North Korean Hackers: A New Threat to the Crypto Market

Introduction

North Korean hackers have become one of the most visible threats to the crypto market. In the past, such attacks often looked like an exchange hack, stolen coins, and a quick withdrawal of funds. Now the scheme has become more complex. DPRK hackers target not only wallets and exchanges, but also people: developers, managers, contractors, recruiters, and employees of crypto companies.

According to Chainalysis, hackers stole more than $3.4 billion in cryptocurrency in 2025, and groups from North Korea accounted for at least $2.02 billion. This shows that the issue is no longer a set of rare incidents, but a systemic threat to the entire industry.

Why North Korea Targets the Crypto Market

For North Korea, cryptocurrency has become a convenient target. Crypto assets can move quickly across borders, be swapped into other coins, and be spread across a long chain of addresses. In the traditional banking system, such transfers are more likely to face checks, limits, and sanctions. On a blockchain the transactions are public, but they cannot be reversed and are hard to block in time, and attribution gets harder when bridges, mixers, and exchanges with weak controls are involved.

The crypto market also stores huge sums in digital form. An exchange, DeFi protocol, or custody service can hold hundreds of millions of dollars in assets. For hackers, this makes one successful attack more profitable than dozens of smaller attempts.

Why Crypto Companies Have Become Convenient Targets

Many crypto companies grow quickly. Teams may be spread across different countries, some tasks go to contractors, and new hires are found through Telegram, LinkedIn, GitHub, and other open platforms. This is convenient for business, but dangerous for security.

A crypto exchange or Web3 startup often has several weak points at once:

  • Access to wallets and internal panels
  • Developers with rights in repositories
  • Contractors without strict control
  • Work chats with important information
  • Test environments linked to real infrastructure

Because of this, an attack can start with a regular message, a resume, a test assignment, or a fake call.

Who Lazarus Group and Other DPRK Groups Are

Lazarus Group is the best-known name often linked to North Korean attacks on cryptocurrency companies. It is not one person and not a small group of enthusiasts. It is a network of hackers that has targeted the financial sector, crypto exchanges, blockchain projects, and payment infrastructure for years.

Open reports also mention names such as BlueNoroff, APT38, TraderTraitor, Hidden Cobra, and others. Sometimes these are separate groups. Sometimes they are different names for related areas of one large activity. For the crypto market, the name matters less than the model: behind an attack may be not an ordinary scammer, but a group with resources, experience, and a long-term plan.

How the Threat Model for the Crypto Market Has Changed

The main change is that hackers are less likely to rely only on a direct hack. They look for a path to a person who already has the needed access. This can be a developer, security employee, product manager, DevOps engineer, or someone from a contractor team.

Such an attack often follows a chain:

Attack stage | What hackers do | Risk for the crypto company
Target search | They study employees and their profiles | They find people with valuable access
First contact | They write as a recruiter or partner | The victim does not see the threat
Trust | They keep up a normal work conversation | The victim becomes less cautious
File or link | They send a test assignment or project | Malicious code gets onto the device
Access | They steal keys, tokens, and passwords | The company loses control over part of its systems

This is how the new threat model for the crypto market has become closer to espionage than to ordinary phishing.

Social Engineering as the Main Weapon

Social engineering in cryptocurrency has become one of the main attack methods. Hackers do not break through defenses head-on. They make a person open a file, follow a link, install a package, or enter a password on their own.

The scheme often looks like a normal work process. A developer receives a job offer. Then a test project is sent through GitHub. Inside it, there may be malicious code. The person runs the project on their computer, and hackers gain access to the system, files, tokens, and work accounts.

Fake Jobs and Interviews

Fake vacancies are especially dangerous for Web3. Crypto has a lot of remote work, and people are used to talking with unknown recruiters. That is why a message with a job offer does not always raise concern.

Hackers can pretend to be employees of a large fund, exchange, DeFi project, or technology company. They create profiles, websites, domains, and chats. Sometimes everything looks almost convincing. Then the victim is asked to pass a technical stage, open a repository, or install a file for a call.

A joint advisory from the FBI, CISA, and the U.S. Treasury (AA22-108A, April 2022) described DPRK attacks on blockchain companies, including social engineering, malicious crypto apps, and private key theft.

Attacks Through LinkedIn, Telegram, GitHub, and Zoom

An attack no longer needs a strange website full of errors. Hackers use the same channels as real teams. LinkedIn works for contacting developers. Telegram works for communication in crypto communities. GitHub works for code and test assignments. Zoom or a similar service works for a fake interview.

Because of this, phishing has started to look like a normal work conversation. It is hard for a beginner to tell a real vacancy from a trap, especially when the other person speaks confidently, knows the market, and uses the right terms.

Attacks on Developers and Web3 Infrastructure

A developer can be more valuable than a wallet. Developers often have access to code, API keys, test environments, internal panels, and deployment systems. If a hacker gets this access, they can move deeper inside the company.

Malicious packages and fake libraries create a special risk. Web3 development leans heavily on npm, open-source code, and ready-made tools. If a team installs a package or clones someone else's repository without checking it, the team itself opens the door to the attacker: install hooks and build scripts run with the developer's privileges the moment the project is set up.

How Attacks on Exchanges and Crypto Services Happen

The main goal of an attack is control over money or over systems that lead to money. These may be private keys, seed phrases, session tokens, employee accounts, withdrawal panels, or transaction signing services.

Even a large exchange remains vulnerable if it has a weak point in people or processes. A complex security system will not help if an employee opens an infected project on a work device or a contractor receives excessive permissions.

The FBI linked the Bybit hack in February 2025, worth about $1.5 billion, to North Korean TraderTraitor activity. According to the agency, part of the assets was quickly converted into bitcoin and other coins, and then spread across thousands of addresses in different networks.

What Happens to Stolen Cryptocurrency

After a theft, hackers rarely keep coins at one address. Funds are split, moved between wallets, switched to another network, sent through bridges, and sometimes routed to services with weaker customer checks. The goal is simple: confuse the trail and buy time.

Stolen cryptocurrency can pass through:

  • Several blockchains
  • Dozens or hundreds of wallets
  • Bridges between networks
  • Mixers and exchange services
  • Exchanges with weak risk controls

For blockchain analysts, this creates a difficult task. All transactions are visible, but the path of the money can be long and confusing.
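To make the analyst's task concrete, here is an added example (written for this page, not taken from the article or from any analytics vendor) of proportional, or "haircut", taint tracking over a small constructed transaction graph. The theft transaction is marked fully tainted; at every later hop the tainted share of a transfer equals the sender's tainted fraction at that moment, so commingling with clean money at an intermediate address or in a mixer pool dilutes the taint rather than erasing it, and a bridge release on another chain inherits the taint of the locked deposit. All addresses, amounts and transaction ids are constructed, and the haircut rule is one of several conventions analysts use (FIFO and "poison" are others), chosen here because it is the simplest to reason about.

```javascript
// Added example (not from the article): proportional ("haircut") taint tracing over a
// constructed transaction graph. Addresses, amounts and tx ids are assumed sample data.

// Transactions in chronological order. 'bridgeOf' marks a cross-chain release that
// mirrors an earlier lock transaction on the source chain.
const TXS = [
  { id: 't0',  from: 'issuer',      to: 'victim_hot',         amount: 1000 }, // clean funding
  { id: 't1',  from: 'issuer',      to: 'user_a',             amount: 100 },
  { id: 't2',  from: 'issuer',      to: 'mixer_pool',         amount: 1400 }, // other users' deposits
  { id: 't3',  from: 'victim_hot',  to: 'attacker_1',         amount: 1000 }, // the theft
  { id: 't4',  from: 'attacker_1',  to: 'attacker_2',         amount: 600 },
  { id: 't5',  from: 'attacker_1',  to: 'attacker_3',         amount: 400 },
  { id: 't6',  from: 'user_a',      to: 'attacker_3',         amount: 100 },  // clean money commingled
  { id: 't7',  from: 'attacker_3',  to: 'bridge_lock',        amount: 250 },
  { id: 't8',  from: 'bridge_mint', to: 'attacker_btc',       amount: 250, bridgeOf: 't7' },
  { id: 't9',  from: 'attacker_2',  to: 'mixer_pool',         amount: 600 },
  { id: 't10', from: 'mixer_pool',  to: 'exchange_x_deposit', amount: 500 },
];

// Returns per-address balance and tainted amount after replaying all transactions.
function trace(txs, theftIds) {
  const balance = new Map();
  const tainted = new Map();
  const taintByTx = new Map();
  const byId = new Map(txs.map((t) => [t.id, t]));
  const get = (m, k) => m.get(k) || 0;
  const add = (m, k, v) => m.set(k, get(m, k) + v);

  for (const tx of txs) {
    let share;
    let spender = tx.from;
    if (theftIds.has(tx.id)) {
      share = tx.amount;                          // the theft itself: everything moved is dirty
    } else if (tx.bridgeOf) {
      share = get(taintByTx, tx.bridgeOf);        // release inherits the locked deposit's taint
      spender = byId.get(tx.bridgeOf).to;         // and spends the lock address, not the minter
    } else {
      const bal = get(balance, tx.from);
      // haircut: tainted share = amount * (tainted / balance); computed as a single
      // multiply-then-divide so exact sample values stay exact
      share = bal > 0 ? (tx.amount * get(tainted, tx.from)) / bal : 0;
    }
    if (get(balance, spender) > 0) {              // senders never seen receiving are external, clean
      add(balance, spender, -tx.amount);
      tainted.set(spender, Math.max(0, get(tainted, spender) - share));
    }
    add(balance, tx.to, tx.amount);
    add(tainted, tx.to, share);
    taintByTx.set(tx.id, share);
  }
  return { balance, tainted, taintByTx };
}

// Addresses still holding tainted funds, largest first: these are the freeze candidates.
function report(result, minTaint = 1) {
  return [...result.tainted.entries()]
    .filter(([, t]) => t >= minTaint)
    .map(([address, t]) => ({ address, tainted: t, balance: result.balance.get(address) || 0 }))
    .sort((a, b) => b.tainted - a.tainted);
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = trace(TXS, new Set(['t3']));
  for (const row of report(result)) {
    console.log(`${row.address.padEnd(20)} tainted ${row.tainted} of balance ${row.balance}`);
  }
}

module.exports = { TXS, trace, report };
```

On the sample graph the 1000 stolen units end up as 450 still sitting in the mixer pool, 200 held by the attacker on the source chain, 200 on the bridged chain, and 150 in an exchange deposit address. The last entry is the one that matters operationally: the exchange is the only party in the chain that can freeze, and the tainted share (150 of a 500 deposit) is what an analyst would cite when asking it to.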

Why This Threat Matters for the Whole Market

DPRK attacks harm not only one exchange or one DeFi protocol. They hit trust across the whole market. After major hacks, users more often withdraw funds, investors demand stronger guarantees, and regulators put more pressure on companies.

For funds and large players, this is also an important factor. If a platform cannot protect assets, risk grows even when returns are high. Security becomes part of project evaluation, along with liquidity, team, reserves, and business model.

Risks for Regular Users

A regular user is also exposed to risk. They may not work at a crypto company or have access to large sums, but their money may sit on an exchange, in a wallet, in a DeFi protocol, or in an investment service.

A user can suffer in three cases. The first is if their personal wallet is hacked. The second is if a platform where they store assets is attacked. The third is if the market takes a hit to trust and token prices after a hack.

How Crypto Companies Can Reduce Risks

Crypto companies need to think not only about code, but also about people. It is important to check candidates, limit permissions, avoid giving new employees access to everything at once, and separate work devices from personal ones.

Basic measures include:

  • Multisig for large sums
  • Limits on asset withdrawals
  • Different roles for employees
  • Separate devices for important operations
  • Control over new packages and libraries
  • Test assignments and unknown repositories run only in isolated, disposable environments, never on work machines
  • Fast alerts for unusual transactions

This does not make a company invulnerable, but it lowers the chance that one mistake will lead to a loss of money.
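Several of the measures in that list (multisig above a threshold, withdrawal limits, role separation, and alerts on unusual transactions) only work if they are enforced in one place that every withdrawal passes through. The following is an added example written for this page, not the article's own or any exchange's code, of such a policy check. It holds a request when the destination is not on the allowlist or was added too recently, when the daily outflow cap would be exceeded, or when a large amount lacks enough approvals from approver-role users other than the requester; it also raises an alert whenever a single request would drain a large share of the hot wallet, even if policy allows it. The policy values, users, addresses and sample requests are constructed assumptions.

```javascript
// Added example (not from the article): one enforcement point for withdrawal policy.
// Policy values, users, addresses and requests below are constructed assumptions.

const POLICY = {
  singleSignerLimit: 10_000,            // above this a request needs approvalsRequired sign-offs
  approvalsRequired: 3,
  dailyOutflowLimit: 250_000,
  newDestinationCooldownMs: 24 * 60 * 60 * 1000,
  hotWalletAlertFraction: 0.2,          // page on any request that would move >20% of hot wallet
};

const STATE = {
  now: Date.parse('2025-02-21T14:00:00Z'),
  hotWalletBalance: 1_000_000,
  outflowToday: 200_000,
  destinations: {
    '0xOLD-treasury': { addedAt: Date.parse('2025-01-10T00:00:00Z') },
    '0xNEW-unknown':  { addedAt: Date.parse('2025-02-21T13:30:00Z') }, // added 30 minutes ago
  },
  roles: { alice: 'operator', eve: 'operator', bob: 'approver', carol: 'approver', dave: 'approver' },
};

// Returns { decision: 'allow' | 'hold', reasons, alerts, validApprovals }.
function evaluateWithdrawal(req, state = STATE, policy = POLICY) {
  const reasons = [];
  const alerts = [];

  // Destination control: allowlisted addresses only, and not ones added moments ago.
  const dest = state.destinations[req.to];
  if (!dest) {
    reasons.push('destination is not on the allowlist');
  } else if (state.now - dest.addedAt < policy.newDestinationCooldownMs) {
    reasons.push('destination was allowlisted less than 24h ago');
    alerts.push(`withdrawal requested to recently added destination ${req.to}`);
  }

  // Velocity control: daily outflow cap across all requests.
  if (state.outflowToday + req.amount > policy.dailyOutflowLimit) {
    reasons.push(`daily outflow limit ${policy.dailyOutflowLimit} would be exceeded`);
  }

  // Separation of duties: only approver-role users other than the requester count,
  // and each approver counts once.
  const valid = new Set();
  for (const who of req.approvals || []) {
    if (who !== req.requestedBy && state.roles[who] === 'approver') valid.add(who);
  }
  if (req.amount > policy.singleSignerLimit && valid.size < policy.approvalsRequired) {
    reasons.push(`amount over ${policy.singleSignerLimit} needs ${policy.approvalsRequired} approvals, has ${valid.size}`);
  }

  // Anomaly alert independent of the allow/hold decision.
  if (req.amount > state.hotWalletBalance * policy.hotWalletAlertFraction) {
    alerts.push(`request is ${((100 * req.amount) / state.hotWalletBalance).toFixed(0)}% of hot wallet balance`);
  }

  return { decision: reasons.length ? 'hold' : 'allow', reasons, alerts, validApprovals: [...valid] };
}

// Constructed requests: routine, properly approved, under-approved (self-approval and an
// operator do not count), and a large transfer to a just-added address.
const SAMPLE_REQUESTS = [
  { id: 'r1', requestedBy: 'alice', to: '0xOLD-treasury', amount: 5_000,   approvals: [] },
  { id: 'r2', requestedBy: 'alice', to: '0xOLD-treasury', amount: 40_000,  approvals: ['bob', 'carol', 'dave'] },
  { id: 'r3', requestedBy: 'alice', to: '0xOLD-treasury', amount: 40_000,  approvals: ['bob', 'carol', 'alice', 'eve'] },
  { id: 'r4', requestedBy: 'eve',   to: '0xNEW-unknown',  amount: 300_000, approvals: ['bob', 'carol', 'dave'] },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const req of SAMPLE_REQUESTS) {
    const res = evaluateWithdrawal(req);
    console.log(`${req.id}: ${res.decision}`, res.reasons, res.alerts);
  }
}

module.exports = { POLICY, STATE, SAMPLE_REQUESTS, evaluateWithdrawal };
```

The point of the fourth sample request is that a correctly signed transaction can still be the attack: three real approvers sign, but the destination is thirty minutes old and the amount breaks the daily cap, so the request is held and an alert fires before any key touches the chain. The cooling period and the outflow cap are what give a company time to notice a compromised operator or a tampered signing flow.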

How Investors Can Evaluate the Security of Crypto Platforms

An investor should look not only at yield, fees, and a convenient interface. In crypto, it is important to understand how a platform stores assets and what it does during incidents.

Before working with an exchange or service, it is worth checking:

  • Whether there have been major hacks in the past
  • How the team disclosed incident details
  • Whether smart contracts have been audited
  • Whether there are reserves and a clear asset custody structure
  • How withdrawal limits are arranged
  • Whether the company publishes security reports

If a service promises high returns but says nothing about asset custody and risks, that is a warning sign.

Why Security Is Becoming Part of Investment Analysis

The crypto market is maturing, and threats are becoming more complex. That is why security can no longer be treated as a technical detail somewhere in the background. For an investor, it is part of the analysis, alongside how a trader or platform confirms its results. Screenshots from a terminal are not enough: transparent trading statistics that show real portfolio dynamics, drawdown, risk, and results across different periods are far more convincing, and they help separate a sound strategy from attractive promises.

North Korean hackers have shown the market one important thing: the main vulnerability is often not inside the blockchain, but around it. It is people, access rights, hiring, chats, work devices, and external contractors.

Conclusion

North Korean hackers have changed the rules for the crypto market. Now the threat comes not only through code, wallets, and smart contracts. It passes through trust, work processes, fake vacancies, malicious packages, and employee access rights.

For exchanges, DeFi protocols, funds, and Web3 companies, this means one thing: security must be part of the whole system, not a separate task for the IT team. For investors, the takeaway is also simple. Before choosing a crypto platform, they need to evaluate not only profit and convenience, but also how well the service is ready for complex attacks.