North Korean hackers target US AI, crypto job applicants with fake listing platforms

North Korean hackers are now creating fake job application platforms to pick out applicants to major United States artificial intelligence and crypto firms, researchers have uncovered. While the hackers have been at it for years, the researchers claimed that they have added a new twist to their operations.

According to security outfit Validin, which uncovered the new twist to their operations, North Korean hackers are now working to gain long-term access to the computers of applicants before they join any company, instead of simply impersonating the employees of those companies.

In an operation that researchers with Validin call “Contagious Interview,” North Korean hackers are now targeting individuals and stealing the know-how for the Kim Jong Un regime, doing it with the help of a fake job platform.

North Korean hackers are now targeting applicants

Speaking to CNN, Kenneth Kinion, the CEO of Validin, mentioned that going after job seekers is expected to provide an advantage for North Korean actors. Now, instead of trying to slip past an employer’s defenses, they take over the entire hiring process and make it feel completely legitimate to individuals seeking employment. This way, applicants assume they are taking a standard coding test or following the steps for a job opportunity.

Kinion noted that if the job applicant believes that everything they are being asked to do is legitimate, they are much more likely to open any files the supposed interview sends to them. Specifically, candidates are lured into fake job opportunities, guided to record video responses, and prompted to fix their webcam by using a helper tool. These steps seem easy and simple, but they are the steps that the hacker uses to deliver malware directly to a target’s system.

The fake platform, hosted at lenvnydotcom, mimics the style of Lever, a popular headhunting website boasting tens of thousands of users.

According to the description made by Validin, the illicit job platform is a “campaign designed to socially engineer and compromise people seeking jobs in a variety of roles, including software developers, AI researchers, cryptocurrency professionals, and other technical and non-technical job seekers while mimicking leading brands in these areas.”

Among the fictional jobs advertised by the North Korean hackers on the website is a “product manager” related to Claude, an AI chatbot developed by artificial intelligence firm Anthropic. Validin noted that identifying confirmed victims of the scheme is quite challenging because many candidates either refuse to disclose or lie to their current employers that they are applying for positions elsewhere and are therefore less likely to report any suspicious activities that they discover.

North Korean actors ramp up attacks

Over the past few years, North Korean actors have used fake identities and sometimes passed interview screenings to infiltrate companies in the United States, especially firms in the IT sector. The bad actors then send the funds obtained from their callous activities back home to support the regime’s rogue weapons program.

Last week, the United States Department of Justice announced that five people pleaded guilty to helping North Korean hackers.

These people were accused of helping the hackers obtain remote IT employment with US companies to commit fraud. The scheme affected more than 136 companies in general, generating more than $2.2 million in illicit funds that have been sent back to the Kim Jong Un regime.

In addition, the identities of more than 18 Americans were compromised, with the report noting that their activities spanned several industries.

Audricus Phagnasay, 24, Jason Salazar, 30, and Alexander Paul Travis, 34, were part of those arrested. They all pleaded to one count of wire fraud conspiracy. The court mentioned that they provided their identities to external IT workers to help them obtain employment with US companies. They also hosted work laptops at their homes and installed remote access software on them without authorization, making it as if IT workers were working remotely from their residences.

If you're reading this, you’re already ahead. Stay there with our newsletter.