cryptonews
2025-09-25 14:24:49

ZachXBT Links North Korean IT Workers to Over 25 Crypto Hacks and Team Extortion Schemes

Blockchain investigator ZachXBT has documented at least 25 instances of North Korean IT workers infiltrating crypto companies to steal funds or extort employers, contradicting the misconception that these operatives only seek legitimate employment. The revelation came in response to a claim by Amjad Masad, CEO of the AI coding platform Replit, that North Korean workers primarily pursue remote jobs for financial gain rather than for malicious purposes.

“Not to infiltrate” This is actually a common misconception. At minimum there’s 25+ instances of DPRK ITWs hacking or extorting teams for funds. Granted all of those companies were related to crypto. — ZachXBT (@zachxbt) September 25, 2025

Cyber Operations Generate Billions for Weapons Program

ZachXBT’s findings reveal sophisticated operations in which agents of the Democratic People’s Republic of Korea pose as developers, security specialists, and finance professionals to gain insider access to crypto projects. These workers have evolved beyond simple employment fraud: they hack systems and actively threaten former employers with data leaks.

Earlier this month, Binance founder Changpeng Zhao warned about four primary attack vectors used by North Korean hackers: fake job applications, fraudulent interviews with malware-laden links, customer support scams, and bribery of employees or outsourced vendors. He cited a recent incident in which a major hack of an Indian outsourced service provider leaked U.S. exchange user data, resulting in over $400 million in losses.

The operations have generated massive profits, with North Korean hackers stealing over $1.3 billion across 47 incidents in 2024 and $2.2 billion in the first half of 2025 alone. These funds flow back to North Korea’s weapons program through elaborate money laundering networks.

Corporate Infiltration Through Elaborate Identity Fraud Networks

ZachXBT’s recent investigation exposed five North Korean IT workers operating under more than 30 fake identities, using government-issued ID cards and professional LinkedIn and Upwork accounts to secure positions at crypto projects. A breach of one operative’s device revealed systematic expense documentation for purchasing Social Security numbers, professional accounts, and VPN services.

The compromised data included Google Drive exports, Chrome browser profiles, and device screenshots from a five-person syndicate conducting employment fraud operations. Their expense spreadsheet detailed purchases of AI subscriptions, computer rental services, and proxy networks, all intended to satisfy the blockchain industry’s employment requirements.

North Korean operatives established legitimate U.S. corporations, including Blocknovas LLC and Softglide LLC, under fake identities to create credible corporate fronts. Silent Push researchers discovered that Blocknovas was registered to a vacant lot in South Carolina, while Softglide traced back to a Buffalo tax office. The FBI seized Blocknovas’ domain as part of a law enforcement action against North Korean cyber actors who used fake job postings to distribute malware. These companies served as launching pads for the “Contagious Interview” campaign, run by a Lazarus Group subgroup specializing in sophisticated malware deployment.

ZachXBT traced one frequently used ERC-20 wallet address back to the $680,000 Favrr exploit in June 2025, where the project’s chief technology officer and additional developers were later identified as DPRK operatives using fraudulent credentials.

ZachXBT exposes 5 North Korean workers running 30+ fake identities to target crypto projects as anonymous source compromises DPRK IT worker devices, revealing $680K Favrr exploit. #NorthKorea #Lazarus — Cryptonews.com (@cryptonews) August 13, 2025

Advanced Malware Campaigns Target Global Developer Networks

The PylangGhost malware campaign, discovered in June, represents one of North Korea’s most sophisticated attacks targeting crypto professionals, particularly India-based blockchain developers, through elaborate fake interview schemes. Cisco Talos researchers documented how the Famous Chollima threat group creates fraudulent skill-testing websites built with the React framework. Victims complete technical assessments designed to validate their professional backgrounds before receiving invitations to record video interviews. The sites request camera access through seemingly innocuous button clicks, then display instructions for downloading purported video drivers that carry malicious Python-based payloads. The malware establishes persistent system access while targeting over 80 browser extensions, including MetaMask, Phantom, Bitski, and TronLink.

North Korean IT workers are growing globally. @Google warns UK crypto firms of North Korea-linked fraudsters infiltrating blockchain projects with fake identities and extortion tactics. #Crypto #CyberSecurity — Cryptonews.com (@cryptonews) April 2, 2025

Earlier this year, Google’s Threat Intelligence Group documented North Korean operatives expanding beyond U.S. targets to infiltrate blockchain companies in the United Kingdom and Europe. The shift followed heightened scrutiny from American authorities, pushing operators to seek employment beyond U.S. borders.

Since October, dismissed North Korean IT workers have increasingly resorted to extortion, threatening former employers with data leaks or with selling proprietary information to competitors unless they are paid. This escalation coincides with intensified U.S. law enforcement actions, including indictments targeting fraudulent IT employment schemes.

International responses have also intensified, with South Korea and the European Union formalizing cybersecurity cooperation agreements specifically targeting North Korean crypto operations. In June, U.S. authorities seized over $7.7 million in crypto allegedly earned through networks of covert IT workers posing as foreign freelancers.
