Cz Warns Of Advanced North Korean Hackers Posing As Job Candidates To Infiltrate Crypto Companies

What Happened

Binance founder Changpeng Zhao “CZ” issued urgent warnings about sophisticated North Korean hackers infiltrating crypto companies through elaborate job application schemes, fake interview processes, and bribery of employees.

The warning follows extensive documentation of North Korean cyber operations targeting the crypto industry, with hackers stealing over $1.3 billion across 47 incidents in 2024, and over $2.2 billion in the first half of 2025 alone.

Recent investigations revealed operatives creating legitimate U.S. corporations, including Blocknovas LLC and Softglide LLC, using fake identities to establish corporate fronts for attacking crypto developers.

ZachXBT’s August investigation also exposed five North Korean IT workers operating under more than 30 fake identities, using government-issued ID cards and professional LinkedIn accounts to secure positions at crypto projects.

These companies served as launching pads for the “Contagious Interview” campaign, a Lazarus Group subgroup specializing in sophisticated malware deployment targeting crypto wallet developers.

In fact, according to CZ, a recent case includes a major Indian outsource service hack that leaked U.S. exchange user data, resulting in over $400 million in user asset losses.

Market Context

The former CEO detailed four primary attack vectors, including posing as job candidates for developer and security positions, conducting fraudulent interviews with malware-laden links, and bribing outsourced vendors for data access.

Billions Stolen Through Fake Employees and Employers

Why It Matters

The breach of one operative’s device revealed systematic expense documentation for purchasing Social Security numbers, professional accounts, and VPN services to maintain fraudulent employment.

The schemes have also evolved to include Python-based malware called PylangGhost, deployed through fake interview websites impersonating major companies like Coinbase and Robinhood to steal credentials from over 80 browser extensions and crypto wallets.

Details

Corporate Infiltration Through Fake Companies and Stolen Identities

North Korean operatives established multiple legitimate business entities across US states to create credible corporate fronts for their infiltration campaigns.

Silent Push researchers discovered Blocknovas LLC registered to a vacant lot in South Carolina, while Softglide LLC traced back to a small Buffalo tax office, with Angeloper Agency operating as an unregistered third entity.

The FBI seized Blocknovas’ domain as part of law enforcement action against North Korean cyber actors utilizing fake job postings to distribute malware.

The elaborate schemes include purchasing stolen American identities and using complex laundering tactics to mask fund origins before routing money back to North Korea’s weapons program.

In June, US authorities seized over $7.7 million in crypto allegedly earned through networks of covert IT workers posing as foreign freelancers.

The Justice Department linked these operations to Sim Hyon Sop, a Foreign Trade Bank representative, and Kim Sang Man, CEO of state-linked IT firm Chinyong operating under North Korea’s Ministry of Defense.

The workers used sophisticated concealment methods, including fake accounts, transaction splitting, token-swapping techniques, and NFT purchases as value stores.

Advanced Malware Campaigns Target Global Crypto Professional Networks

The PylangGhost malware campaign is one of the most recent large-scale attacks by North Korea targeting crypto professionals, particularly focusing on India-based blockchain developers through elaborate fake interview schemes.

Cisco Talos researchers documented how Famous Chollima threat groups create fraudulent skill-testing websites using React frameworks that closely mimic legitimate company assessment platforms.

Victims complete technical assessments designed to validate professional backgrounds before receiving invitations to record video interviews.

The sites request camera access through seemingly innocuous button clicks, then display platform-specific instructions for downloading alleged video drivers containing malicious Python-based payloads.

The malware establishes persistent system access through registry modifications while targeting over 80 browser extensions, including MetaMask, Phantom, Bitski, and TronLink.