Binance Calls Lazarus Group Its Biggest Threat Yet
Binance’s Chief Security Officer, Jimmy Su, has named the North Korean hacking group Lazarus as the company’s single biggest security threat, as the exchange continues to fend off persistent infiltration attempts from the country.
According to Su, members of the Lazarus Group have been trying to penetrate Binance’s systems ever since the company’s founding eight years ago. In recent years, their tactics have grown increasingly sophisticated, making them a formidable challenge for the exchange.
“The largest vector currently against the crypto industry is state actors, particularly in the DPRK. They’ve had a crypto focus in the last two, three years and have been quite successful in their endeavors.”
The Democratic People’s Republic of Korea (DPRK) is home to one of the most prolific hacker collectives in the world.
The FBI has linked the group to several high-profile attacks, including the roughly $1.4 billion Bybit hack in February 2025.
How North Korean Hackers Try to Infiltrate Binance
Su revealed that North Korean attackers have frequently attempted to get hired at Binance. In response, the company has implemented multiple layers of defense to block them from gaining insider access.
The first line of defense is resume screening. Binance filters out and discards applications suspected of originating from DPRK operatives.
If a resume passes this preliminary vetting, the applicant is invited to a video interview so that the hiring team can visually confirm their identity.
However, this verification step is becoming harder as artificial intelligence tools improve. Su explained that North Korean applicants can now use AI not only to alter their facial appearance but also to modify their voice in real time, making them harder to detect during interviews.
One of the few consistent giveaways, Su noted, is a slow internet connection:
“The only real good detection is that they almost always have a slow internet connection. What’s happening is that the translation and the voice changer are working during the call. That’s why they are always delayed.”
Ironically, Su added, DPRK-linked hires often appear to be among the company’s most productive employees—possibly because multiple people share the same account and work in shifts across different time zones.
Binance also keeps track of employee work patterns as an added security measure.
“If a worker doesn’t appear to ever sleep, it might be a sign they’re part of the infamous Lazarus Group.”
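The work-pattern check described above can be approximated from ordinary activity logs (VPN logins, commits, ticket updates). The script below is an added illustration written for this page, not Binance's own tooling: it groups constructed sample events per account, measures the longest quiet stretch between consecutive events, and flags accounts that show no rest window of at least MIN_REST_HOURS across the observation period. The thresholds, the account names and the timestamps are all assumptions. Evaluating in UTC matters: an account worked in shifts across time zones shows up as round-the-clock activity precisely because nobody is correcting for local night.

```python
"""Flag accounts that never show a plausible rest window.

Added example for this article; not Binance's detection code.
Input: (account, ISO-8601 UTC timestamp) activity events, constructed below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_REST_HOURS = 6       # assumed: a real person is quiet at least this long daily
MIN_OBSERVED_DAYS = 2    # assumed: do not judge an account on too little data

# Constructed sample events (account, UTC timestamp); not real log data.
SAMPLE_EVENTS = [
    # alice: works roughly 09:00-18:00 UTC, quiet overnight
    ("alice", "2025-06-02T09:05:00"), ("alice", "2025-06-02T13:40:00"),
    ("alice", "2025-06-02T17:55:00"), ("alice", "2025-06-03T08:50:00"),
    ("alice", "2025-06-03T12:10:00"), ("alice", "2025-06-03T18:20:00"),
    ("alice", "2025-06-04T09:10:00"),
    # bob: activity every few hours around the clock, never a 6 h gap
    ("bob", "2025-06-02T00:30:00"), ("bob", "2025-06-02T04:10:00"),
    ("bob", "2025-06-02T09:00:00"), ("bob", "2025-06-02T13:45:00"),
    ("bob", "2025-06-02T18:20:00"), ("bob", "2025-06-02T23:05:00"),
    ("bob", "2025-06-03T03:50:00"), ("bob", "2025-06-03T08:30:00"),
    ("bob", "2025-06-03T13:15:00"), ("bob", "2025-06-03T17:40:00"),
    ("bob", "2025-06-03T22:10:00"), ("bob", "2025-06-04T02:55:00"),
    ("bob", "2025-06-04T07:30:00"),
    # carol: only an hour of history, too little to judge
    ("carol", "2025-06-02T10:00:00"), ("carol", "2025-06-02T11:00:00"),
]


def longest_quiet_gap(timestamps):
    """Longest interval between two consecutive events (timedelta)."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return timedelta(0)
    return max(later - earlier for earlier, later in zip(ts, ts[1:]))


def analyse(events, min_rest_hours=MIN_REST_HOURS,
            min_observed_days=MIN_OBSERVED_DAYS):
    """Return {account: {observed_days, longest_gap_hours, verdict}}.

    verdict is one of:
      "insufficient-data"  - span of history shorter than min_observed_days
      "no-rest-window"     - never quiet for min_rest_hours: possibly shared
      "ok"                 - at least one rest window seen
    """
    by_account = defaultdict(list)
    for account, stamp in events:
        by_account[account].append(datetime.fromisoformat(stamp))

    report = {}
    for account, ts in by_account.items():
        ts.sort()
        observed = ts[-1] - ts[0]
        gap = longest_quiet_gap(ts)
        if observed < timedelta(days=min_observed_days):
            verdict = "insufficient-data"
        elif gap < timedelta(hours=min_rest_hours):
            verdict = "no-rest-window"
        else:
            verdict = "ok"
        report[account] = {
            "observed_days": round(observed.total_seconds() / 86400, 2),
            "longest_gap_hours": round(gap.total_seconds() / 3600, 2),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for account, row in analyse(SAMPLE_EVENTS).items():
        print(f"{account:6} {row['verdict']:18} "
              f"longest gap {row['longest_gap_hours']:.2f} h "
              f"over {row['observed_days']:.2f} days")
```

Treat a "no-rest-window" verdict as a prompt for a human check, not proof: on-call engineers, automation running under a personal account, and bots that post on someone's behalf produce the same signature.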
Multi-Faceted Threats: From Code Poisoning to Social Engineering
Once embedded in the crypto space, DPRK operatives often employ two common attack strategies. The first involves injecting malicious code into public software libraries, aiming to compromise crypto projects that unknowingly integrate the tainted code into their platforms.
To counter this, Binance reviews public libraries carefully before adopting them rather than trusting a package on its reputation alone.
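A first mechanical pass over a third-party package is to look at the places where tainted libraries usually hide their payload: install-time lifecycle hooks and dependencies pulled from outside the package registry. The script below is an added example for this page, not Binance's review tooling and not a description of any specific poisoned package: it parses an npm package.json, reports lifecycle scripts that pipe remote content into an interpreter, run inline or base64-decoded code, or call eval, and reports dependencies that resolve to git or HTTP sources instead of the registry. The two manifests are constructed; the package and dependency names in them are made up.

```python
"""Flag install-time hooks and non-registry sources in an npm manifest.

Added example for this article; not Binance's review process.
"""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (pattern, reason). Patterns are deliberately broad; a hit means "read this".
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b"),
     "remote script piped into an interpreter"),
    (re.compile(r"\bnode\s+-e\s"), "inline node code in install hook"),
    (re.compile(r"base64|\batob\("), "base64-encoded payload"),
    (re.compile(r"\beval\("), "eval in install hook"),
]

# Dependency specs that bypass the registry: git, raw URLs, local paths.
NON_REGISTRY = re.compile(
    r"^(git\+|git://|https?://|github:|gitlab:|bitbucket:|file:|\.{0,2}/)")


def review_manifest(text):
    """Return a list of (location, reason, value) findings for a package.json."""
    manifest = json.loads(text)
    findings = []

    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        if not hits:
            # Any hook that runs on install deserves a manual look anyway.
            hits = ["lifecycle hook present, review manually"]
        for why in hits:
            findings.append((f"scripts.{hook}", why, cmd))

    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if NON_REGISTRY.search(spec):
                findings.append((f"{section}.{name}",
                                 "dependency fetched outside the registry", spec))
    return findings


# Constructed manifests (package and dependency names are made up).
CLEAN_MANIFEST = json.dumps({
    "name": "example-clean-lib",
    "version": "2.0.1",
    "scripts": {"test": "jest", "build": "tsc -p ."},
    "dependencies": {"ethers": "^6.9.0"},
})

TAINTED_MANIFEST = json.dumps({
    "name": "example-eth-utils",
    "version": "1.4.2",
    "scripts": {
        "postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=',"
                       "'base64').toString())\"",
        "test": "jest",
    },
    "dependencies": {
        "web3": "^4.0.0",
        "example-helper": "git+https://github.com/example-user/example-helper.git",
    },
})


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("tainted", TAINTED_MANIFEST)):
        print(f"== {label}")
        for location, reason, value in review_manifest(text):
            print(f"  {location}: {reason}\n      {value}")
```

A clean result from this pass is not a clean package: it says nothing about what the library's runtime code does, and lock-file integrity hashes still have to match what was reviewed. It is the cheap triage that decides which packages get the line-by-line read.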
Another important layer of defense comes from industry cooperation. Major crypto exchanges share intelligence with one another through Telegram and Signal groups, enabling them to quickly flag compromised libraries and warn each other about emerging DPRK attack methods.
The second major tactic is social engineering. DPRK hackers frequently pose as external recruiters or project collaborators, inviting crypto professionals to fake job interviews.
During these calls, they attempt to convince the target to download malware disguised as a harmless “Zoom update.”
Through a combination of rigorous internal screening, advanced code analysis, and close coordination with industry peers, Binance continues to build its defenses against one of the most persistent and well-resourced threats in the crypto sector.