
Hackers Use Fake Crypto Firms To Spread Malware In Job Scams
North Korean hackers are posing as crypto firms, tricking job seekers into downloading malware that steals wallet credentials during fake interviews.
In a rush? Here are the quick facts:
- Malware disguised as coding tests stole victims’ crypto wallet credentials.
- AI-generated profiles made fake companies appear credible.
- Attacks were spread through GitHub and freelance platforms.
Security researchers at Silent Push have uncovered a new cyberattack campaign by the North Korean threat actor tracked as Contagious Interview, also known as Famous Chollima.
The group is operating three fraudulent cryptocurrency companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to deceive job seekers into installing malware.
The scheme begins with fake job postings on freelance and recruitment websites, targeting individuals seeking roles in the cryptocurrency industry. When applicants respond, they are asked to download files allegedly containing interview materials or coding challenges.
These files, however, deliver malicious software identified as BeaverTail, InvisibleFerret, and OtterCookie. The malware is designed to steal sensitive data, including cryptocurrency wallet credentials.
To bolster the scam’s credibility, the hackers create fake employee profiles using AI-generated images. Some of these headshots were produced with Remaker AI, a tool designed to fabricate realistic portraits.
The three fraudulent companies—BlockNovas, Angeloper, and SoftGlide—present themselves as legitimate businesses, but their primary purpose is to distribute malware. Victims are misled into executing malicious code during what they believe to be technical assessments or interviews.
The hackers rely on platforms such as GitHub, freelancer marketplaces, and job boards to distribute the malware and manage their operations.
The attack strategy aligns with a pattern seen in past operations by Contagious Interview, a subgroup of the North Korean state-backed Lazarus Group. Known for using fake job offers and AI-generated personas, Lazarus routes its activity through residential proxies and VPNs to mask its location while targeting individuals globally.
To protect against such attacks, experts advise job seekers to be wary of any offer that requires downloading unknown files or executing code before an interview. Verify that the company exists outside its own website and job posting before engaging, and keep security software up to date. Anything a recruiter asks you to run, including a "coding test" cloned from GitHub or GitLab, should be treated as untrusted code: run it only in a disposable virtual machine or container that holds no browser profiles, wallet extensions or SSH keys. Note that for a Node.js project, `npm install` alone already executes any install-time scripts the repository defines, so the damage can be done before you knowingly start the application.
One developer recounted their experience: “I wanted to share how my MetaMask wallet was hacked yesterday as a cautionary tale.”
“I received a new project through Freelancer.com. The client had a ‘payment verified’ badge, so I assumed they were legitimate. The project involved web3 backend development, which I was confident I could handle,” he continued.
“After accepting the contract, the client invited me to their GitLab project and asked me to run their backend code. Soon after running it, I realized that my MetaMask wallet had been compromised,” the developer warned.
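The account above describes the pattern the whole campaign relies on: the victim is handed a repository and asked to run it. As an added example (not code from Silent Push, from the article, or from the developer quoted), the script below performs a quick pre-run triage of such a checkout before anything is installed or executed. The heuristics it applies are assumptions about how a malicious take-home test could execute code without the candidate noticing (npm lifecycle hooks, `eval` of large encoded blobs, child-process spawning, references to browser profile directories and wallet keywords); they are not published indicators for BeaverTail, InvisibleFerret or OtterCookie. The sample repository it inspects is constructed inline for demonstration and is not a real malware sample.

```python
"""Pre-run triage for a 'coding test' repository received from a recruiter.

Added example, not Silent Push's or the article's code. The checks are generic
heuristics (assumptions), not published indicators for the malware named in
the article. The verdict is never 'safe': untrusted code still belongs in a
disposable VM with no wallets, browser profiles or keys on it.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install`, before the candidate
# knowingly starts anything.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".py"}
SKIP_DIRS = {"node_modules", ".git", "dist", "build"}

# Source-level patterns that warrant reading the file before running it.
PATTERNS = {
    "dynamic-eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "child-process": re.compile(r"child_process|subprocess"),
    "long-encoded-blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    # Chromium profile directories that hold extension (wallet) state.
    "browser-profile-path": re.compile(r"Local Extension Settings|User Data|Login Data"),
    "wallet-keyword": re.compile(r"metamask|mnemonic|seed\s*phrase|keystore", re.I),
}


def scan_package_json(path):
    """Flag lifecycle hooks in package.json; returns a list of (kind, detail)."""
    try:
        scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
    except (ValueError, OSError):
        return [("unparseable-package-json", path.name)]
    return [("lifecycle-hook", f"{path.name}: {hook} -> {scripts[hook]}")
            for hook in LIFECYCLE_HOOKS if hook in scripts]


def scan_source(path):
    """Apply PATTERNS to one source file; returns a list of (kind, detail)."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:  # directories with a code-like suffix, unreadable files
        return []
    findings = []
    for kind, rx in PATTERNS.items():
        m = rx.search(text)
        if m:
            findings.append((kind, f"{path.name}: {m.group(0)[:60]}"))
    return findings


def triage_repo(root):
    """Walk a checkout; return the distinct finding kinds, details and a verdict."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if any(part in SKIP_DIRS for part in path.relative_to(root).parts):
            continue
        if path.name == "package.json":
            findings.extend(scan_package_json(path))
        elif path.suffix in SOURCE_SUFFIXES:
            findings.extend(scan_source(path))
    kinds = sorted({kind for kind, _ in findings})
    verdict = "review-before-running" if findings else "no-heuristic-hits"
    return {"kinds": kinds, "findings": findings, "verdict": verdict}


def build_sample_repo(parent):
    """Constructed 'web3 backend test' with a hidden install-time payload (not real malware)."""
    repo = Path(parent) / "web3-backend-test"
    (repo / "scripts").mkdir(parents=True)
    (repo / "package.json").write_text(json.dumps({
        "name": "web3-backend-test",
        "scripts": {"start": "node index.js", "postinstall": "node scripts/setup.js"},
    }), encoding="utf-8")
    (repo / "index.js").write_text("// innocuous task code\nmodule.exports = () => 'ok';\n",
                                   encoding="utf-8")
    blob = "QUJD" * 60  # constructed 240-char base64-looking string, never executed here
    (repo / "scripts" / "setup.js").write_text(
        "const { execSync } = require('child_process');\n"
        "const profile = require('path').join(process.env.HOME || '', 'AppData', 'Local',\n"
        "  'Google', 'Chrome', 'User Data', 'Default', 'Local Extension Settings');\n"
        f"eval(Buffer.from('{blob}', 'base64').toString());\n", encoding="utf-8")
    return repo


def build_clean_repo(parent):
    """Constructed benign project for contrast: plain scripts, no hooks."""
    repo = Path(parent) / "clean-test"
    repo.mkdir()
    (repo / "package.json").write_text(json.dumps(
        {"name": "clean-test", "scripts": {"start": "node index.js"}}), encoding="utf-8")
    (repo / "index.js").write_text("module.exports = (a, b) => a + b;\n", encoding="utf-8")
    return repo


def demo():
    """Triage both constructed repos; returns (suspicious_result, clean_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_repo(build_sample_repo(tmp)), triage_repo(build_clean_repo(tmp))


if __name__ == "__main__":
    suspicious, clean = demo()
    for kind, detail in suspicious["findings"]:
        print(f"[{kind}] {detail}")
    print("suspicious:", suspicious["verdict"], "| clean:", clean["verdict"])
```

Point `triage_repo()` at a real checkout to use it on an actual assignment. A hit means "read this before running anything", and a clean result means only that none of these crude patterns matched; it says nothing about what the code will do, which is why the isolation advice above still applies either way.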