In brief

  • Binance chief security officer, Jimmy Su, told Decrypt that North Korean attackers are the single biggest threat to crypto companies.
  • He said that the centralized exchange throws away suspicious resumes every single day, and sometimes catches the malicious actor red-handed during a video call.
  • North Korean attackers also poison public code libraries and try to infect employees via a fake Zoom update scam.

Every day, Binance is inundated with fake resumes that it’s certain were written by would-be North Korean attackers, the crypto exchange’s chief security officer Jimmy Su told Decrypt. In his view, nation-state actors from North Korea are the single largest threat facing companies in the crypto industry today.

Su explained that North Korean attackers have been an issue throughout the exchange’s eight-year existence, but recently, the hackers have upped their game when it comes to crypto.

“The largest vector currently against the crypto industry is state actors, particularly in the DPRK, [with] Lazarus,” Su told Decrypt, adding that, “They’ve had a crypto focus in the last two, three years and have been quite successful in their endeavors.” He added that “almost all the large DPRK hacks” have involved a fake employee helping facilitate the attack.

How North Korea attacks crypto exchanges

The Democratic People's Republic of Korea, also referred to as the DPRK or North Korea, is home to the Lazarus Group, one of the most prolific hacker clans in the world. The group is believed to have been responsible for the infamous Bybit $1.4 billion hack in March—the largest hack in crypto history, according to the FBI.

Su said that Binance has mostly noticed North Korean attackers attempting to get hired at the firm. The exchange says it discards such resumes daily, often because they reuse certain resume templates. The firm was not willing to share more specifics on resume red flags with Decrypt.

If those resumes make it past the initial vibe check, the company then has to verify on a video call that the applicant is genuine—a challenge that is only getting harder with the rise of AI.

“Our tracking used to [show] that the actor, the operative, will have a resume, and they mostly either have a Japanese or Chinese surname,” Su explained. “But now, with AI and events in AI, they are able to fake to appear to be any kind of developer. More recently, we have seen them be candidates from Europe, from the Middle East. What they do is they actually use a voice changer during their interviews, and the video was a deepfake.”

“The only real good detection is that they almost always have a slow internet connection,” he added. “What's happening is that the translation and the voice changer are working during the call … that’s why they are always delayed.”

There are other ways that Binance can detect a North Korean applicant—such as asking them to put their hand over their face, which usually breaks the deepfake—but Binance doesn’t want to reveal all of its tricks out of fear that attackers may be reading this article.

Other employers have been known to ask candidates to say something negative about North Korean supreme leader Kim Jong Un, which is believed to be outlawed in the country, and have reported positive results.

Binance claims to have never hired a nation-state actor; however, it cannot be certain. As a result, it also monitors its current employees for suspicious behavior—something all financial institutions do to some degree.

Ironically, according to Su’s research, DPRK employees are usually among the company’s top performers in the given role. That’s likely because there may be multiple people doing the same job across multiple time zones, he explained. So Binance tracks when employees are working, along with their output.

If a worker doesn’t appear to ever sleep, it might be a sign they’re part of the infamous Lazarus Group.
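The working-hours signal Su describes can be checked mechanically. The following Python script is an added example, not Binance's own tooling: it takes a constructed activity log (commit or login timestamps per account, assumed to be in UTC) and flags any account whose daily activity profile never contains a contiguous rest window of at least six hours. The six-hour threshold, the account names and the sample timestamps are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log (account, ISO-8601 UTC timestamp); not real Binance data.
# "alice" works a 08:00-17:59 UTC day; "bob" shows activity in almost every hour of the day,
# the pattern that several people sharing one identity across time zones would produce.
EVENTS = (
    [("alice", f"2025-06-0{d}T{h:02d}:15:00") for d in (2, 3, 4) for h in range(8, 18)]
    + [("bob", f"2025-06-0{d}T{h:02d}:40:00") for d in (2, 3, 4)
       for h in (0, 1, 2, 3, 5, 6, 7, 9, 10, 12, 13, 14, 16, 17, 18, 20, 21, 22, 23)]
)

def active_hours(events):
    """Map each account to the set of UTC hours-of-day in which it was active."""
    hours = defaultdict(set)
    for account, stamp in events:
        hours[account].add(datetime.fromisoformat(stamp).hour)
    return hours

def longest_idle_run(hours):
    """Longest run of consecutive idle hours, treating the day as circular (23 wraps to 0)."""
    idle = [h not in hours for h in range(24)]
    if all(idle):
        return 24
    best = run = 0
    for is_idle in idle + idle:  # doubled so a rest window crossing midnight is counted whole
        run = run + 1 if is_idle else 0
        best = max(best, run)
    return min(best, 24)

def flag_no_rest(events, min_rest_hours=6):
    """Return accounts whose longest daily idle window is shorter than min_rest_hours."""
    return sorted(
        account for account, hours in active_hours(events).items()
        if longest_idle_run(hours) < min_rest_hours
    )

if __name__ == "__main__":
    for account, hours in active_hours(EVENTS).items():
        print(f"{account}: active {len(hours)}h/day, longest rest window {longest_idle_run(hours)}h")
    print("flagged:", flag_no_rest(EVENTS))  # flagged: ['bob']
```

In practice the hours should be shifted into the employee's declared time zone before profiling, and the signal is a prompt for a human review of the account's output and access patterns rather than a verdict on its own.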

How else is North Korea attacking?

There are two other frequent modes of attack employed by North Korean state actors, Su said. One involves poisoning public NPM libraries with malicious code, while the other sees the rogue state making fake job offers to crypto employees.

Node Package Manager (NPM) libraries, or packages, are collections of reusable code that developers pull into their own projects frequently. Malicious attackers can duplicate these packages and insert a small line of code that could have grave consequences—all while keeping the package's original function intact. If a poisoned package is pulled in even once, the malicious code embeds itself deeper and deeper into the system as developers build on top of it, Su said.

To prevent this from becoming an issue, Binance has to go through the code with a fine-tooth comb. Major crypto exchanges also share intelligence related to security in Telegram and Signal groups—meaning they’re able to flag poisoned libraries and emerging DPRK techniques with their peers.
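The fine-tooth-comb review Su describes can be partly automated. The following Python script is an added example, not Binance's or npm's own tooling: it audits package.json manifests for two of the signals a reviewer would look at first, a package name one typo or transposition away from a package the team actually trusts, and an install-time hook (preinstall, install or postinstall) on a package that is not known to need one, which is how a duplicated package with "a small line of code" inserted typically gets that code to run. The trusted-name list, the hook allowlist and the sample manifests are constructed assumptions.

```python
import json
import os

# Constructed allowlists (assumptions for this example, not Binance policy): the package names
# the team actually depends on, and which of those are known to legitimately run install hooks.
TRUSTED_NAMES = {"lodash", "react", "express", "axios", "esbuild", "left-pad"}
INSTALL_HOOK_ALLOWLIST = {"esbuild"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample package.json contents, standing in for a scanned node_modules tree.
SAMPLE_MANIFESTS = [
    {"name": "lodash", "version": "4.17.21", "scripts": {"test": "node test/test.js"}},
    {"name": "esbuild", "version": "0.21.0", "scripts": {"postinstall": "node install.js"}},
    # a typosquat of lodash that also runs code at install time
    {"name": "lodahs", "version": "4.17.21", "scripts": {"postinstall": "node setup.js"}},
    # a copy of a trusted package carrying an install hook the genuine one never had
    {"name": "left-pad", "version": "1.3.0", "scripts": {"preinstall": "node ./bin/prep.js"}},
]

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions (lodahs -> lodash = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def audit_manifest(manifest, trusted=TRUSTED_NAMES, hook_allowlist=INSTALL_HOOK_ALLOWLIST):
    """Return (package name, reason) findings for one package.json."""
    name = manifest.get("name", "")
    findings = []
    # 1. lookalike name: one typo or transposition away from a package the team relies on
    if name not in trusted:
        for t in sorted(trusted):
            if osa_distance(name, t) <= 1:
                findings.append((name, f"name resembles trusted package '{t}'"))
    # 2. code that runs at install time, unless this package is known to need it
    if name not in hook_allowlist:
        for hook in INSTALL_HOOKS:
            cmd = manifest.get("scripts", {}).get(hook)
            if cmd:
                findings.append((name, f"declares install hook '{hook}': {cmd}"))
    return findings

def audit_tree(manifests, trusted=TRUSTED_NAMES, hook_allowlist=INSTALL_HOOK_ALLOWLIST):
    """Audit every manifest and return all findings."""
    return [f for m in manifests for f in audit_manifest(m, trusted, hook_allowlist)]

def load_manifests(node_modules_dir):
    """Read package.json from each top-level (and @scoped) package under a node_modules dir."""
    manifests = []
    for entry in sorted(os.listdir(node_modules_dir)):
        paths = [os.path.join(node_modules_dir, entry)]
        if entry.startswith("@") and os.path.isdir(paths[0]):  # scoped packages sit one level deeper
            paths = [os.path.join(paths[0], sub) for sub in os.listdir(paths[0])]
        for pkg_dir in paths:
            pkg_json = os.path.join(pkg_dir, "package.json")
            if os.path.isfile(pkg_json):
                with open(pkg_json, encoding="utf-8") as fh:
                    manifests.append(json.load(fh))
    return manifests

if __name__ == "__main__":
    for name, reason in audit_tree(SAMPLE_MANIFESTS):
        print(f"{name}: {reason}")
    # to audit a real checkout: audit_tree(load_manifests("./node_modules"))
```

Both checks produce leads, not verdicts: a flagged package still needs its tarball diffed against the upstream release, and the allowlists need to be kept in a reviewed file rather than in the script, so that adding a package to them is itself a change someone signs off on.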

“The DPRK group will [also] try to schedule calls with the external-facing employees,” Su told Decrypt. “Either as a DeFi project or investment firm. Worst yet, they’ll be recruiting them for a high-level job, paying twice, three times as much, just to get them onto an interview.”

During the fake interview, Su explained, the DPRK hackers will claim that the call has “some kind of video or voice issues,” before sending the victim a link to update their Zoom. Then, he said, their device is infected with malware.

Binance has trained its employees to report every phishing attempt made on them. Judging by the frequency of these reports, Su is confident that DPRK attackers are messaging Binance employees on LinkedIn every day.

North Korean hackers stole $1.34 billion across 47 crypto-related incidents last year, a Chainalysis report revealed. Since then, the DPRK attacks have persisted, with Wiz's Director of Strategic Threat Intelligence estimating that $1.6 billion in crypto has been stolen so far this year via fake IT job offers.

“Lazarus Group has always been an issue,” Su told Decrypt. “But in the last two, three years, they have switched their focus, more of their resources onto crypto. Just because of the industry’s [large] dollar amount.”
