Changpeng Zhao details how North Korean hackers target crypto firms

TL;DR Breakdown

  • Binance co-founder Changpeng Zhao has warned the crypto community to be wary of North Korean hackers.
  • Zhao listed the many formats that they use when targeting high-profile crypto platforms.
  • Crypto hacks are on the rise in 2025, with theft exceeding $2 billion.

Binance co-founder Changpeng Zhao has warned the crypto community about North Korean hackers and their latest modus operandi. In his post on blogging platform X, Zhao described the ways they carry out their infiltration, noting that he has witnessed some of them firsthand.

According to Changpeng Zhao, over the past few years, North Korean hackers have employed numerous methods to infiltrate top cryptocurrency companies. In his post, he mentioned that many of the state-funded groups, like the notorious Lazarus Group, have been known to breach blockchains and infiltrate these firms, stealing important data needed to gain access to crypto wallets and funds. “These North Korean hackers are advanced, creative, and patient,” Changpeng Zhao said in his post.

Changpeng Zhao discusses North Korean hackers’ modus operandi

In his post, CZ mentioned that he has witnessed some of the cases firsthand and has heard stories of how people and firms got scammed by individuals and syndicates operating out of North Korea. According to CZ, one of the methods they used was to pose as candidates applying for a job so that they could get hired by crypto companies. This way, they can infiltrate the companies as insiders.

“This gives them a ‘foot in the door.’ They especially like dev, security, and finance positions,” CZ added. He went on to note that if they are not successful as job candidates, they switch tactics and pose as recruitment agents trying to poach employees who already work at these crypto firms. Zhao mentioned that most times, they pose as competitor sites looking for new talent, giving their potential weak link something to lure them.

According to CZ, during the initial interview phase, the hackers will say there is a problem with Zoom and urge the employee to update their Zoom through a link that they share. In addition, he mentioned that the hackers also use a sample code technique, asking their potential victims a coding question. The code ends up giving the hackers the loophole they need to access their victim’s device.

In the past, this method has been used by hackers from Famous Chollima, a hacking group that creates fake job ads mimicking popular crypto firms to lure in potential candidates, then gains access to their devices by making them run code that spreads malware across their systems. The same method was used by hackers who deployed the JSCEAL malware to infiltrate devices by masquerading as major crypto platforms.

Crypto hacks in 2025 rise to $2.17 billion

Changpeng Zhao also mentioned that some hackers pose as users seeking help from the customer support of popular crypto platforms. They make requests in the hope that whoever is in charge of support falls for it. CZ highlighted that some of them even go as far as sending malicious links through the ticket request, links that download viruses onto the victim's device once they are clicked.

In his final point, CZ gave an example of a case that involved a major outsourcing service in India. He noted that the event happened a few months ago and involved the service center leaking information from a major United States exchange, resulting in a breach in which the hackers stole more than $400 million in user assets. Although he refused to name the platform involved in the hack, users were quick to point out that it was Coinbase.

Coinbase was a victim of a large-scale attack that involved customer services based in India. The hackers bribed the customer service, which handed over unauthorized access to client data to the bad actors. The hackers gained access to critical personal information, including names, addresses, nationalities, identification numbers, and banking information. The breach resulted in several high-profile companies being targeted. According to Chainalysis, over $2.17 billion has been stolen from crypto firms this year, with Bybit’s $1.5 billion theft still in the lead.
