North Korean Hackers Target Crypto Developers With Fake Recruitment Tests

North Korean hackers, linked to the $1.4 billion Bybit exploit, have been targeting crypto developers with fake recruitment tests infected with malware. These malicious actors pose as recruiters, approaching developers on professional networking platforms and offering fraudulent career opportunities. Once they gain the developer's trust, they send a malicious document containing a coding challenge on GitHub. Opening this file installs stealer malware, compromising the victim’s system.
The scam is reportedly orchestrated by a North Korean hacking group known by various names, including Slow Pisces, Jade Sleet, Pukchong, TraderTraitor, and UNC4899. These hackers aim to steal developer credentials and access codes, including cloud configurations, SSH keys, iCloud Keychain, system and app metadata, and wallet access. They also target API keys or production infrastructure, using platforms like LinkedIn, Upwork, and Fiverr to pose as clients or hiring managers offering well-paid contracts or tests, particularly in the DeFi or security space.
To build a credible facade, the attackers set up plausible employee profiles on professional networking sites, backed by resumes that match the fake positions they claim to hold. Their ultimate goal is to gain access to the Web3 company that employs the targeted developer, identify vulnerabilities, and exploit them. This sophisticated approach highlights the evolving tactics of cybercriminals, who are becoming more creative in their methods to exploit security gaps.
Cybersecurity professionals warn that developer education and operational hygiene are just as important as code audits or smart contract protections. Best practices for developers to avoid falling victim to such attacks include using virtual machines and sandboxes for testing, verifying job offers independently, and not running code from strangers. Additionally, developers should avoid installing unverified packages, use good endpoint protection, and reach out to official channels to verify recruiter identities. Storing secrets in plain text format should also be avoided, and developers should be extra cautious with ‘too-good-to-be-true’ gigs, especially unsolicited ones.
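The "don't run code from strangers" advice is easier to follow with a quick pre-execution triage of whatever repository a recruiter sends. The script below is an added example written for this article, not code from the article or from any of the groups or companies it names. It walks a checked-out "coding challenge" directory inside a disposable VM and lists the places where code would execute merely by installing or opening the project: npm lifecycle hooks (`preinstall`, `postinstall` and friends, which npm really does run during `npm install`), a `setup.py` that `pip install .` would execute, plaintext `.env` files, and a few heuristic patterns for decoded-then-evaluated payloads. The sample repository it builds is constructed for the demonstration; the regex patterns are assumptions chosen for illustration, not a complete detection ruleset.

```python
"""Pre-execution triage of an untrusted "coding challenge" repository.

Added example, not from the original article. Run it inside the sandbox VM
the article recommends, before opening the project in an IDE or installing
dependencies. It only reads files; it never executes anything from the repo.
"""
import base64
import json
import os
import re
import tempfile

# npm runs these scripts automatically during `npm install` (real npm behaviour).
NPM_AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Heuristic patterns (assumptions chosen for this example) for code that
# decodes or downloads a payload and executes it dynamically.
SUSPICIOUS_PATTERNS = {
    "js_eval_of_decoded_buffer": re.compile(r"eval\s*\(\s*Buffer\.from\("),
    "js_function_constructor": re.compile(r"new\s+Function\s*\("),
    "py_exec_of_base64": re.compile(r"exec\s*\(\s*base64\.b64decode\("),
    "shell_download": re.compile(r"\b(curl|wget)\s+https?://"),
}
SOURCE_EXTENSIONS = (".js", ".mjs", ".cjs", ".ts", ".py", ".sh")


def scan_package_json(path: str) -> list[str]:
    """Report npm scripts that run on install without the developer asking."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        return [f"{path}: unreadable package.json ({exc})"]
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    return [
        f"{path}: npm lifecycle hook '{hook}' runs on install: {scripts[hook]}"
        for hook in sorted(NPM_AUTO_HOOKS & set(scripts))
    ]


def scan_source_file(path: str) -> list[str]:
    """Flag dynamic-execution patterns in a source file."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return [f"{path}: unreadable ({exc})"]
    return [f"{path}: matches pattern {name}"
            for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]


def triage_repo(root: str) -> list[str]:
    """Walk the repo and collect everything that deserves a look before running it."""
    findings: list[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                findings += scan_package_json(path)
            elif name == "setup.py":
                findings.append(f"{path}: setup.py present, `pip install .` executes it")
            elif name == ".env":
                findings.append(f"{path}: plaintext secrets file shipped with the repo")
            if name.endswith(SOURCE_EXTENSIONS):
                findings += scan_source_file(path)
    return sorted(findings)


def build_constructed_sample() -> str:
    """Create a constructed (benign) take-home repo that trips the checks."""
    root = tempfile.mkdtemp(prefix="challenge-")
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "take-home-challenge",
                   "scripts": {"test": "node test.js",
                               "postinstall": "node setup-helper.js"}}, fh)
    # Encoded payload is harmless here; the shape is what the heuristic flags.
    encoded = base64.b64encode(b"console.log('benign')").decode()
    with open(os.path.join(root, "setup-helper.js"), "w", encoding="utf-8") as fh:
        fh.write(f'eval(Buffer.from("{encoded}", "base64").toString());\n')
    with open(os.path.join(root, "setup.py"), "w", encoding="utf-8") as fh:
        fh.write("from setuptools import setup\nsetup(name='challenge')\n")
    return root


if __name__ == "__main__":
    for line in triage_repo(build_constructed_sample()):
        print(line)
```

A clean result from this script is not proof of safety; it only tells you what would run without a deliberate action on your part. Anything it lists is a reason to keep the project inside the VM and to verify the recruiter through the company's official channels before going further.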
