In an interview with Stripe’s John Collison, Coinbase CEO Brian Armstrong shared details on tactics North Korean hackers use to infiltrate Coinbase. Attempts by deceptive agents to bribe the exchange’s support team or get jobs at Coinbase resulted in stricter security standards. What did we learn about hackers from the DPRK? 🤔
“[We] really started to make a deterrent in the sense of, when we catch people doing this – and we red‑team it consistently – we don’t walk them out the door – they go to jail. We try to make it very clear that you’re destroying the rest of your life by taking this, even if you think it’s some life‑changing amount of money, it’s not worth going to jail.” 🚔
Another measure is putting out a $20 million bounty for information that could help arrest or convict attackers. Armstrong emphasized that Coinbase is going after not only insiders but also the threat actors themselves. 💸🕵️♂️
What is known about hackers from the DPRK? 🤔
During the same interview, Armstrong said that “DPRK is very interested in stealing crypto,” and this statement should not be underestimated. According to Elliptic, a blockchain analytics company, the hack of the crypto exchange ByBit by North Korean hackers was the biggest heist in history. Hackers from the infamous Lazarus Group, which is associated with the DPRK, managed to steal $1.46 billion in crypto assets. Since 2017, the DPRK has stolen over $5 billion in crypto. 🧾💰 Allegedly, 40% of the North Korean military’s nuclear program is funded via stolen cryptocurrencies. Over $300 million of the money stolen from ByBit was probably used to fund nuclear weapons. 🚀💣
The North Korean hackers use diverse tactics to steal crypto and launder money. On Aug. 13, 2025, a prominent anonymous crypto sleuth using the ZachXBT handle on X shared documents leaked from the North Korean hackers who pretended to be IT workers in Western companies. 📄
The leak revealed that five agents had been operating 30 fake identities with bogus LinkedIn and Upwork IT worker accounts. They communicated mostly in English and used various Google services to conduct their operations, buying accounts on job platforms, Social Security numbers, etc. Some screenshots of these agents’ browser history reveal low levels of technical competency. According to ZachXBT, hiring a North Korean agent is “100% negligence.” In his opinion, figuring out that a candidate is a DPRK agent is not that hard. 🤡
9/ Other interesting items from their searches and browser history included: 📱
– ZachXBT (@zachxbt) August 13, 2025
However, although the DPRK agents perform poorly and get fired quickly, they find new jobs; usually several agents take positions at the same company simultaneously and eventually manage to steal crypto. 🧑💻
6/ I am closely monitoring five other larger clusters of DPRK ITWs but will not share those addresses publicly since they are active.
One thing to note is the number does not include exploits conducted by them on projects (LND, ChainSaw, Favrr, Munchables, Dream, etc)
They… 🤡
– ZachXBT (@zachxbt) July 2, 2025
North Korean hackers used to launder stolen assets via Binance and Coinbase, but had to find other ways as these exchanges increased KYC/AML scrutiny. They developed a chain of over-the-counter brokers. North Korean hackers also use crypto mixer platforms that obfuscate transaction data. In connection with Lazarus Group activity, the U.S. Treasury has named mixer platforms such as Sinbad, Tornado Cash, and Blender. 💸
According to ZachXBT, the public company Circle, a prime competitor of Tether, is neglecting the use of its stablecoin USDC in DPRK-related money laundering operations, and was the only company that didn’t freeze flagged wallets when ZachXBT brought up the connection. The company eventually froze the addresses involved in hacking months later. Circle CEO Jeremy Allaire responded to ZachXBT’s criticism by saying that the company would not freeze addresses solely based on ZachXBT’s investigation; a request from law enforcement was necessary. 🚔
5/ USDC was sent directly from Circle accounts to three addresses in this cluster.
It’s 1 hop from an address blacklisted by Tether in April 2023 tied to Hyon Sop Sim.
Other DPRK ITW clusters currently have decent sized quantities of USDC sitting.
I think it’s misleading… 💸
– ZachXBT (@zachxbt) July 2, 2025
ZachXBT accuses Circle of allowing North Korean hackers to use USDC so that the company can earn transaction fees. Similar claims were made against the MetaMask wallet, which was allegedly involved in DPRK money laundering operations. 🧾
While ZachXBT dismisses the sophistication of the DPRK agents when they try to infiltrate tech companies, Coinbase has its reasons to be cautious. Given that Coinbase is responsible for the custody of over 2.2 million bitcoins, which is more than 10% of the total supply, extensive control over its workforce may not seem unnecessary. 🧾
2025-08-23 14:10