August 15, 2025

North Korean hacker becomes the victim of a hack

Source: Businessua.com.ua

An unknown user gained access to the account of an IT specialist from North Korea who belonged to a small hacker group involved in the theft of $680,000, blockchain detective ZachXBT reported.

1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government accounts to obtain developer jobs at projects. pic.twitter.com/demv0gnm79

– zachxbt (@zachxbt) August 13, 2025

Six DPRK citizens created more than 30 fictitious identities to get into the cryptocurrency industry. To do this, they bought counterfeit documents as well as LinkedIn and Upwork accounts, posing as experienced blockchain developers. One of them even interviewed at Polygon Labs for a full-stack engineer position, claiming work experience at OpenSea and Chainlink.

“My professional experience in blockchain development is more than seven years (including the university period), although I have officially worked for about five years. During this time, I created smart contract systems, decentralized applications and Web3 platforms, including OpenSea, Chainlink Labs and Greenbay,” said the script used for a fictitious person named Henry Chan.

The hackers did their work through the remote-access software AnyDesk and hid their location with a VPN. They used Google services for task planning and communication. In May, their operating expenses amounted to $1,489, which included computer rental and software subscriptions.

Transactions were carried out through Payoneer. One of the wallets is linked to the group that took part in the June attack on the Favrr marketplace, in which $680,000 was stolen.

The search history that was accessed included questions about deploying ERC-20 on Solana and about leading AI companies in Europe. The most frequent search was: “How to understand that they are North Koreans?”

ZachXBT also noted that the search history showed active use of Google Translate to translate from Korean to English via a Russian IP address.

The blockchain detective called on crypto companies to vet candidates more carefully, stressing that such schemes are not sophisticated. In his opinion, the vulnerability is caused by overloaded HR departments.

“The main problem in counteracting IT workers from the DPRK (ITWs) is the lack of cooperation between government agencies and the private sector. Another difficulty is the negligence of recruiting teams that argue after receiving warnings. DPRK ITWs' methods are not too sophisticated, but they are persistent because of their mass presence in the global job market,” he said.

North Korean hackers at Binance

Binance director Jimmy Su told Decrypt that the exchange receives fake resumes from North Korean hackers daily. This has been going on for years, but lately their tactics have become more sophisticated.

Previously, they sent template resumes with Japanese and Chinese names. Now they use deepfakes and voice modulators during interviews, posing as developers from Europe or the Middle East.

A slow internet connection raises suspicion. According to Su, because of the use of a translator and other emulators, the attackers' responses are delayed by a few seconds.

“The only reliable way to check a candidate is to ask him to cover his face with a hand. The deepfake usually ‘breaks’, but we do not reveal all the methods so as not to help hackers,” he added.

The Binance representative stressed that the exchange has never hired DPRK agents but constantly monitors employees for suspicious behavior. North Korean specialists are often among the most productive, probably because they work in several shifts. If someone does not take a break even to sleep, it is a typical sign of Lazarus, Su said.

He added that some companies ask candidates to speak negatively about DPRK leader Kim Jong Un, which is forbidden in the country. The Binance representative did not disclose other details for security reasons.

In addition to employment attempts, Lazarus also:

  • infects NPM libraries by adding malicious code to open-source repositories that are integrated into projects;
  • conducts phishing “interviews”: its members pose as recruiters, offer to update Zoom via a fake link, and infect victims with malware.

Recall that in February the Bybit exchange lost $1.46 billion as a result of a hack. Cybersecurity experts blame the Lazarus Group for it.

In July, the Indian marketplace CoinDCX was hit, losing $44.2 million; the cyberattack was also attributed to North Korean hackers.
