North Korean hackers have been targeting crypto professionals with elaborate fake job interviews designed to steal their data and deploy sophisticated malware on their devices. The campaign primarily targets crypto and blockchain professionals, using fraudulent job sites that impersonate legitimate companies, including
, Robinhood, and Uniswap. The scheme begins with fake recruiters directing job seekers to skill-testing websites where victims enter personal details and answer technical questions. After completing the assessments, candidates are instructed to enable camera access for a video interview and then prompted to copy and execute malicious commands disguised as video driver installations.
A new Python-based remote access trojan called "PylangGhost" has been linked to a North Korean-affiliated hacking collective called "Famous Chollima," also known as "Wagemole." The malware can steal credentials and session cookies from over 80 browser extensions, including popular password managers and crypto wallets such as MetaMask, 1Password, NordPass, and Phantom. The trojan establishes persistent access to infected systems and executes remote commands from command-and-control servers. This latest operation aligns with North Korea's broader pattern of crypto-focused cybercrime, which includes the notorious Lazarus Group, responsible for some of the industry's largest heists.
Apart from stealing funds directly from exchanges, the regime is now targeting individual professionals to gather intelligence and potentially infiltrate crypto companies from within. The group has been conducting hiring-based attacks since at least 2023 through campaigns like "Contagious Interview" and "DeceptiveDevelopment," which have targeted crypto developers on platforms including GitHub, Upwork, and CryptoJobsList. Earlier this year, North Korean hackers established fake U.S. companies—BlockNovas LLC and SoftGlide LLC—to distribute malware through fraudulent job interviews before the FBI seized the BlockNovas domain.
The PylangGhost malware is functionally equivalent to the previously documented GolangGhost RAT, sharing many of the same capabilities. The Python-based variant specifically targets Windows systems, while the Golang version continues to target macOS users. Linux systems are notably excluded from these latest campaigns. The attackers maintain dozens of fake job sites and download servers, with domains designed to appear legitimate, such as "quickcamfix.online" and "autodriverfix online."
In December 2024, the $50 million Radiant Capital hack began when North Korean operatives posed as former contractors and sent malware-laden PDFs to engineers. Similarly, crypto exchange Kraken revealed in May that it successfully identified and thwarted a North Korean operative who applied for an IT position, catching the applicant when they failed basic identity verification tests during interviews.
