CZ's Alarm: "SEAL" Team Exposes North Korean Link to 60 Bogus IT Professionals.

Changpeng Zhao ("CZ"), the founder of Binance, has issued a warning about North Korean hackers infiltrating cryptocurrency firms by posing as IT job candidates. CZ's "SEAL" team, an internal security group, uncovered the profiles and fake names of 60 such impersonators. These hackers are employing increasingly sophisticated methods to gain access to sensitive systems and steal funds. The broader campaign has already resulted in substantial losses, with $1.3 billion stolen in 2024 and over $2.2 billion in the first half of 2025.

The hackers often target positions in development, security, and finance departments, using these roles as a "foot in the door" to access company systems. They also pose as employers and attempt to interview or offer jobs to employees, sending malicious links disguised as "updates" that can compromise the employee's device. In other instances, they provide coding questions and then send malicious "sample code". Furthermore, they may pose as users to send malicious links to customer support or even bribe employees and outsourced vendors for data access.

These North Korean actors are using shell companies, such as Blocknovas LLC and Softglide LLC, to bypass security measures. These entities are registered with legitimate-sounding names and sometimes even in real locations to appear credible. In addition, an advanced Python-based malware called PylangGhost, linked to the North Korea-affiliated group "Famous Chollima," is being distributed through fake job interview websites impersonating companies like Coinbase and Robinhood. These sites use social engineering tactics to trick victims into downloading malicious payloads under the pretense of installing video drivers. Once installed, PylangGhost grants attackers remote access to systems and the ability to harvest credentials from over 80 browser extensions, including MetaMask and Phantom.

CZ urged all crypto platforms to train their employees not to download files and to screen candidates carefully. Coinbase CEO Brian Armstrong introduced new internal security measures, including requiring all workers to receive in-person training in the US, while people with access to sensitive systems will be required to hold US citizenship and submit to fingerprinting.

The Security Alliance (SEAL) has also launched an initiative to combat North Korean operatives posing as IT contractors. SEAL-ISAC encourages a coordinated, multi-factor approach to identity verification to protect industry participants from these threats. It also provides a tool to help companies spot malicious actors, drawing on a threat intelligence feed of shared intelligence about known DPRK tactics and identities.

The US Department of Justice (DOJ) has brought charges over a North Korea-backed scheme in which workers using stolen identities were hired by American firms as IT staff. Their wages were funneled back to the DPRK's weapons programs. The operation included widespread use of shell companies, fraudulent websites, and seizure of laptops and crypto accounts. The FBI has advised American companies to carefully check the backgrounds of employees.


Written By
With a curious mind, a notepad always in hand, and a passion for sports, Aarav is eager to explore the stories unfolding in his community. He's focused on developing strong interviewing skills, believing in local news's power to connect people. Aarav is particularly interested in human-interest pieces and learning the fundamentals of ethical reporting, often drawing parallels between journalistic integrity and the fair play found in sports.
© 2025 DailyDigest360