Binance founder Changpeng Zhao, known as “CZ,” has issued a stark warning about advanced North Korean hacking operations targeting the crypto sector.
According to Zhao, these attackers are using sophisticated methods such as posing as job seekers for developer and security roles, tricking companies through fake interviews with malware-infected links, and bribing outsourced vendors to gain insider access.
The warning comes after evidence showed that North Korean hackers stole more than $1.3 billion across 47 crypto attacks in 2024 and have already taken over $2.2 billion in the first half of 2025.
PylangGhost Malware Targets Crypto Developers
Investigations also revealed that operatives have gone as far as creating fake U.S. corporations, like Blocknovas LLC and Softglide LLC, using false identities to set up fronts for targeting blockchain developers.
In August, blockchain investigator ZachXBT uncovered a network of five North Korean IT workers who were operating under more than 30 fake identities. They used forged government-issued IDs and professional LinkedIn profiles to land jobs at crypto firms.
A breach of one operative’s device exposed detailed records of expenses, including payments for stolen Social Security numbers, verified online accounts, and VPN services—tools used to maintain their fraudulent employment.
The schemes have also grown more sophisticated, with attackers deploying PylangGhost, a Python-based malware spread through fake interview websites posing as major companies like Coinbase and Robinhood. The malware is capable of stealing login details from more than 80 browser extensions and crypto wallets.
North Korea’s Expanding Cyber Fronts in Crypto
North Korean operatives have set up multiple shell companies across U.S. states to build convincing corporate fronts for infiltration campaigns.
Silent Push researchers identified Blocknovas LLC, registered to an empty lot in South Carolina, and Softglide LLC, tied to a small tax office in Buffalo. A third entity, Angeloper Agency, was found to be unregistered. The FBI has since seized Blocknovas’ domain in a crackdown on North Korean cyber actors using fake job postings to spread malware.
These entities became the backbone of the “Contagious Interview” campaign, a Lazarus Group operation that deploys sophisticated malware against crypto wallet developers. Investigations revealed operatives also purchased stolen American identities and used layered laundering techniques to disguise fund flows before funneling money back into North Korea’s weapons program.
In June, U.S. authorities seized $7.7 million in crypto tied to covert IT networks posing as foreign freelancers. Binance founder CZ further highlighted the threat, citing a major hack on an Indian outsourcing service that exposed U.S. exchange user data and led to over $400 million in losses.
Zhao has urged crypto companies to step up their defenses against North Korean infiltration tactics. His advice includes training staff to avoid downloading suspicious files and tightening candidate screening processes to block malicious actors posing as job applicants.