"State-Sponsored Hackers Shift to Social Engineering, Targeting Crypto Execs"
Changpeng Zhao, CEO of Binance and widely known in the crypto industry as CZ, disclosed on October 10, 2025, that he received a security alert from Google indicating a potential state-sponsored attempt to breach his personal account. The notification, which CZ shared via X (formerly Twitter), suggested that hackers linked to North Korea's Lazarus Group might be attempting to steal his password. While CZ humorously questioned whether the attack was attributable to Lazarus, the incident has reignited concerns about the growing sophistication of state-backed cyber threats targeting high-profile figures in the cryptocurrency sector [1].
Elliptic, a blockchain analytics firm, reported that North Korea-linked hackers have stolen over $2 billion in crypto assets in 2025 alone, marking a record annual total. This figure nearly triples the $742.8 million stolen in 2024 and brings the cumulative total of North Korean crypto theft to more than $6 billion since 2017 [2]. The Lazarus Group, a state-sponsored hacking collective, has been implicated in several major breaches this year, including the $1.46 billion theft from Bybit in February (the largest crypto heist in history) and attacks on platforms like WOO X, Seedify, and BitoPro [3].
The tactics employed by Lazarus have evolved significantly. While earlier attacks focused on exploiting technical vulnerabilities in crypto exchanges, recent operations increasingly rely on social engineering. This shift underscores a broader trend: attackers are now targeting individuals and mid-sized operations rather than solely large-scale protocols. CertiK data shows that while total crypto losses fell 37% in Q3 2025, the number of successful social-engineering breaches rose [4]. Experts attribute this to the growing appeal of high-net-worth individuals as targets, who often lack the robust security measures employed by institutions.
The attack on CZ highlights a strategic pattern in state-sponsored cyber campaigns. Cybersecurity researchers note that such groups often begin by probing high-profile executives to compromise their contacts, enabling access to broader networks. This approach aligns with Lazarus's historical playbook, which includes spear-phishing, fake job applications, and AI-generated deepfakes to infiltrate organizations [5]. KuCoin's security team recently identified a new phishing campaign by Lazarus that combined fake job interviews, poisoned code repositories, and exploitation of the newly disclosed vulnerability CVE-2025-48384 [6].
The broader crypto industry has responded with heightened vigilance. CertiK and other firms emphasize the importance of rotating passwords, enabling two-factor authentication (2FA) via authenticator apps, and monitoring linked devices for unauthorized access. Influencers like Crypto Jargon urged CZ's followers to adopt these measures, noting that even minor lapses in security could lead to significant breaches [7]. Meanwhile, the U.S. Treasury and United Nations have reiterated that North Korea's cyber-enabled thefts fund its nuclear and missile programs, underscoring the geopolitical stakes of these attacks [8].
As the threat landscape evolves, experts stress the need for real-time AI threat detection, dual-wallet management, and stricter identity verification for employees and contractors. The case of CZ's alert serves as a cautionary tale: even top industry figures are not immune to state-backed cyber threats. With Lazarus and other groups adapting their tactics, the crypto sector faces a critical challenge in balancing innovation with security in an increasingly interconnected digital economy.


