An ironic twist has emerged in the ongoing battle between cybersecurity researchers and North Korean hacking groups. According to blockchain investigator ZachXBT, an unidentified user managed to hack the account of a North Korean IT specialist involved in a small cybercrime ring tied to the theft of $680,000.
Fake Identities and Infiltration Tactics
Investigations reveal that six North Korean nationals created over 30 fake identities to infiltrate crypto projects. Using forged documents and purchased accounts on LinkedIn and Upwork, they posed as experienced blockchain developers. One suspect even passed an interview with Polygon Labs for a full-stack engineer role, claiming to have worked at OpenSea and Chainlink.
To hide their tracks, the hackers used AnyDesk for remote access, VPNs to disguise their location, and Google services for coordination. Their monthly operational costs in May totaled $1,489, covering rented computers and software subscriptions.
The $680K Connection
The group’s cryptocurrency transactions were processed via Payoneer, and one of their wallets was linked to the June hack of Favrr marketplace, which resulted in a $680,000 loss. Search histories retrieved from the hacked account included questions about deploying ERC-20 on Solana, top AI companies in Europe, and—ironically—“how to tell if they are North Koreans.”
ZachXBT noted that Google Translate was frequently used from a Russian IP address, translating from Korean to English, a detail that further exposed their origins.
Calls for Stronger Screening
The blockchain detective urged crypto firms to tighten recruitment checks, stressing that North Korean IT workers (DPRK ITWs) use persistent but simple methods to penetrate the industry. He blamed poor HR practices and the lack of cooperation between governments and private companies for enabling such infiltration.
Binance Confirms Ongoing Threat
Jimmy Su, Chief Security Officer at Binance, revealed that the exchange receives fake resumes from North Korean hackers almost daily. While earlier attempts used Japanese or Chinese names, modern tactics involve deepfakes and voice modulators during interviews.
Suspicious signs include delayed responses during interviews, caused by the lag introduced by translation tools and spoofing software. Su said the most reliable detection method is to ask candidates to cover part of their face—deepfakes often fail under such scrutiny.
Despite their criminal ties, some DPRK operatives perform at top productivity levels, likely due to working multiple shifts without breaks. This relentless pace, Su added, is a classic sign of Lazarus Group involvement.
Broader Cybercrime Links
Beyond job infiltration, Lazarus hackers have been caught infecting NPM libraries with malicious code and staging phishing “interviews” to trick victims into downloading malware. Major incidents, such as the $1.46 billion Bybit hack in February and the $44.2 million CoinDCX breach in July, have been attributed to this notorious group.
Conclusion
The unexpected hack of a North Korean hacker highlights the cat-and-mouse nature of modern cyber warfare. As North Korean groups refine their methods, the crypto industry must respond with equally advanced security measures and verification protocols to stay ahead.