North Korea’s Latest Cyberweapon? Crypto-Targeted Malware Disguised as Job Offers

Author: decryptCO
Published: 2025-06-20 06:13:32

North Korea Targets Crypto Professionals With New Malware in Hiring Scams

Pyongyang's hacking units have leveled up—now weaponizing LinkedIn-style recruitment scams to infect crypto professionals with stealth malware.

How the attack works: Fake headhunters dangle lucrative blockchain gigs, then deliver 'interview tests' laced with spyware. Targets don't realize their wallets are being drained until it's too late.

Why crypto teams are vulnerable: The industry's remote-first culture and six-figure salary expectations make perfect bait for social engineering—because nothing screams 'legit opportunity' like an unsolicited Telegram message from '[email protected]'.

Security firms report the malware bypasses 2FA and air-gapped wallets—proving even 'not your keys, not your coins' isn't bulletproof when your device becomes a puppet for the Kim regime.

The kicker? These attacks coincidentally spiked just as Bitcoin reclaimed $100K—because where there's euphoria, there's always someone waiting to exploit it. Just ask the Mt. Gox creditors.

A vital need for awareness

“CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he said, calling for “stronger legal provisions” under the IT Act and “digital awareness campaigns.”

The newly discovered PylangGhost malware can steal credentials and session cookies from over 80 browser extensions, including popular password managers and crypto wallets such as MetaMask, 1Password, NordPass, and Phantom.

The Trojan establishes persistent access to infected systems and executes remote commands from command-and-control servers.



This latest operation aligns with North Korea's broader pattern of crypto-focused cybercrime, which includes the notorious Lazarus Group, responsible for some of the industry's largest heists.

Apart from stealing funds directly from exchanges, the regime is now targeting individual professionals to gather intelligence and potentially infiltrate crypto companies from within. 

The group has been conducting hiring-based attacks since at least 2023 through campaigns like "Contagious Interview" and "DeceptiveDevelopment," which have targeted crypto developers on platforms including GitHub, Upwork, and CryptoJobsList. 

Mounting cases

Earlier this year, North Korean hackers established fake U.S. companies—BlockNovas LLC and SoftGlide LLC—to distribute malware through fraudulent job interviews before the FBI seized the BlockNovas domain.

The PylangGhost malware is functionally equivalent to the previously documented GolangGhost RAT, sharing many of the same capabilities. 

The Python-based variant specifically targets Windows systems, while the Golang version continues to target macOS users. Linux systems are notably excluded from these latest campaigns.

The attackers maintain dozens of fake job sites and download servers, with domains designed to appear legitimate, such as "quickcamfix.online" and "autodriverfix.online," according to the report.

A joint statement from Japan, South Korea, and the U.S. confirmed that North Korean-backed groups, including Lazarus, stole at least $659 million through multiple cryptocurrency heists in 2024.

In December 2024, the $50 million Radiant Capital hack began when North Korean operatives posed as former contractors and sent malware-laden PDFs to engineers. 

Similarly, crypto exchange Kraken revealed in May that it successfully identified and thwarted a North Korean operative who applied for an IT position, catching the applicant when they failed basic identity verification tests during interviews.

Edited by Sebastian Sinclair
