
According to crypto investigator ZachXBT, 345 to 920 North Korean hackers have infiltrated crypto startups around the world.
They have also earned over $16.5 million in salaries since January 2025.
These operatives pose as remote developers and IT specialists and use their privileges to access company codebases and admin keys.
This infiltration is linked to the rise in hacks and scams in the NFT and DeFi spaces.
The crypto industry is once again under the microscope. This time, not for its volatility or regulatory developments.
According to insights from crypto investigator ZachXBT, hundreds of North Korean hackers may have quietly secured jobs within crypto startups across the world.
His latest investigation, which was released on 2 July, shows how these hackers have managed to receive over $16.5 million in salaries from crypto companies since the beginning of the year.
They have posed as everything from remote developers to software engineers and IT specialists in this scheme, and here are a few things to keep in mind.
According to ZachXBT, between 345 and 920 North Korean operatives may currently be holding jobs across various crypto firms.
These workers are believed to be part of a much bigger effort from the North Korean regime to infiltrate Web3 companies, gather intelligence and, in many cases, gain access to project funds.
North Koreans infiltrating the job market | Source: Twitter
Analyzing data from salary payments and blockchain activity, ZachXBT calculated that the average hacker earned between $3,000 and $8,000 per month.
Some of these hackers even worked multiple jobs simultaneously.
While some of these roles are believed to be relatively low-level, others may have involved privileged access to company codebases or admin keys.
This is likely where the rash of hacks and scams has been coming from.
These aren’t just rogue freelancers trying to earn a paycheck.
ZachXBT warned that in many cases, the hackers use their internal access to exploit companies from the inside.
This can include breaking in and making off with funds, helping to stage rug pulls, or leaking sensitive information.
Several recent hacks in the NFT and DeFi spaces, including the $1 million hack last week, are believed to be connected to these operatives.
Hackers stole $1 million last week | Source: Twitter
This goes without mentioning the notorious Lazarus Group, North Korea’s most infamous state-sponsored hacking unit.
Lazarus has already been linked to some of the largest crypto thefts in history, and experts believe that they are now recruiting junior employees to gain access, while the more experienced team members do the actual stealing.
One of the most disturbing aspects of the report is how easily these hackers slip past the defenses of Web3 companies.
This is very disturbing, considering how crypto is an industry that prides itself on decentralization and fast hiring.
Standard security checks like proper KYC (Know Your Customer) and AML (Anti-Money Laundering) procedures are increasingly being overlooked, especially by small startups.
ZachXBT identified several red flags that companies should be watching out for, including the use of Russian or foreign IP addresses despite claiming to live in the U.S. or Western Europe.
Other red flags include failed KYC verifications and refusal to attend in-person meetings or show up at local events in the cities where they claim to reside.
Further signs include an inconsistent online presence, such as frequent GitHub name changes or incomplete work histories, as well as poor job performance and high turnover.
According to ZachXBT, many of these hackers struggle to meet deliverables because their main goal is access, not output.
One example in the report is a developer named Sandy Nguyen, who was tracked via on-chain activity.
Nguyen was later identified at a tech event in Russia, alongside other suspected North Korean operatives.
The U.S. Department of Justice (DOJ) and Japan’s regulators have already taken notice of this trend.
Moves from the DoJ | Source: Twitter
Recently, the DOJ moved to seize $7.7 million in crypto tied to similar North Korean hacking attempts, while Japan has been actively lobbying the G7 to stop the regime’s use of crypto to fund weapons development.
Overall, ZachXBT’s findings are a call to action:
Crypto security isn’t just about firewalls and smart contracts, and security should be an all-round measure.