Over 900 Crypto Jobs Are Now Filled By North Korean Hackers
ZachXBT exposes North Korean crypto hackers in IT roles, with weak KYC fueling rising DeFi security threats and fake applicants.
- ZachXBT reveals 345–920 suspected North Korean hackers may hold crypto IT jobs, often juggling multiple roles simultaneously.
- Hackers have earned over $16.5 million via salary payments, exposing global firms with weak KYC/AML and rising DeFi breach risks.
- Red flags include fake profiles, poor performance, and refusal to meet teams—signals startups must not ignore.
Crypto sleuth ZachXBT published an exposé on North Korean hackers working in the crypto industry, claiming they may occupy up to 920 IT and software development jobs.
These infiltrators are active worldwide, targeting companies across the crypto industry. Still, they often have telltale red flags, and dedicated startups can sniff out potential threats.
North Korean Hackers are Silently Infiltrating Crypto Businesses
Since the Lazarus Group pulled off the biggest theft in crypto history this year, the industry has been wary of North Korean hackers.
Crypto crime is at an elevated rate across the board, further contributing to the panic. However, there hasn’t been a concrete analysis of potential infiltrators working in crypto, which ZachXBT is attempting to remedy.
1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies.
To put this in perspective payments range from $3K-8K per month meaning… pic.twitter.com/pjHZG9wJ4r
— ZachXBT (@zachxbt) July 2, 2025
ZachXBT, one of the industry’s most famous sleuths, has been tracking North Koreans in DeFi for several months. Some of the first major infiltrators were unmasked in May, but the trend is increasing.
Last week, these hackers stole $1 million from several NFT projects, showing their increasing capabilities. So, how does this infiltration work?
Tracking the Breaches
Many hackers are paid exclusively in crypto, or a mix of crypto and fiat, enabling sleuths to track their blockchain data. ZachXBT tracked legitimate salary payments to clusters of suspected North Koreans, which totaled $16.58 million this year.
Many applicants worked multiple jobs at once, so there may not be 900+ simultaneous hackers.
Still, that’s a small comfort for many. North Korean hackers are likely present in almost every regional crypto industry, regardless of KYC/AML requirements.
Many smaller startups are facing a talent shortage, encouraging them to ignore potential red flags. These hackers also post fake job postings, further developing their ability to mimic normal applicants.
Nonetheless, common red flags can help companies identify these candidates during the hiring process, like sketchy digital footprints, failed KYC checks, and refusal to meet coworkers in the cities they allegedly live in.
The most important indicator, however, is shoddy performance and a high turnover rate. North Korean hackers routinely take IT and software development jobs at multiple firms at once, trying to get any inside access they can.
They are frequently unable to meet the workload, especially because they’re mainly interested in breaching security.
All that is to say, crypto startups should be able to prevent North Korean infiltration. So far, many of the infiltrators' techniques are surprisingly amateurish.
A security firm recently claimed that the Lazarus Group sends weaker hackers to breach companies, employing more veteran thieves to actually steal the assets. Dedicated watchers can prevent these breaches.