North Korean hackers pose as IT workers to infiltrate crypto projects and exchanges

Source: Cryptopolitan

North Korean hackers regularly apply to Binance. Investigators have also intercepted resources that hackers use to spin up identities and apply for key IT jobs.

The threat of DPRK hackers posing as IT workers is still active. Sources have discovered recent data on the techniques used to spin up fake identities and apply as IT workers. 

ZachXBT, known for tracking DPRK hackers, recently discovered information from one of the attackers' devices. ZachXBT has often called out the danger of hiring DPRK workers, which creates risks for smart contracts and multisig wallets and can lead to compromised devices.

An unnamed source pointed to records of five DPRK hackers who spun up 30 identities and applied for key IT tasks in crypto and other projects.

The teams used fake locations, local names, and identities, overlapping with crypto-friendly countries like Ukraine and Estonia. 

North Korean IT workers scour job boards 

Leaked documents showed the tools and tracking used by the team, including attempts to build the fake identities. 

The hackers used shared documents, revealing a series of Upwork credit purchases. The finding coincides with reports of attempts to buy or rent Upwork accounts and bid on software jobs. Some of the most common jobs included various blockchain roles, smart contract engineering, as well as work on specific projects, including Polygon Labs.

Earlier reports showed that not all North Korean IT workers had hacking in mind or targeted crypto. Some of the workers had the task of earning from legitimate IT jobs, later handing over their pay to the North Korean regime. 

An escaped IT worker outlined the scheme, showing that the presence of DPRK IT workers was a constant threat to traditional companies and crypto teams. 

Binance filters out DPRK applications almost daily

Binance’s security officer Jimmy Su said the exchange is constantly filtering out candidates. DPRK hackers try to gain access to key crypto positions, and Binance has intercepted them both through CV monitoring and at the interview stage. The crypto space also carries unofficial lists of known fake identities, which use legitimate-looking LinkedIn accounts and social media profiles.

In the past, Cryptopolitan reported cases where DPRK hackers built the key infrastructure for Web3 projects, leading to compromised smart contracts with known exploit backdoors. These hackers have affected multiple projects, from DeFi to Solana memes. Some of the teams also launched meme tokens as a way of laundering funds. 

In addition to public fake profiles, DPRK hackers also use infected code repos or malicious links to make users install malware. Techniques include fake job interviews with links to malware. DPRK hackers also pose as interviewers or project managers, setting up fake meetings with a fake download link.

In some cases, hackers have also proposed that Upwork users let them connect to their computers remotely, as a way to use new accounts without exposing their identity. Reports have it that some US-based persons agreed to the exchange, allowing the supposed IT workers access via AnyDesk. The hackers also used crypto payments through an intermediary Ethereum wallet, which has been linked to addresses used in large-scale hacks.
