Anonymous user hacks DPRK cryptocurrency hacker

An unknown user has gained access to the account of a North Korean IT specialist who was part of a small hacker group. According to blockchain researcher ZachXBT, six DPRK citizens created more than 30 fake identities to get employed in crypto projects. They used fake documents, LinkedIn and Upwork profiles, and one of them even had an interview at Polygon Labs, indicating experience in OpenSea and Chainlink.

The attackers used AnyDesk software for remote access and VPNs to hide their location. They used Google services for communication and task planning. In May, the hackers' operating expenses amounted to $ 1,489, which was spent on renting equipment and software subscriptions. Payments were made through Payoneer, in particular through the wallet associated with the attack on the Favrr marketplace in June 2025.

The search history, which was accessed, included questions about the deployment of ERC-20 tokens on Solan SOL $188.20 Binance-Peg SOL -2.27% Market capitalization $0.21 billion VOL. 24 hours $0.72 billion a and leading European IT companies. The most popular query was: «how do I know they are North Koreans?». Frequent use of Google Translate with Korean to English translations via Russian IP addresses was also recorded.

ZachXBT emphasized the need for more thorough vetting of candidates for crypto companies. According to him, the lack of cooperation between government agencies and the private sector, as well as the negligence of recruiters, facilitate the penetration of attackers. He noted that the methods of North Korean hackers are not complicated, but they act in a massive and systematic way.

Jimmy Su, Chief Security Officer of Binance, confirmed that the company receives fake resumes from North Korean hackers every day. They use dipshits, voice modifiers, and other tools to imitate candidates from Europe or the Middle East. According to Suu, the lack of sleep or rest breaks for some employees is a typical sign of connection with the Lazarus group.