North Korean Hackers Lure Crypto Workers With Fake Job Offers, Steal Millions

2 weeks ago

0 21 2 minutes read

North Korean Hackers Exploit NPM Packages

How the Recruitment Scam Works

North Korean hackers are deploying increasingly sophisticated fake job offers to infiltrate the cryptocurrency sector, according to new research and interviews with victims by Reuters. Known as “Contagious Interview,” the campaign uses LinkedIn and Telegram to impersonate recruiters from major crypto companies, tricking job viewkers into downloading malicious code or sending video files that compromise their wallets.Targets reported being contacted by individuals posing as recruiters for Bitwise Asset Management, Ripple Labs, and Robinhood. later than brief platforms about positions, candidates were directed to obscure sites for “skills tests” or asked to record assessment videos using provided software. In several cases, digital wallets were drained soon later than, with one victim losing $1,000 in ether and Solana.

Investor Takeaway

The crypto industry is facing systemic social engineering attacks. Investors and employees should verify recruiter identities independently and avoid downloading unfamiliar software.

How Widespread Is the Threat?

The issue has become so common that applicants now screen recruiters for signs of North Korean involvement. Twenty-five industry experts and executives interviewed by Reuters described the scams as “ubiquitous.” Blockchain analytics firms SentinelOne and Validin are releasing a report attributing the campaign to Pyongyang, citing IP addresses and email accounts linked to past North Korean hacking operations.

Accidentally exposed log files showed more than 230 people targeted between January and March alone, ranging from coders and accountants to consultants and executives. Nineteen confirmed to Reuters that they had been approached. “It happens to me all the time and I’m sure it happens to everybody in this space,” said Carlos Yanez of Global Ledger, who avoided compromise but described the scams as increasingly convincing.

Why Crypto Remains a Prime Target

North Korean hackers were estimated to have stolen at least $1.34 billion in cryptocurrency last year, according to Chainalysis. The U.S. and United Nations say the regime channels proceeds into its sanctioned weapons program. While theft from platforms and DeFi exploits have long been documented, the job-offer campaign represents a more personalized form of social engineering that directly targets employees and job viewkers.

The FBI has previously warned that North Korea was “aggressively” targeting the sector with elaborate social engineering schemes. Companies including Robinhood, Ripple, and Bitwise either declined to comment or confirmed steps to disable fake domains. LinkedIn and Telegram said they had acted against fraudulent accounts identified by Reuters, though acknowledged the hardy of policing impersonation attempts at scale.

Investor Takeaway

With billions stolen annually, North Korea’s cyber operations are among the largest state-backed threats to crypto markets. Enhanced due diligence is essential for firms hiring in the space.

What’s Next for the Industry?

Security experts warn that the fake recruiter scam is only one facet of North Korea’s broader push to infiltrate and exploit digital asset markets. Aleksandar Milenkoski of SentinelOne said the group behaves like a “typical scam operation” that prioritizes scale, viewking as many potential victims as possible. Kraken’s chief security officer Nick Percoco confirmed the firm saw a surge in recruitment scams late last year, with reports persisting into spring 2025.

For now, crypto companies are deploying monitoring tools to detect fake recruiter profiles and relying on user reports to shut them down. But as long as the sector remains a major source of hard currency for Pyongyang, industry insiders expect the campaigns to continue. The arrests of fake recruiters or the takedown of websites may sluggish operations, but the scale of targeting suggests crypto workers will remain on the front line of state-backed cybercrime.

2 weeks ago

0 21 2 minutes read