Binance Uncovers North Korean Crypto Hacking Campaign

Publisher: Sajad Hayati

Key Highlights:

  • Binance CSO Jimmy Su identifies North Korean hackers as the top threat in crypto for 2025.
  • North Korean hackers are contaminating open-source codebases.
  • So far, $2.17 billion has been stolen during the first half of 2025.

In 2025, North Korean hackers represent the most significant and daring threat to the cryptocurrency sector, executing sophisticated scams to penetrate companies and steal billions in digital assets. Jimmy Su, Chief Security Officer at Binance, disclosed that these attackers impersonate job applicants, sometimes employing voice changers and deepfake technology during interviews, thereby elevating security risks for crypto firms worldwide.

North Korean Hackers Ramp up Crypto Industry Infiltration

Fake Job Applications Become a Growing Security Concern

North Korean hackers have moved beyond conventional cyberattacks by establishing fake crypto consulting companies and conducting fraudulent job interviews. These tactics entice candidates and employees into downloading malware disguised as coding tests or assignments. Through this social engineering method, attackers deploy malicious payloads such as JavaScript stealers and Python backdoors, granting them unauthorized access to corporate systems and confidential information. These tools enable data theft, browser information extraction, reverse shell access, and installation of remote control software, making these intrusions highly invasive and dangerous.

The extent of this infiltration continues to grow rapidly. Security professionals and blockchain investigators estimate that hundreds, potentially close to a thousand, North Korean IT operatives are covertly embedded within the crypto industry via remote IT positions. These actors often recruit others from their own networks, thereby establishing deep-rooted access within targeted companies.

Many of these malicious actors exhibit warning signs such as inconsistent IP addresses, failure to pass KYC procedures, or frequent changes in identifiers on platforms like GitHub. With insider privileges, they can manipulate projects, commit fraud, and orchestrate cyberattacks discreetly from within organizations.

North Korean State-Sponsored Hackers Connected to Major Bybit Breach

Throughout 2025, numerous crypto heists have been traced back to elite North Korean hacking groups. The most significant incident occurred in February when the Dubai-based exchange Bybit suffered a breach resulting in the loss of approximately $1.5 billion in Ethereum tokens. This remains the largest crypto theft on record, accounting for nearly 69% of all stolen funds this year. Both the FBI and blockchain analysts have conclusively linked this breach to state-sponsored North Korean hackers, highlighting their advanced skills and determination.

In total, over $2.17 billion has been stolen from the crypto sector in the first half of 2025, surpassing the losses of the entire previous year and setting a new half-year record. Analysts caution that if this trend continues, thefts could reach $4 billion by the end of the year. In 2024, North Korea was responsible for nearly two-thirds of all crypto hacks, and its hacking teams have intensified their efforts in 2025 by evading global sanctions through large-scale crypto theft and laundering operations.

Beyond direct hacks, North Korean cyber groups engage in supply chain attacks by injecting malicious code into widely used open-source repositories such as NPM (Node Package Manager). They also impersonate high-paying recruiters or employment agencies to lure victims while implanting malware for prolonged access. Their use of voice modulation tools and AI-generated deepfakes during job interviews further demonstrates their sophisticated and innovative social engineering capabilities.

Experts Call for Enhanced Recruitment and Vetting Measures

Security experts emphasize the necessity for the crypto industry and broader tech sectors to strengthen hiring protocols, particularly for remote positions. Rigorous identity verification and comprehensive background checks are essential to prevent infiltration. Companies are also encouraged to enhance security by implementing multifactor authentication, conducting regular audits, providing employee training on phishing and social engineering, and deploying monitoring systems to detect unusual behavior indicative of insider threats.
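The warning signs listed earlier (logins from inconsistent IP locations, failed KYC checks, frequent handle changes on platforms like GitHub) and the monitoring the experts recommend here can be turned into a simple per-account review. The following script is an added example, not code from Binance or from the article; it scores each remote contributor account against those three signals over a constructed audit log. The event format, the `country` field (assumed to be filled in upstream by an IP geolocation lookup) and the thresholds are all assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data). IP addresses use documentation
# ranges; "country" is assumed to come from an upstream IP geolocation lookup.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "user": "dev_a", "type": "login", "ip": "203.0.113.5", "country": "PT"},
    {"ts": "2025-03-01T13:30:00", "user": "dev_a", "type": "login", "ip": "198.51.100.7", "country": "CN"},
    {"ts": "2025-03-01T21:10:00", "user": "dev_a", "type": "login", "ip": "192.0.2.44", "country": "RU"},
    {"ts": "2025-03-02T10:00:00", "user": "dev_a", "type": "handle_change", "old": "dev_a", "new": "dev_a2"},
    {"ts": "2025-03-03T08:00:00", "user": "dev_a", "type": "kyc", "result": "failed"},
    {"ts": "2025-03-05T10:00:00", "user": "dev_a", "type": "handle_change", "old": "dev_a2", "new": "jsmith-eng"},
    {"ts": "2025-03-09T10:00:00", "user": "dev_a", "type": "handle_change", "old": "jsmith-eng", "new": "j_smith"},
    {"ts": "2025-03-01T09:00:00", "user": "dev_b", "type": "login", "ip": "203.0.113.9", "country": "DE"},
    {"ts": "2025-03-02T09:05:00", "user": "dev_b", "type": "login", "ip": "203.0.113.9", "country": "DE"},
    {"ts": "2025-03-04T09:00:00", "user": "dev_b", "type": "kyc", "result": "passed"},
]

# Assumed thresholds: tune to the organisation's own baseline.
MAX_COUNTRIES_PER_DAY = 2      # two or more countries within 24h is flagged
MAX_HANDLE_CHANGES_PER_MONTH = 2  # two or more renames within 30 days is flagged


def _parse(ts):
    return datetime.fromisoformat(ts)


def max_countries_in_window(events, hours=24):
    """Largest number of distinct login countries seen inside any sliding window."""
    logins = sorted((_parse(e["ts"]), e["country"]) for e in events if e["type"] == "login")
    best = 0
    for i, (start, _) in enumerate(logins):
        seen = {c for t, c in logins[i:] if t - start <= timedelta(hours=hours)}
        best = max(best, len(seen))
    return best


def handle_changes_in_window(events, days=30):
    """Largest number of handle renames inside any sliding window."""
    changes = sorted(_parse(e["ts"]) for e in events if e["type"] == "handle_change")
    best = 0
    for i, start in enumerate(changes):
        count = sum(1 for t in changes[i:] if t - start <= timedelta(days=days))
        best = max(best, count)
    return best


def kyc_failed(events):
    """True if any KYC check for this account recorded a failure."""
    return any(e["type"] == "kyc" and e["result"] == "failed" for e in events)


def score_account(events):
    """Return the findings for one account; score is the number of signals hit."""
    findings = []
    countries = max_countries_in_window(events)
    if countries >= MAX_COUNTRIES_PER_DAY:
        findings.append(f"logins from {countries} countries within 24h")
    renames = handle_changes_in_window(events)
    if renames >= MAX_HANDLE_CHANGES_PER_MONTH:
        findings.append(f"{renames} handle changes within 30 days")
    if kyc_failed(events):
        findings.append("KYC verification failed")
    return {"score": len(findings), "findings": findings}


def review_all(events):
    """Group events by account and score each one; accounts with score 0 are clean."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {user: score_account(ev) for user, ev in by_user.items()}


if __name__ == "__main__":
    for user, result in review_all(SAMPLE_EVENTS).items():
        print(user, result)
```

Each signal on its own is weak (a legitimate remote engineer may use a VPN or rename an account), so the script reports them together rather than acting on any one; the review is meant to feed a human vetting step, not to block accounts automatically.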

The repercussions extend well beyond the crypto space, as North Korea also targets industries such as aerospace and defense contractors. Nevertheless, the lucrative rewards and comparatively weaker security in crypto make it a favored target. Combating these threats requires coordinated global efforts involving law enforcement, cybersecurity professionals, and governments to trace stolen assets, dismantle hacker networks, and disrupt these complex operations before they succeed.

Fundfa Analysis

This report highlights the escalating cybersecurity risks posed by state-sponsored actors in the crypto sector, emphasizing the critical need for improved recruitment and security practices. Strengthening defenses against such sophisticated threats is vital to protect digital assets and maintain trust in the rapidly growing blockchain ecosystem.
