Coinbase CEO reveals how firm sniffs out North Korean “IT workers”

By now, it’s no secret that North Korean hackers pretending to be IT workers run rampant in the crypto world. Brian Armstrong, CEO of cryptocurrency exchange Coinbase, says the firm has been finding ways to deal with the issue effectively.
The list of increasingly sophisticated hacks by North Korea’s alleged state-sponsored hacking units is growing every year.
Bybit, for instance, lost around $1.5 billion in ethereum earlier in 2025. It was the largest cryptocurrency heist to date, and, unsurprisingly, hackers from the infamous Lazarus Group were responsible.
Not only is Lazarus Group posting bogus opportunities on job boards, but they’re also targeting would-be employees of crypto companies such as Coinbase.
The firm said in May that the North Korean hackers bribed some of its overseas employees for customer data and demanded a $20 million ransom from the company.
But the North Koreans are also attempting to get jobs at crypto companies to infiltrate them and send their wages and whatever they manage to steal back home, generating revenue for the isolated regime.
Now, Coinbase CEO Armstrong has admitted in an interview for the Cheeky Pint podcast that the general tech public doesn’t really appreciate how North Korean agents are changing the global cybercrime landscape.
“The DPRK is very interested in stealing crypto. You’d think that we can collaborate with law enforcement – and we get these dossiers of ‘Okay, this is a known actor,’ that we share sometimes with other companies,” said Armstrong.
“But it feels like there are 500 new people graduating every quarter from some school they have whose whole job is this. In many of these cases, it’s not the individual person’s fault. Their families will be coerced or detained if they don’t cooperate.”
However, Armstrong also says there’s a recipe for sniffing the fake remote “IT workers” out in time.
First, these agents are usually coached offline while they’re working or taking part in meetings and job interviews, so Coinbase forces them to turn on the camera and prove they’re not AI.
Moreover, Coinbase now requires all new recruits to come to the US for orientation. Only after the company ensures that they have US citizenship and family in-country can the remote workers access any sensitive systems.
Apparently, they’re also fingerprinted, as Armstrong explains: “You don’t want someone to feel like they can flee and then have no fear of extradition.”
Security has been enhanced at customer support facilities, and when the company catches workers taking bribes, “they go to jail,” according to Armstrong.
According to Coinbase’s boss, North Korean threat actors are also very willing to try to bribe the company’s customer support agents.
“Our customer support agents work in facilities that are pretty locked down, and they have a Chromebook that is pretty locked down. In some cases, they’ve been offered hundreds of thousands of dollars to smuggle in a personal phone and take photos of a screen or something,” said Armstrong.
“We try to make it very clear that you’re destroying the rest of your life by taking this, even if you think it’s some life‑changing amount of money, it’s not worth going to jail,” he added.
Armstrong agreed with the host’s summary of what Coinbase and other tech firms should be doing: “More proof of physical presence, more compartmentalization, and more deterrent effect through aggressive prosecution.”
However, “the ultimate deterrent is not going after insiders but after the threat actors themselves” because “we need to be a hard target,” he stressed.