CZ Targeted By ‘Government-Backed’ Hackers – Is North Korea’s Lazarus Group Behind It?
- Zhao said he received an alert from Google warning that “government-backed attackers” had tried to steal his password.
- Sharing a screenshot of the notice on X, he wrote, “I get this warning from Google once in a while.”
- The incident reveals a growing pattern of state-backed cyber threats targeting high-profile cryptocurrency figures and infrastructure providers.
- Google’s security notifications are typically reserved for serious intrusion attempts believed to be connected to state actors.
What Happened
Binance founder Changpeng “CZ” Zhao has revealed that he was the target of a hacking attempt linked to government-sponsored actors, reigniting concerns about North Korea’s Lazarus Group and its ongoing attacks on the crypto industry.
Google Alerts CZ to State-Sponsored Hack Attempt
Zhao’s warning comes amid a surge in cyberattacks attributed to North Korea’s Lazarus Group, one of the most notorious hacking collectives operating today.
The group is widely believed to be responsible for some of the industry’s largest heists, including the $1.4 billion Bybit hack earlier this year, the biggest crypto theft on record.
In September, he cautioned that hackers were applying for development, finance, and security positions in crypto startups to gain internal access to sensitive data.
Zhao’s comments coincided with findings from the Security Alliance (SEAL), an ethical hacking group that uncovered at least 60 North Korean agents posing as legitimate IT professionals seeking employment at U.S.-based crypto firms.
These operatives reportedly use fabricated identities, fake résumés, and LinkedIn profiles to secure remote jobs and exploit insider access.
Investigations have also exposed a network of North Korean-linked entities, including shell companies like Blocknovas LLC and Softglide LLC, allegedly set up to mask state-backed cyber operations.
Blockchain investigators, such as ZachXBT, have documented dozens of such cases, identifying multiple operatives who used U.S. identification numbers and professional accounts purchased on the dark web.
According to a Cryptonews report, hackers tied to North Korea stole more than $1.3 billion across 47 incidents in 2024, with total losses surpassing $2.2 billion in the first half of 2025.
North Korea Expands Crypto Crime Network After $21M SBI Hack
North Korea’s cyber operations have continued to expand in scale and sophistication, with new evidence linking the regime to a $21 million hack targeting Japanese firm SBI Crypto in late September.
Blockchain investigator ZachXBT traced the stolen funds, including Bitcoin, Ethereum, Litecoin, and Dogecoin, through multiple exchanges before they were laundered via Tornado Cash.
The tactics matched those of the Lazarus Group, a state-backed hacking unit long tied to the Democratic People’s Republic of Korea (DPRK).
Market Context
Zhao said he received an alert from Google warning that “government-backed attackers” had tried to steal his password.
Sharing a screenshot of the notice on X, he wrote, “I get this warning from Google once in a while. Does anyone know what this is? North Korea Lazarus? Not that I have anything important on my account. But stay SAFU.”
Why It Matters
The incident reveals a growing pattern of state-backed cyber threats targeting high-profile cryptocurrency figures and infrastructure providers.
Google’s security notifications are typically reserved for serious intrusion attempts believed to be connected to state actors.
Details
U.S. intelligence reports have long linked Lazarus to Pyongyang’s efforts to fund its weapons programs through cybercrime.
The attempted breach follows earlier warnings by Zhao about North Korean operatives posing as remote IT workers to infiltrate crypto companies.
Recent security research has also pointed to new malware tools such as “PylangGhost,” which are distributed through fake interview websites impersonating major crypto firms like Coinbase and Robinhood.
The malicious software is designed to extract credentials from more than 80 browser extensions and crypto wallets.
Zhao has urged industry professionals to stay vigilant against phishing attempts and impersonation scams, reiterating his long-standing warning for users to “stay SAFU,” a reference to Binance’s Secure Asset Fund for Users.
The activities of North Korea-linked hackers now extend beyond theft, encompassing fake developer identities, fraudulent employment schemes, and targeted malware campaigns.