Fake Job Offers, Real Thefts: North Korea’s New Crypto Scam Tactic Exposed

BTCC / BTCC Square / Bitcoinist /

Author:

Bitcoinist

Published:

2025-09-05 10:00:14

North Korean operatives are hijacking crypto careers—and draining wallets through elaborate fake job schemes.

The Recruitment Ruse

They're posing as blockchain recruiters, dangling six-figure salaries at fake crypto firms. Candidates receive polished offer letters, complete with corporate branding and seemingly legitimate onboarding paperwork. Except the 'HR department' is actually Pyongyang's latest crypto-heist operation.

The Digital Heist

Targets get directed to download 'company software'—malware that grants full access to their crypto wallets and exchange accounts. One click installs payloads that bypass 2FA, drain hot wallets, and even compromise hardware wallet connections. Victims don't realize they've been robbed until their portfolios hit zero.

Why Crypto Jobs?

The industry's remote-first culture creates perfect cover. No office visits, no verification—just trust and blockchain addresses. North Korea's cyber-divisions continuously adapt, mimicking real companies and leveraging industry jargon to appear legitimate. They're not just stealing coins; they're harvesting intellectual property and insider knowledge.

Security experts note the irony: an industry built on 'don't trust, verify' keeps falling for the oldest trick in the book—promises of easy money. Maybe Wall Street's sharks were more honest about their intentions.

North Korean Hackers Are Masquerading As Recruiters To Steal Crypto

According to a report from Reuters, research, raw data, and interviews have shed light on the latest playbook that North Korean hackers are using to pull off crypto heists.

Hacking groups tied to North Korea are notorious in the space, having been blamed for several high-profile attacks. In 2024 alone, they made away with $1.34 billion in digital assets, as per Chainalysis data.

Some of the major examples in that year included a $305 million hack on Japanese crypto exchange DMM and a $235 million attack on Indian digital assets platform WazirX.

The largest of them all, however, occurred this year, involving Bybit, the exchange second only to Binance in trading volume. Malicious players related to North Korea stole a whopping $1.5 billion from the platform.

Bybit has been able to recover a portion of the funds, but the majority of the stolen tokens have already become untraceable. Hackers exploited vulnerabilities in the platform’s wallet system to pull off the heist.

But attackers tied to Pyongyang aren’t solely relying on large-scale exchange exploits. Research unveils they are also employing a more subtle tactic to steal digital assets: by masquerading as recruiters. The scam involves malicious actors reaching out over platforms like LinkedIn and Telegram and advertising a blockchain-related job for well-known firms like Ripple, Bitwise, and Robinhood.

Then, the recruiter WOULD ask applicants to take a skills test on an obscure website and record a video. Some prospects would get suspicious at this stage and back off, but those who didn’t would end up getting funds stolen from their crypto wallets kept on the device.

Reuters notes:

SentinelOne and Validin attribute the thefts to a North Korean operation previously dubbed “Contagious Interview”, opens new tab by cybersecurity company Palo Alto Networks. The researchers tracking the campaign concluded that the North Koreans were behind it based on several factors, including their use of internet protocol addresses and emails linked to previous North Korean hacking activity.

In January, the governments of Japan, the US, and South Korea came together to release a joint statement regarding the North Korean crypto thefts. The statement warned that Pyongyang’s cyber program poses a serious threat to the international financial system, with the stolen funds believed to be funneled into its weapons of mass destruction and ballistic missiles program.