Changpeng Zhao, known as CZ and co-founder of Binance, posted a screenshot on X showing a Google security alert.
He asked why he keeps getting the message and wondered if North Korea’s Lazarus group might be behind it.
CZ said he gets the warning sometimes and joked that he has nothing important on the account. He told followers to stay SAFU.
The post included an image that read, “Warning: Google may have detected government-backed attackers trying to steal your password.” He shared the screenshot to ask who else had seen it and to raise concern.
What the image shows?
The attached image is a Google pop-up, and it warns of possible government-backed attackers trying to steal a password. A large button says “SECURE MY ACCOUNT.”
Also Read: North Korea’s Lazarus Hacker Group Deposits 400 $ETH (~$750K) into Tornado Cash
The notice suggests Google has flagged activity that looks like a state-linked intrusion. CZ’s post showed the pop-up and asked his followers to weigh in. He also named “North Korea Lazarus?” as a possible source in his message.
Possible connection to Lazarus
A recent report from cybersecurity firm Silent Push says a Lazarus sub-team set up two shell companies in the United States. The firms are Blocknovas LLC in New Mexico and Softglide LLC in New York.
The report claims the companies were registered under false names. According to that report, the move likely helps the group avoid US and UN sanctions. CZ’s question about Lazarus ties to these findings. Some experts say the group has used many tricks to hide its moves before.
North Korea and Bitcoin
North Korea is now one of the largest nation-state holders of Bitcoin, and the country is said to hold more Bitcoin than Bhutan or El Salvador. Arkham Intelligence data points to 13,518 BTC linked to the Lazarus Group.
The actual amount may be higher, and the group has also stolen funds in several hacks, including the ByBit incident. That history helps explain why security services and platforms flag certain accounts as possibly targeted by state-linked attackers.
What does the warning mean?
When Google shows this kind of alert, it flags login or account activity that fits patterns tied to state-backed threats. The warning does not prove a successful breach, and instead, it signals a risk. Users are urged to secure their accounts right away.
That includes changing passwords, enabling two-factor authentication, and reviewing recent activity. For public figures or people with crypto holdings, the risk can be higher because nation-state groups may target high-value accounts.
Why this matters?
A prompt like the one CZ shared can be a wake-up call. It shows how major platforms detect and warn users about possible state-level threats. For people who work with crypto or hold funds digitally, the stakes are real.
A targeted attack can lead to large losses, and the link between Lazarus and shell companies suggests that some groups are getting creative. They use legal covers and fake identities to move money and avoid sanctions. That can make tracking and stopping them harder.
In short, CZ’s post shows a rare public glimpse at a platform-level warning. The image is a simple alert, and the context behind it is complex. State-linked groups such as Lazarus have shown the tools and reach to target accounts tied to cryptocurrency.
Also Read: OKX Halts DEX Aggregator Activity Following Cybersecurity Threat from Lazarus Group