In an interview with Stripe’s John Collison, Coinbase CEO Brian Armstrong shared details on tactics North Korean hackers use to infiltrate Coinbase. Attempts by deceptive agents to bribe the exchange’s support team or get jobs at Coinbase resulted in stricter security standards. What did we learn about hackers from the DPRK?
Summary
- In a new interview, Brian Armstrong emphasized that North Korea is trying to infiltrate tech companies with a large number of its agents disguised as remote IT workers.
- Armstrong said it feels like around 500 new agents graduate from special schools every quarter.
- According to Armstrong, threat actors are trying to bribe the Coinbase support team with hundreds of thousands of dollars to get private info.
- Coinbase had to tighten up its security standards while hiring new people. Only the fingerprinted employees with U.S. citizenship and family in-country can access sensitive info.
- Previously, investigators found out that the DPRK is constantly trying to get its agents hired in tech companies so they can steal cryptocurrency there. Stolen crypto is thought to be used as funding for the North Korean nuclear program.
North Korea takeaways from Armstrong’s interview
On Aug. 20, 2025, the Stripe YouTube channel released a new video. In it, Collison and Armstrong, who are the heads of Stripe and Coinbase, have a conversation about notable trends in the cryptocurrency space.
Collison asked Armstrong what the general tech public does not appreciate about the cybercrime landscape, and Armstrong’s nearly immediate response was “a lot of North Korean agents are trying to work at these companies,” most of the time remotely.
Armstrong said that while companies are working with law enforcement and get notified about some candidates as “known actors,” it feels like 500 more agents graduate from “some kind of school” in the DPRK each quarter, and infiltrating tech companies is their “whole job.”
He emphasized that he does not blame individuals for becoming agents:
“In many of these cases, it’s not the individual person’s fault. Their families will be coerced or detained if they don’t cooperate. So actually, they’re the victim as well in many cases.”
During online job interviews, the DPRK agents usually have some kind of a coach around who assists them, so Coinbase employees have to demand that candidates turn on the camera to make sure they are talking with a real person and no one is nearby to give instructions.
If an employee needs to access any sensitive system, they are required to come to the U.S. in person for orientation. Coinbase limits access to sensitive data by allowing only fingerprinted employees with U.S. citizenship and family in-country. Such a strict approach is dictated by increased security concerns associated with the DPRK infiltration attempts.
Another concern voiced by Armstrong during the interview is the cases when threat actors were trying to bribe Coinbase support team agents, offering hundreds of thousands of dollars in exchange for smuggling in personal phones, taking screen photos, and sharing other types of data. To address the risk of leaks resulting from bribery, Coinbase had to increase control over the support team and move customer support offices to the U.S. and Europe. Armstrong said:
“[We] really started to make a deterrent in the sense of, when we catch people doing this – and we red‑team it consistently — we don’t walk them out the door — they go to jail. We try to make it very clear that you’re destroying the rest of your life by taking this, even if you think it’s some life‑changing amount of money, it’s not worth going to jail.”
Another measure is putting out a $20 million bounty for information that could help arrest or convict attackers. Armstrong emphasized that Coinbase is not only going after insiders but targets the threat actors themselves.
What is known about hackers from the DPRK?
During the same interview, Armstrong said that “DPRK is very interested in stealing crypto,” and this statement cannot be underestimated. According to a blockchain analyst company, Elliptic, the hacking of a crypto exchange, ByBit, by North Korean hackers was the biggest heist in history. Hackers from the infamous Lazarus Group associated with the DPRK managed to steal $1.46 billion in crypto assets. Since 2017, the DPRK has stolen over $5 billion in crypto. Allegedly, 40% of the North Korean military’s nuclear program is funded via stolen cryptocurrencies. Over $300 million of money stolen from ByBit was probably used to fund nuclear weapons.
The North Korean hackers use diverse tactics to steal crypto and launder money. On Aug. 13, 2025, a prominent anonymous crypto sleuth using the ZachXBT handle on X shared documents leaked from the North Korean hackers who pretended to be IT workers in Western companies.
The leak revealed that five agents have been operating 30 fake identities and had bogus LinkedIn and Upwork IT worker accounts. They were communicating mostly in English and using various Google services to conduct their operations, buying accounts on job platforms, serial security numbers, etc. Some of the screenshots of the browser history of these agents reveal low levels of tech competency. According to ZachXBT, hiring a North Korean agent is “100% negligence.” In his opinion, figuring out that the candidate is a DPRK agent is not that hard.
However, despite the fact that the DPRK agents are bad at work and get fired quickly, they find new jobs; usually, several agents are taking positions at the same company simultaneously, and eventually manage to steal crypto.
6/ I am closely monitoring five other larger clusters of DPRK ITWs but will not share those addresses publicly since they are active.
One thing to note is the number does not include exploits conducted by them on projects (LND, ChainSaw, Favrr, Munchables, Dream, etc)
They… pic.twitter.com/kIbFewIM8b
— ZachXBT (@zachxbt) July 2, 2025
North Korean hackers used to launder stolen assets via Binance and Coinbase, but had to find other ways as these exchanges increased KYC/AML scrutiny. They developed a chain of over-the-counter brokers. Also, Korean hackers use crypto mixer platforms that obfuscate transaction data. In relation to the Lazarus Group activity, the U.S. Treasury named such mixer platforms as Sinbad, Tornado Cash, and Blender.
According to ZachXBT, public company Circle, which is a prime competitor of Tether, is neglecting the use of its stablecoin USDC in the DPRK-related money laundering operations, being the only company that didn’t freeze flagged wallets when ZachXBT brought up the connection. The company eventually froze the addresses involved in hacking months later. The Circle CEO, Jeremy Allaire, responded to ZachXBT’s criticism by saying that the company would not freeze addresses solely based on ZachXBT’s investigation. The request from the law enforcement was necessary.
5/ USDC was sent directly from Circle accounts to three addresses in this cluster.
It’s 1 hop from an address blacklisted by Tether in April 2023 tied to Hyon Sop Sim.
Other DPRK ITW clusters currently have decent sized quantities of USDC sitting.
I think it’s misleading… pic.twitter.com/vGCcMZX6wL
— ZachXBT (@zachxbt) July 2, 2025
ZachXBT accuses Circle of allowing Korean hackers to use USDC so that the company will earn via transaction fees. Similar claims were made against the MetaMask wallet, which was allegedly involved in the DPRK money laundering operations.
While ZachXBT dismisses the sophistication of the DPRK agents when they try to infiltrate tech companies, Coinbase has its reasons to be cautious. Given that Coinbase is responsible for the custody of over 2.2 million bitcoins, which is more than 10% of the total supply, extensive control over the works may not seem unnecessary.
