Changpeng Zhao warns the crypto community of disguised North Korean hackers and how they infiltrate top crypto companies, whether it be through their employees or even as users seeking help. What are their top methods?
Summary
- Changpeng Zhao mentions the methods often used by North Korean hackers to infiltrate crypto firms and their employees.
- So far, there have been a string of crypto hacks connected to state-funded hacking syndicates like Lazarus Group and Famous Chollima.
In his recent post, Changpeng Zhao highlights the many ways North Korean hackers try to infiltrate top crypto companies. Many state-funded groups, like the notorious Lazarus Group, have been known to exploit blockchains and infiltrate major firms from the inside to steal data needed to gain access to crypto wallets and funds.
“These North Korean hackers are advanced, creative and patient,” CZ remarked in his post.
According to Changpeng Zhao, he has witnessed these methods used first-hand and heard stories of people who got scammed by the syndicates coming from North Korea. One of the methods he pointed out was how they would pose as job candidates to try to get hired by crypto companies so they can infiltrate them as insiders.
“This gives them a “foot in the door.” They especially like dev, security, finance positions,” he added.
And if they don’t get the job, they could switch gears by posing as recruitment agents who try to poach employees already working at crypto companies by posing as competitor sites looking for new talent. During the initial interview phase, CZ stated that these hackers will say there is a problem with the Zoom and urge the employee to update their Zoom through a shared link.
Another method they often use is sending through a coding question that will require the user to run a “sample code.” These codes will instead give hackers access to the user’s device.
In the past, this method was employed by hackers from Famous Chollima, a hacking group that create fake job advertisements of major crypto firms to lure in potential candidates and steal access to their device by making them run codes that would invite malware in.
The same modus operandi was used by hackers that deployed a malware called JSCEAL to infiltrate user devices by masquerading as major crypto platforms.
CZ also highlighted the fact that some hackers liked to pose as users asking for help in a Customer Support request. They would send links through the ticket request, which contains a virus that would be downloaded into the system if clicked on.
Changpeng Zhao spotlights Coinbase’s $400m loss?
In his last point, Changpeng Zhao mentioned an example of a case which involved a major India outsource service that leaked information from a major U.S. exchange that happened “just a few months ago.” The breach, he claimed, resulted in a loss of more than $400 million in user assets.
Although he does not explicitly name the exchange, another user with the X handle cryptobraveHQ surmised that Changpeng Zhao may be allegedly referring to Coinbase.
In May 2025, Coinbase fell victim to a large scale hack that involved customer services based in India who were successfully bribed by hackers into handing them unauthorized access to client data.
According to a previous report by crypto.news, the hackers got ahold of crucial personal information which included names, birth dates, addresses, nationalities, government identification numbers, banking information, and account information.
The breach resulted in high-profile victims getting targeted through the hack, such as Sequoia Capital Managing Partner Roelof Botha. Some Coinbase users received security alerts last weekend warning that their information may have been improperly accessed.
According to data from Chainalysis, as much as $2.17 billion have been stolen in crypto so far, with the Bybit hack leading the charge with $1.5 billion.
