Overview
- Zhao outlined tactics in which DPRK-linked actors pose as job candidates, recruiters, or customers to plant malware and gain insider access at crypto companies.
- Methods described include fake Zoom “updates,” booby-trapped “sample code,” and malicious links sent through support tickets, all aimed at compromising employee devices.
- Zhao cited a breach at an outsourced provider in India that he said preceded more than $400 million in losses at a U.S. exchange.
- Security Alliance released a database of over 60 known impostor profiles tied to North Korean operatives and called for broader information sharing to slow identity recycling.
- Reporting links these operations to state-backed groups such as Lazarus and Famous Chollima, reinforcing calls for stronger vetting, onboarding controls, and employee training across the sector.