North Korean IT Workers' Secret Crypto Operations within Google Docs, Upwork, and LinkedIn Unveiled

Unofficial North Korean tech professionals obtained government IDs, virtual private networks, artificial intelligence subscriptions, and electronic devices to secure sought-after jobs.


In a sophisticated and coordinated operation, North Korean operatives have been infiltrating the global cryptocurrency development job market using forged government-issued IDs and fabricated digital identities, according to recent reports.

These operatives, supported by training from elite universities within North Korea, have been linked to multiple high-profile cyberattacks, including the February 2025 hack of Dubai-based Bybit, the largest crypto exchange hack in history, in which approximately $1.5 billion in Ethereum was stolen. The attack on Bybit was attributed to North Korean operatives by the FBI and was labeled "TraderTraitor".

The Lazarus Group, known for cryptocurrency hacks, and AI-focused research groups aiming to evade sanctions and launder funds through crypto projects are among the state-backed units involved in this operation. The operatives not only steal funds but have also been involved in inserting backdoors into smart contracts across DeFi and meme token projects, increasing the security risks for affected companies.

To blend in, these operatives purchase or rent legitimate LinkedIn and Upwork accounts. During interviews, they prepare scripted answers, often claiming prior experience with well-known crypto companies such as OpenSea and Chainlink to establish credibility and secure developer positions remotely. After hiring, they work via freelance platforms like Upwork, using remote access tools such as AnyDesk and VPNs to conceal their true location and maintain operational security. They also use collaboration tools like Google Drive and company translation tools to communicate effectively with their targets.

A small group of about six North Korean IT workers controls at least 31 fake identities, including forged government IDs and phone numbers, as well as purchased LinkedIn and freelance platform accounts like Upwork. The scale of this operation has increased dramatically in recent years, with a 220% spike in North Korean IT worker infiltrations reported in the past year alone, now spanning hundreds of companies globally.

These operatives leverage automation, generative AI, and rental of external hardware to sustain and expand their fraudulent employment, making detection and prevention a growing challenge for the crypto industry and broader tech sector.

In July 2025, CoinDCX, an Indian cryptocurrency exchange, fell victim to a $44 million heist, which was also linked to the Lazarus Group. The attack on CoinDCX exploited vulnerabilities in the exchange's liquidity infrastructure and exposed internal credentials.

As the crypto industry continues to grow, so does the threat posed by North Korean hackers, specifically the Lazarus Group. Collaboration between private companies and services, as well as the willingness of teams to address fraudulent activity, remain a challenge in countering these operations. It is crucial for the industry to stay vigilant and implement robust security measures to protect against these sophisticated attacks.


  1. The North Korean operatives, linked to the largest crypto exchange hack in history, have been using forged identities to secure remote developer positions in the global cryptocurrency industry.
  2. In addition to stealing funds, these operatives have been found inserting backdoors into smart contracts across DeFi and meme token projects, increasing security risks.
  3. To blend in, these North Korean operatives purchase or rent legitimate accounts on platforms like LinkedIn and Upwork, preparing scripted answers during interviews to establish credibility.
  4. As the crypto industry grows, it faces a growing challenge from North Korean hackers, such as the Lazarus Group, and implementing robust security measures is crucial to counter these sophisticated attacks.
