In an interview with Stripe’s John Collison, Coinbase CEO Brian Armstrong revealed the methods North Korean hackers use to target the exchange. Efforts by deceptive agents to bribe support staff or secure jobs at Coinbase prompted the company to implement stricter security protocols. What insights did this give us into the tactics of DPRK hackers?
Key Insights on North Korea from Armstrong’s Interview
On August 20, 2025, the Stripe YouTube channel released a new video featuring a conversation between John Collison of Stripe and Brian Armstrong of Coinbase, discussing key trends in the cryptocurrency industry.
During the discussion, Collison asked Armstrong what the broader tech community often overlooks about the cybercrime landscape. Armstrong responded almost immediately: “A lot of North Korean agents are trying to work at these companies,” usually through remote positions.
He explained that while companies collaborate with law enforcement and are sometimes alerted to certain candidates as “known actors,” it seems that hundreds more graduate from “some kind of school” in North Korea each quarter, with infiltrating tech companies as their primary mission. Armstrong clarified that he does not blame the individuals themselves for becoming agents.
“In many of these cases, it’s not the individual person’s fault. Their families will be coerced or detained if they don’t cooperate. So actually, they’re the victim as well in many cases.”
During online job interviews, DPRK agents often have a coach nearby to guide them, so Coinbase requires candidates to turn on their cameras to ensure they are speaking directly with the interviewee and not receiving instructions.
Access to sensitive systems is tightly controlled: employees must travel to the U.S. for in-person orientation, and only fingerprinted U.S. citizens with family in the country are granted access. These stringent measures reflect heightened security concerns stemming from North Korean infiltration attempts.
Armstrong also highlighted cases in which threat actors attempted to bribe Coinbase support staff, offering hundreds of thousands of dollars to smuggle in personal phones, take screenshots, or share other sensitive data. To mitigate these risks, Coinbase increased oversight of its support team and relocated customer support offices to the U.S. and Europe. Armstrong stated:
“[We] really started to make a deterrent in the sense of, when we catch people doing this – and we red‑team it consistently — we don’t walk them out the door — they go to jail. We try to make it very clear that you’re destroying the rest of your life by taking this, even if you think it’s some life‑changing amount of money, it’s not worth going to jail.”
Another step Coinbase has taken is offering a $20 million bounty for information that could lead to the arrest or conviction of attackers. Armstrong emphasized that the company is pursuing not just insider threats, but the external threat actors themselves.
What We Know About North Korean Hackers
In the same interview, Armstrong emphasized that “DPRK is very interested in stealing crypto,” a point that should not be underestimated. According to blockchain analytics firm Elliptic, the hacking of the crypto exchange ByBit by North Korean hackers was the largest crypto heist in history. The notorious Lazarus Group, linked to the DPRK, managed to steal $1.46 billion in crypto assets. Since 2017, North Korea has reportedly stolen over $5 billion in cryptocurrency, with an estimated 40% of the country’s nuclear program funded through these illicit gains. Over $300 million of the funds stolen from ByBit may have been used to finance nuclear weapons.
North Korean hackers employ a wide range of tactics to steal crypto and launder money. On August 13, 2025, a prominent anonymous crypto researcher known as ZachXBT shared leaked documents showing DPRK hackers posing as IT workers at Western companies. The leak revealed that five agents were operating 30 fake identities, complete with fraudulent LinkedIn and Upwork IT accounts. They primarily communicated in English and used various Google services to carry out their operations, purchasing job platform accounts, generating serial security numbers, and more.
Some screenshots of the agents’ browser histories suggested surprisingly low levels of technical skill. According to ZachXBT, hiring a North Korean agent amounts to “100% negligence,” and he noted that detecting a DPRK operative is not particularly difficult.
Despite their poor performance and frequent firings, DPRK agents often find new positions. Typically, multiple agents join the same company at the same time, eventually succeeding in stealing cryptocurrency.
North Korean hackers previously laundered stolen assets through exchanges like Binance and Coinbase, but as these platforms strengthened their KYC and AML controls, the hackers turned to alternative methods. They established a network of over-the-counter brokers and also relied on crypto mixer platforms that obscure transaction data. In connection with Lazarus Group operations, the U.S. Treasury identified mixers such as Sinbad, Tornado Cash, and Blender.
According to ZachXBT, the public company Circle, a major competitor of Tether, initially failed to act on the use of its stablecoin USDC in DPRK-related money laundering. It was the only company that did not freeze the flagged wallets when ZachXBT highlighted the connection. Circle eventually froze the involved addresses months later. CEO Jeremy Allaire responded to the criticism by stating that the company would not freeze addresses based solely on ZachXBT’s findings, emphasizing that action requires law enforcement requests.
ZachXBT has accused Circle of enabling North Korean hackers to use USDC in order to profit from transaction fees. Similar allegations have been made against the MetaMask wallet, which was reportedly used in DPRK-linked money laundering operations.
Although ZachXBT downplays the technical sophistication of DPRK agents attempting to infiltrate tech companies, Coinbase has clear reasons to remain vigilant. The platform holds custody of over 2.2 million bitcoins—more than 10% of the total supply—making strict internal controls a prudent measure rather than an overreaction.

