, hoping unsuspecting agents click and unknowingly compromise internal systems. Previous cases have involved malware like JSCEAL, which masqueraded as legitimate crypto platforms before embedding itself in target networks.
Insider Breaches and High-Profile Hacks
Zhao further highlighted insider risks, citing a recent case involving a large outsourcing service in India that was linked to a major U.S. exchange. While he did not name the exchange directly, community speculation suggested he was referring to Coinbase, which suffered a breach in May 2025.
Reports indicated customer service workers had been bribed to provide unauthorized access to sensitive user data, resulting in losses exceeding $400 million.
Leaked data included personal and financial details such as names, government IDs, and banking information. High-profile victims, including Sequoia Capital’s Roelof Botha, were among those affected, with users receiving security warnings in the aftermath.
Billions Stolen in Crypto Hacks
According to Chainalysis, North Korean hacking syndicates are responsible for some of the largest crypto thefts to date, with as much as $2.17 billion stolen in 2025 alone. The Bybit hack, amounting to $1.5 billion, stands as the largest single incident so far this year.
Zhao’s warnings serve as a reminder that while blockchain networks themselves are resilient, the human and corporate vulnerabilities surrounding them remain key targets. As crypto adoption grows, the industry faces an urgent need for stricter security protocols, employee training, and awareness of the evolving playbook of state-backed hackers.






