North Korea Targets Crypto Professionals With New Malware in Hiring Scams

North Korean hackers are luring crypto professionals into elaborate fake job interviews designed to steal their data and deploy sophisticated malware on their devices.

A new Python-based remote access trojan called “PylangGhost,” links malware to a North Korean-affiliated hacking collective called “Famous Chollima,” also known as “Wagemole,” threat intelligence research firm Cisco Talos reported on Wednesday.

“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies,” the firm wrote.

The campaign primarily targets crypto and blockchain professionals in India, using fraudulent job sites that impersonate legitimate companies, including Coinbase, Robinhood, and Uniswap.

The scheme begins with fake recruiters directing job seekers to skill-testing websites where victims enter personal details and answer technical questions. 

After completing the assessments, candidates are instructed to enable camera access for a video interview and then prompted to copy and execute malicious commands disguised as video driver installations.

Dileep Kumar H V, director at Digital South Trust, told Decrypt that to counter these scams, “India must mandate cybersecurity audits for blockchain firms and monitor fake job portals.”

A vital need for awareness

“CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he said, calling for “stronger legal provisions” under the IT Act and “digital awareness campaigns.”

The newly discovered PylangGhost malware can steal credentials and session cookies from over 80 browser extensions, including popular password managers and crypto wallets such as Metamask, 1Password, NordPass, and Phantom. 

The Trojan establishes persistent access to infected systems and executes remote commands from command-and-control servers.

This latest operation aligns with North Korea’s broader pattern of crypto-focused cybercrime, which includes the notorious Lazarus Group, responsible for some of the industry’s largest heists.

Apart from stealing funds directly from exchanges, the regime is now targeting individual professionals to gather intelligence and potentially infiltrate crypto companies from within. 

The group has been conducting hiring-based attacks since at least 2023 through campaigns like “Contagious Interview” and “DeceptiveDevelopment,” which have targeted crypto developers on platforms including GitHub, Upwork, and CryptoJobsList. 

Mounting cases

Earlier this year, North Korean hackers established fake U.S. companies—BlockNovas LLC and SoftGlide LLC—to distribute malware through fraudulent job interviews before the FBI seized the BlockNovas domain.

The PylangGhost malware is functionally equivalent to the previously documented GolangGhost RAT, sharing many of the same capabilities. 

The Python-based variant specifically targets Windows systems, while the Golang version continues to target macOS users. Linux systems are notably excluded from these latest campaigns.

The attackers maintain dozens of fake job sites and download servers, with domains designed to appear legitimate, such as “quickcamfix.online” and “autodriverfix online,” according to the report. 

A joint statement from Japan, South Korea, and the U.S. confirmed that North Korean-backed groups, including Lazarus, stole at least $659 million through multiple cryptocurrency heists in 2024.

In December 2024, the $50 million Radiant Capital hack began when North Korean operatives posed as former contractors and sent malware-laden PDFs to engineers. 

Similarly, crypto exchange Kraken revealed in May that it successfully identified and thwarted a North Korean operative who applied for an IT position, catching the applicant when they failed basic identity verification tests during interviews.

Edited by Sebastian Sinclair