North Korean Hackers Target Cryptocurrency Professionals With Phishing Attacks

North Korean hackers, operating under the alias Famous Chollima, have launched a series of phishing attacks targeting cryptocurrency professionals. On June 20, 2025, the group deployed the PylangGhost malware, a sophisticated tool designed to mimic legitimate job recruitment websites of major cryptocurrency companies such as Coinbase and Robinhood. This campaign specifically targeted blockchain professionals in India, aiming to steal credentials from over 80 browser extensions, including MetaMask and TronLink, which are widely used for managing Ethereum (ETH) and Tron (TRX) assets.

The malware operates by disguising itself as video interview links, tricking users into downloading and executing the malicious software. Once activated, PylangGhost compromises users' credentials, including wallet information and password manager data, significantly increasing the cybersecurity risk for potential victims. This tactic is part of a broader strategy by the North Korean group to exploit the trust and familiarity of cryptocurrency professionals with these platforms.

Security experts have noted that this latest campaign is consistent with the group's historical pattern of social engineering attacks directed toward crypto workers. The use of PylangGhost, a Python-based version of their trojan, targets Windows systems, while a Golang-based version is deployed for MacOS users. This dual approach ensures a broader reach and effectiveness across different operating systems.

Industry analysts have observed that there have been no official comments from the companies whose recruitment sites were mimicked, suggesting that these actions are external to their official networks. Security researcher Vanja Svajcer highlighted the persistent capability of this malware, noting its similarity to tools employed in previous campaigns. The group's tactics, including the use of fake job offers, have been previously linked to significant financial losses in the cryptocurrency sector, such as the $137 million stolen from TRON users in a 2025 incident.

The escalation of these cyber attacks underscores the ongoing threat to the cryptocurrency industry. As the value and popularity of digital assets continue to grow, so does the incentive for malicious actors to exploit vulnerabilities. Cryptocurrency professionals are advised to remain vigilant and implement robust security measures to protect their digital assets. This includes being cautious of unsolicited job offers, verifying the authenticity of recruitment websites, and regularly updating security software.