Quick Take
  • These workers have evolved beyond simple employment fraud to hack systems and actively threaten former employers with data leaks.
  • He cited a recent incident that included a major hack of an Indian outsourced service, which leaked U.S. exchange user data, resulting in over $400 million in losses.
  • These funds flow back to North Korea’s weapons program through elaborate money laundering networks.

What Happened

Blockchain investigator ZachXBT has documented at least 25 instances of North Korean IT workers infiltrating crypto companies to steal funds or extort employers, contradicting the misconception that these operatives only seek legitimate employment.

These workers have evolved beyond simple employment fraud to hack systems and actively threaten former employers with data leaks.

In fact, just earlier this month, Binance founder Changpeng Zhao warned about four primary attack vectors used by North Korean hackers: fake job applications, fraudulent interviews that deliver malware through shared links, customer support scams, and bribery of employees or outsourced vendors.

He cited a recent incident that included a major hack of an Indian outsourced service, which leaked U.S. exchange user data, resulting in over $400 million in losses.

The operations have generated massive profits, with North Korean hackers stealing over $1.3 billion across 47 incidents in 2024 and $2.2 billion in the first half of 2025 alone.

ZachXBT’s recent investigation exposed five North Korean IT workers operating under more than 30 fake identities, backed by forged government ID cards and professional-looking LinkedIn and Upwork accounts, to secure positions at crypto projects.

Data obtained from the operatives’ own devices included Google Drive exports, Chrome browser profiles, and device screenshots, tying a five-person syndicate to the employment fraud operation.

The front companies the operatives set up (see Details below) served as launching pads for the “Contagious Interview” campaign, a fake-recruiter malware operation attributed to a Lazarus Group subgroup.

ZachXBT traced one frequently reused Ethereum wallet address (used to receive ERC-20 token payments) back to the $680,000 Favrr exploit in June 2025, where the project’s chief technology officer and additional developers were later identified as DPRK operatives using fraudulent credentials.
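The tracing step above rests on a simple observation: a wallet that receives salary from several employers and also turns up in an exploit’s outflows links those contexts to one actor. The script below is an added example, not ZachXBT’s tooling or the article’s own code; it runs over constructed ERC-20 transfer records (hypothetical hashes, addresses and labels) and reports every address that appears in two or more unrelated contexts. Two practitioner details are built in: Ethereum addresses are case-insensitive hex (EIP-55 mixed case is only a checksum), so records must be compared in a normalized form, and hub addresses such as exchange deposit wallets or DEX routers touch everything and must be excluded or they will “link” every incident on the chain.

```python
"""Find on-chain addresses shared across otherwise unrelated contexts.

Added example. SAMPLE_TRANSFERS and HUB_ADDRESSES are constructed,
hypothetical data, not real chain records.
"""
import re
from collections import defaultdict

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Lower-case an Ethereum address so EIP-55 mixed case and plain
    lower case compare equal; reject anything that is not 20 hex bytes."""
    if not ADDR_RE.match(addr):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return addr.lower()


# Constructed ERC-20 Transfer records: (tx hash, from, to, context label).
# The same operative wallet appears in mixed case and lower case on purpose.
OPERATIVE_MIXED = "0xAbCd0000000000000000000000000000000000A1"
OPERATIVE_LOWER = "0xabcd0000000000000000000000000000000000a1"
SAMPLE_TRANSFERS = [
    {"tx": "0xaa01", "from": "0x1111111111111111111111111111111111111111",
     "to": OPERATIVE_MIXED, "label": "payroll:ProjectA"},
    {"tx": "0xaa02", "from": "0x1111111111111111111111111111111111111111",
     "to": "0x4444444444444444444444444444444444444444", "label": "payroll:ProjectA"},
    {"tx": "0xbb01", "from": "0x2222222222222222222222222222222222222222",
     "to": OPERATIVE_LOWER, "label": "payroll:ProjectB"},
    {"tx": "0xbb02", "from": "0x2222222222222222222222222222222222222222",
     "to": "0x5555555555555555555555555555555555555555", "label": "payroll:ProjectB"},
    {"tx": "0xcc01", "from": "0x3333333333333333333333333333333333333333",
     "to": OPERATIVE_MIXED, "label": "exploit:drain"},
    {"tx": "0xcc02", "from": OPERATIVE_LOWER,
     "to": "0x4444444444444444444444444444444444444444", "label": "exploit:drain"},
]

# Hypothetical hub (exchange deposit / router) address. Hubs are shared by
# everyone and carry no linking signal, so they are skipped by default.
HUB_ADDRESSES = {"0x4444444444444444444444444444444444444444"}


def shared_counterparties(transfers, hubs=HUB_ADDRESSES, min_contexts=2):
    """Return {address: sorted labels} for every non-hub address seen in at
    least `min_contexts` distinct context labels."""
    contexts = defaultdict(set)
    for t in transfers:
        for side in ("from", "to"):
            addr = normalize(t[side])
            if addr in hubs:
                continue
            contexts[addr].add(t["label"])
    return {a: sorted(ls) for a, ls in contexts.items() if len(ls) >= min_contexts}


if __name__ == "__main__":
    for addr, labels in shared_counterparties(SAMPLE_TRANSFERS).items():
        print(addr, "links", ", ".join(labels))
```

Running the block prints the operative wallet linking both payrolls and the drain, while the exchange address stays silent. Passing `hubs=set()` shows why the exclusion matters: the exchange wallet would then be reported as a link between ProjectA’s payroll and the exploit, which is noise.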

Market Context

The revelation came in response to a claim made by Amjad Masad, CEO of the AI coding platform Replit, that North Korean workers primarily pursue remote jobs for financial gain rather than malicious purposes.

Why It Matters

Cyber Operations Generate Billions for Weapons Program

ZachXBT’s findings reveal sophisticated operations in which agents from the Democratic People’s Republic of Korea pose as developers, security specialists, and finance professionals to gain insider access to crypto projects.

These funds flow back to North Korea’s weapons program through elaborate money laundering networks.

Details

Corporate Infiltration Through Elaborate Identity Fraud Networks

A breach of one operative’s device revealed systematic expense documentation for purchasing Social Security numbers, professional accounts, and VPN services.

Their expense spreadsheet detailed purchases of AI subscriptions, computer rental services, and proxy networks designed to meet blockchain industry employment requirements.

North Korean operatives established legitimate U.S. corporations, including Blocknovas LLC and Softglide LLC, using fake identities to create credible corporate fronts.

Silent Push researchers found that Blocknovas was registered to a vacant lot in South Carolina, while Softglide’s registered address traced back to a tax office in Buffalo, New York.

The FBI seized Blocknovas’ domain as part of a law enforcement action against North Korean cyber actors who utilized fake job postings to distribute malware.

Advanced Malware Campaigns Target Global Developer Networks

The PylangGhost malware campaign, discovered in June, is one of North Korea’s most sophisticated attacks on crypto professionals, targeting India-based blockchain developers in particular through elaborate fake interview schemes.

Cisco Talos researchers documented how the Famous Chollima threat group builds fraudulent skill-testing websites with the React framework.

Victims complete technical assessments designed to validate professional backgrounds before receiving invitations to record video interviews.

The sites request camera access through an innocuous-looking button click, then display instructions for downloading supposed video drivers that actually carry the malicious Python-based payload.